How you can prevent toll fraud
While Stytch offers built-in protections, we highly recommend that apps that use SMS OTPs take additional steps to protect SMS endpoints.
Restrict your UI to specific geographies in which you operate
- SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023 (if you're interested in sending international SMS, please reach out to support@stytch.com, and we can enable it for you).
- If your Stytch Workspace is enabled for international SMS:
- If your company plans to primarily operate in only a few geographies, consider configuring your UI or phone number validation to limit SMS logins to core geographies.
- If you’re using our Backend SDKs, create an allowlist in your backend for phone number prefixes. See our T3 example app for a complete example. Below are the relevant code blocks:
// utils/phone-countries.ts
import { Country } from 'react-phone-number-input';
/**
* This list is used to populate the country dropdown on the phone number input
* in the login form. Simply remove any countries that you don't want to support. You may
* want to limit support due to cost, fraud, or because you do not do business in that country.
**/
export const STYTCH_SUPPORTED_SMS_COUNTRIES: Country[] = [
'US', // will be selected by default on phone number input
'CA',
];// components/PhoneInput.tsx
import { STYTCH_SUPPORTED_SMS_COUNTRIES } from '~/utils/phone-countries';
import PhoneInputWithCountry from 'react-phone-number-input/react-hook-form';
import flags from 'react-phone-number-input/flags';
// ...other imports
export function PhoneInput(props: { control: Control<{ phone: string }, any> }) {
const { control } = props;
return (
<PhoneInputWithCountry
style={{...}}
control={control}
countries={STYTCH_SUPPORTED_SMS_COUNTRIES}
countryCallingCodeEditable={false}
defaultCountry={STYTCH_SUPPORTED_SMS_COUNTRIES[0]}
flags={flags}
inputComponent={Input}
international
name='phone'
rules={{ required: true }}
withCountryCallingCode
/>
);
}- Reach out to support@stytch.com to disable SMS to international numbers for your Stytch Workspace if you do not need access to international SMS, especially if you're using any of our Frontend SDKs and can't enforce country code restriction.
Implement Device Fingerprinting or reCAPTCHA to prevent bots
- Since most toll fraud attacks are automated, using fraud prevention measures to block/challenge bots or headless browsing can meaningfully mitigate your risk.
- Stytch offers a device fingerprinting product that can be used to detect and block or challenge bot traffic and bad actors.
- If you’re using Stytch’s JavaScript SDK, Google reCAPTCHA can be easily implemented using our CAPTCHA guide.
Monitor and configure alerting for common toll fraud indicators
- Consider setting up alerting for some of the common toll fraud indicators described above, such as abnormally low SMS authentication rates, a spike in SMS quantity or velocity, or SMS logins from unusual geos.
Use SMS as second factor rather than a primary authentication measure
- Another approach to limit your risk is to use SMS only as a secondary authentication factor.
- For example, you can require users to verify their email prior to allowing them to interact with your SMS endpoints.
What to do if you suspect your app is experiencing toll fraud
If you believe your app is actively experiencing toll fraud, in addition to taking action to stop it on your end, please reach out to support@stytch.com so we can help you to mitigate the fraud quickly and effectively.