Your Code is 0000: An Analysis of the Disposable Phone Numbers Ecosystem

José Miguel Moreno, Srdjan Matic, Narseo Vallina-Rodriguez, Juan Tapiador

TL;DR

Disposable Phone Numbers delivered by Public SMS Gateways enable widespread receipt of verification messages, effectively blurring personal identifiers and enabling account creation at scale. The authors build a large-scale, longitudinal dataset (70.95M messages across 17,141 DPNs from 29 PSGs over ~12 months) and develop a full pipeline for PSG identification, message collection, language/service attribution, and automatic purpose labeling. They show that DPNs are heavily used for account creation and verification, with OTPs present in roughly 77% of messages and extensive service coverage across sectors; roughly 80% of messages contain an OTP or a single-use link. The study reveals pervasive abuse potential, including DPN rotation, cross-gateway reuse, and long-duration message bursts, suggesting that major platforms, finance, healthcare, and public services are affected and prompting stronger protections and targeted defenses by providers and regulators.

Abstract

Short Message Service (SMS) is a popular channel for online service providers to verify accounts and authenticate users registered to a particular service. Specialized applications, called Public SMS Gateways (PSGs), offer free Disposable Phone Numbers (DPNs) that can be used to receive SMS messages. DPNs allow users to protect their privacy when creating online accounts. However, they can also be abused for fraudulent activities and to bypass security mechanisms like Two-Factor Authentication (2FA). In this paper, we perform a large-scale and longitudinal study of the DPN ecosystem by monitoring 17,141 unique DPNs in 29 PSGs over the course of 12 months. Using a dataset of over 70M messages, we provide an overview of the ecosystem and study the different services that offer DPNs and their relationships. Next, we build a framework that (i) identifies and classifies the purpose of an SMS; and (ii) accurately attributes every message to more than 200 popular Internet services that require SMS for creating registered accounts. Our results indicate that the DPN ecosystem is globally used to support fraudulent account creation and access, and that this issue is ubiquitous and affects all major Internet platforms and specialized online services.

Paper Structure (19 sections, 4 figures, 3 tables)

Figures (4)

  • Figure 1: Our pipeline for identifying PSGs, crawling messages and post-processing of data. For language detection, arrows with full lines (green) indicate a passed check, while dashed lines (red) denote a check that failed.
  • Figure 2: Daily volume of messages, active DPNs and online PSGs.
  • Figure 3: Time-to-First-Message per service grouped by service category.
  • Figure 4: DPNs with the longest bursts of account-related messages grouped by service. X axis shows days, while every row in the Y axis plots the messages for a given DPN. Gray pixels show the lifespan of a DPN.
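
To make the analyses named in the summary concrete (purpose labeling, service attribution, cross-gateway reuse, and the account-message bursts of Figure 4), the following is an added example and not the authors' pipeline. The regexes, the keyword map, the sample records, and the definition of a burst as a run of consecutive days are all assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed sample records (gateway, DPN, day index, text); not real data.
MESSAGES = [
    ("psg-a.example", "+10000000001", 1, "Your ExampleChat code is 0000"),
    ("psg-a.example", "+10000000001", 2, "ExampleChat: 123456 is your verification code"),
    ("psg-b.example", "+10000000001", 3, "Sign in to ExampleChat: https://examplechat.example/l/Ab3dE9xQ"),
    ("psg-a.example", "+10000000001", 5, "Your ExampleChat code is 482913"),
    ("psg-a.example", "+10000000002", 1, "ExamplePay: 50% off this weekend only"),
    ("psg-a.example", "+10000000002", 2, "ExamplePay security code: 9911"),
]
# Assumed heuristics (not the paper's): OTP = 4-8 digit token plus a hint word;
# link = URL ending in a long token; burst = run of consecutive active days.
OTP_RE = re.compile(r"\b\d{4,8}\b")
HINT_RE = re.compile(r"\b(code|otp|pin|verification)\b", re.I)
LINK_RE = re.compile(r"https?://\S+/[A-Za-z0-9_-]{8,}\b")
SERVICES = {"examplechat": "ExampleChat", "examplepay": "ExamplePay"}  # hypothetical

def label_purpose(text):
    if HINT_RE.search(text) and OTP_RE.search(text):
        return "otp"
    return "link" if LINK_RE.search(text) else "other"

def attribute_service(text):
    low = text.lower()
    return next((name for kw, name in SERVICES.items() if kw in low), "unknown")

def cross_gateway_dpns(messages):
    seen = defaultdict(set)
    for gw, dpn, _day, _text in messages:
        seen[dpn].add(gw)
    return {dpn for dpn, gws in seen.items() if len(gws) > 1}

def longest_bursts(messages):
    days = defaultdict(set)
    for _gw, dpn, day, text in messages:
        if label_purpose(text) != "other":  # keep account-related messages only
            days[(dpn, attribute_service(text))].add(day)
    bursts = {}
    for key, ds in days.items():
        best = run = 0
        for d in sorted(ds):
            run = run + 1 if d - 1 in ds else 1
            best = max(best, run)
        bursts[key] = best
    return bursts

if __name__ == "__main__":
    print(cross_gateway_dpns(MESSAGES), longest_bursts(MESSAGES))
```

A service provider could run the same grouping over its own outbound verification logs to flag destination numbers that accumulate long runs of account-related messages.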