Researchers Expose Cheap Online Fraud Loophole

-

 



Introduction: A Vulnerability Hidden in Plain Sight

Online platforms increasingly rely on verification systems to stop fake accounts and fraudulent activities. Yet a new study by University of Cambridge researchers reveals that one of the most widely used security methods, SMS verification can be bypassed for just a few cents, calling into question the effectiveness of this defense. Their findings highlight a growing challenge in the fight against online fraud.

SMS Verification: Not as Secure as We Think

Most websites, apps, and social platforms request a phone number and send a one-time SMS code during registration. This method is supposed to prove that a user is legitimate. However, the Cambridge team found that cheap disposable phone numbers can bypass this process entirely, making it extremely easy for fraudsters to operate at scale.

Key points from the research:

  • Fake accounts can be created using SMS activation services for less than 30 cents per number.

  • In some cases, numbers cost as little as 10–15 cents, reducing costs for attackers even further.

  • This makes SMS verification a weak barrier, especially when used by itself to block bots and fake identities.

How the Bypass Actually Works

Researchers analyzed four major SMS activation services: SMSActivate, 5Sim, SMShub, and SMSPVA. These websites sell temporary phone numbers that receive verification codes from platforms like social networks, messaging apps, and email providers.

Their findings revealed:

  • Users can purchase thousands of disposable numbers cheaply.

  • Attackers can automate the process to create mass fake accounts.

  • The entire system undercuts the purpose of SMS verification — making fraud scalable and inexpensive.

Real-World Impact: Why This Is a Serious Warning

The researchers didn’t just theorize — they tested the vulnerability. In many cases, they successfully registered accounts using disposable numbers, proving how easily the system can be manipulated.

This loophole can lead to:

  • Rapid creation of fake accounts used for scams, bot networks, and propaganda

  • Social engineering attacks that appear more legitimate

  • Higher risk of identity fraud

  • A breakdown of trust in verification systems

When fraudulent activity becomes cheap and scalable, online communities and platforms become more vulnerable than ever.

What Platforms Should Do Next

SMS verification is no longer reliable as a standalone security measure. Platforms may need to adopt stronger, layered authentication methods such as:

  • App-based two-factor authentication (2FA)

  • Device fingerprinting

  • Biometric verification

  • AI-driven behavioral analysis

Relying solely on phone numbers is becoming outdated in a world where fake identities cost less than a cup of coffee.

What Users Can Do to Stay Safe

While most of the responsibility lies with platforms, users can also take steps to protect themselves:

  • Use strong passwords and enable 2FA apps (not SMS).

  • Be cautious of accounts that look suspicious or newly created.

  • Stay informed about cybersecurity developments.

  • Avoid giving personal information to unverified profiles.

Cybersecurity is no longer optional — it’s essential.

Conclusion

The Cambridge study highlights a troubling reality: a critical barrier designed to prevent online fraud can be bypassed for pennies. As digital threats grow and become more complex, both platforms and users must adopt stronger security practices. SMS verification, once considered a strong defense, now risks becoming obsolete without additional layers of protection.

🔗 Reference

https://www.reuters.com/business/media-telecom/key-barrier-online-fraud-can-be-bypassed-pennies-say-researchers-2025-12-11/

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more