from Hacker News

Show HN: Phone verification at no cost

by natsu90 on 5/8/16, 3:12 AM with 62 comments

  • by patcheudor on 5/8/16, 4:30 PM

    I may get downvoted for this and so be it, this must be said. This is a prime example of creating what was intended to be a security feature without understanding the threat landscape. I just tested it, and it's 100% vulnerable to caller ID spoofing. In 2016, caller ID spoofing is as simple as downloading an iPhone app and spending $30 for a bunch of minutes.

    The problem is, a lot of people will find this cool and will also not evaluate the threat landscape. In fact, it's even worse. They will assume the threat landscape has already been evaluated. The code is out there, so it must be good. They will then implement this into some "super duper secure" service which should require far more security for user authentication. It will then take me 15 minutes of pulling my hair out in a security review to explain to whoever implemented it that it offers no security. The team will walk away from our meeting wondering if I was just trolling them and ask how their entire team could have made this mistake. They will then come to the conclusion they are smart and I must be wrong. They'll then call me back to explain again, at which point I'll take them through a full video demonstration with their VP of operations on the call. This time they will actually "get it" because they saw it exploited on video. Their VP of operations will then fire the project manager and lead developer and I'll feel like shit for being responsible for the termination of two careers.

  • by gst on 5/8/16, 4:06 AM

    It's relatively easy to change/fake the caller ID of phone calls so unfortunately this approach isn't really secure. That's why phone number verification usually places an outgoing call, to verify that you're actually able to receive calls on that number.

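    The two designs gst contrasts, as an added example that is not part of the thread or of the submitted project: the inbound check trusts whatever caller ID the network hands it, while the outbound check binds the number to a secret only its holder receives. The `place_call` hook and `FakeCarrier` are constructed stand-ins, not a real telephony API.

```python
import hmac
import secrets
import time


def inbound_caller_id_verify(call_event, expected_number):
    """The 'missed call' design from the thread: treat the inbound caller ID as proof of
    ownership. The From field is supplied by the calling network, so this proves nothing."""
    return call_event.get("From") == expected_number


class OutboundPhoneVerifier:
    """Outbound design: the server generates a secret and delivers it to the number.
    Only whoever can receive calls on that number can echo it back."""
    CODE_DIGITS = 6
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, place_call, clock=time.time):
        self._place_call = place_call   # hypothetical hook: callable(number, code)
        self._clock = clock
        self._pending = {}              # number -> [code, expires_at, attempts_left]

    def start(self, number):
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._pending[number] = [code, self._clock() + self.TTL_SECONDS, self.MAX_ATTEMPTS]
        self._place_call(number, code)

    def check(self, number, submitted):
        entry = self._pending.get(number)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(number, None)   # expired or locked: caller must start() again
            return False
        entry[2] -= 1                         # count the attempt before comparing
        if hmac.compare_digest(code, submitted):  # constant-time comparison
            del self._pending[number]             # single use
            return True
        return False


class FakeCarrier:
    """Constructed stand-in for a telephony API: records the code read out to each number."""
    def __init__(self):
        self.delivered = {}

    def place_call(self, number, code):
        self.delivered[number] = code
```
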
  • by kevindeasis on 5/8/16, 4:51 AM

    Hi, there's a free phone verification using facebook. It's account kit.

    https://developers.facebook.com/docs/accountkit/overview

    What do you guys think?

  • by Matt3o12_ on 5/8/16, 1:31 PM

    Are you willing to make international users pay up to 80¢ per verification? If someone cancels a call, I still have to pay for one minute (it's only free if I cancel the call). So if I were to call any American number that hung up on me, I have to pay 80¢ (USD dollar cents of course).

    Just pay the 0.02¢ or whatever phone services charge these days. If your business is actually big enough to have to worry about phone verification, do it right. Users don't like to call your number since they don't know the costs associated with it (especially international users). Furthermore, it makes number spoofing much harder.

  • by neil_s on 5/8/16, 11:55 AM

    Haha, this is the digital version of the Indian phenomenon of 'missed calls', used as a 1-bit, 0-cost notification mechanism. It's become such a cultural artifact that big companies are now advertising numbers you can 'missed call' and get a callback from.

    https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecos...

  • by ntauthority on 5/8/16, 4:03 AM

    Would 'rejecting' the call result in the calling user's operator billing them, though? This is a major concern with international usage, given phone providers' tendency to... overcharge for what's technically VoIP usage.

    The classical text message verification schemes barely have this issue in most of the world as the recipient pays nothing, but of course the sender gets billed instead.

  • by DDickson on 5/8/16, 4:04 AM

    So you can only verify, at best, one user every 90 seconds?

    Also, I have to assume Twilio would look at this as a form of abuse.

  • by therealidiot on 5/8/16, 10:28 AM

    Can people just stop with this whole verify-by-phone thing?

  • by faizmokhtar on 5/8/16, 4:11 PM

    This is a pretty cool hack. Great job OP!

  • by jldugger on 5/8/16, 4:00 AM

    So... Twilio adjusts their pricing in 3... 2... 1...

  • by cia48621793 on 5/8/16, 12:02 PM

    However, isn't it considered a kind of exploit? Twilio never intended users to waste their VoIP traffic.

    Could we also do phone verification at no cost, however instead by outbound call? Is there any free/paid host providing such service?

  • by subinsebastien on 5/8/16, 7:29 AM

    Again, nothing new. I have already implemented this on my app here: https://play.google.com/store/apps/details?id=in.xtel.quitq.... using Twilio alone. But Twilio is not completely free.