Dialing Back Abuse on Phone Verified Accounts
Venue
Proceedings of the 21st ACM Conference on Computer and Communications Security (2014)
Publication Year
2014
Authors
Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy
Abstract
In the past decade the increase of for-profit cybercrime has given rise to an
entire underground ecosystem supporting large-scale abuse, a facet of which
encompasses the bulk registration of fraudulent accounts. In this paper, we present
a 10-month longitudinal study of the underlying technical and financial
capabilities of criminals who register phone verified accounts (PVA). To carry out
our study, we purchase 4,695 Google PVA as well as acquire a random sample of
300,000 Google PVA through a collaboration with Google. We find that miscreants
rampantly abuse free VOIP services to circumvent the intended cost of acquiring
phone numbers, in effect undermining phone verification. Combined with short-lived
phone numbers from India and Indonesia that we suspect are tied to human
verification farms, this confluence of factors correlates with a market-wide price
drop of 30–40% for Google PVA until Google penalized verifications from frequently
abused carriers. We distill our findings into a set of recommendations for any
services performing phone verification as well as highlight open challenges related
to PVA abuse moving forward.
