How Elon’s Twitter Takeover Changed One-Time Passwords

  • Post author:
  • Post category:
    messaging

The great part of being at ID.me is the outside-in perspective it provides on telecom. Nowhere is this more apparent than when dealing with Artificially Inflated Traffic, or AIT. Simply put, AIT occurs when a downstream carrier colludes with a bad actor to artificially drive up text-messaging traffic.

My colleague, Symeon Brown, is at the forefront of this fight, protecting the ID.me network from these attacks. He recently wrote about ID.me’s fight, with the numbers to back it up. His article shows exactly why AIT continues to be the scourge of the industry and why, despite our best efforts, the problem remains unsolved.

But why does this happen? Why, when the network is so transparent, is it so hard to identify and block this fraud? To use an old saw: Let’s follow the money.

Like much of the current thinking in Silicon Valley, AIT has a “before” and an “after” Elon Musk.

Before Musk

It was easy for the industry to look the other way because the customer was going to pay regardless. When an AIT attack happened, the usual talking points applied:

“We’re sorry this happened, but we have bills to pay, so there is no way for us to eat this cost. It’s yours to pay.”

This commentary was usually couched with a list of “best practices” that the brand or software developer needed to implement to prevent future occurrences. I’m not saying the entire industry was colluding—just that it was easy to make the “We have bills to pay too” argument and force the brand to foot the bill.

After Musk

Then came Elon’s Twitter takeover. Elon shared many famous tweets and videos  about his “cleanup” of the platform. One of them was about the $60 million Twitter had been paying for fake one-time password (OTP) traffic.

Now, keep in mind, $60 million was probably a rounding error in Twitter’s total text-messaging bill. But when a company is facing a financial crisis, $60 million is real money. Elon, of course, deployed a well-used weapon: declaring he had no intent to pay any of it.

In product organizations across the Valley, that declaration sparked conversations between product managers and their leadership that went something like this:

“How much are we paying in AIT?”

“I don’t know. It’s usually a small part of a big bill, and customers like the convenience.”

“I don’t care. Fix it.”

Product managers then had a tough call to make: Should they build convoluted, per-geography checks (e.g., if the OTP is going to a certain country, route it to email; for others, use SMS)? Or just pivot to email and push everyone there? It was cheap and stopped the financial bleeding, and for low-stakes apps, it was good enough.

Seemingly overnight, that SMS traffic disappeared.

The Fallout

Let’s start with a simple truth about messaging. There are really just two types of traffic: promotions and notifications. Together, they bring in about 80% of all revenue—and most notifications are OTP traffic.

So, when that OTP money declined, everyone took notice.

Some providers tried to build cost-sharing arrangements, where the vendor shared proven AIT traffic “at cost.” But this is a high-cognitive-load exercise. Not only does the AIT need to be caught, but it also must be mutually adjudicated as something both parties should split. In a margin-beholden industry, these were never pleasant conversations.

The other approach was to provide add-ons that absolved the brand of financial liability. For a fee (typically a premium tacked on to your per-message rate), the CPaaS provider would protect you from the bill. Think of it like an airline offering you baggage insurance after charging you a checked-bag fee. Isn’t the whole point of the fee not to lose my baggage? Shouldn’t the ticket cost cover that baseline service?

Just like your favorite airline, the messaging industry was dealing with a captive audience—one that had little recourse before Twitter Elon. Regardless of what you think of him, his effect on tech is singular, and that includes AIT. He made it acceptable for brands to say:

“You know what? I don’t need to accept this. I don’t need OTPs over SMS; email is good enough.”

Predictably, OTP traffic took a hit. The industry responded, and some of the drop-off has stabilized, but that old traffic is never coming back. The way product organizations work, turning SMS OTP back on will only become a priority when there is an overwhelming business reason to do so. Otherwise? Email just works.

Finally

While email “just works” for a casual app, it doesn’t cut it for high-security environments. Email introduces latency, friction, and its own security vulnerabilities. Moreover, for an identity network like ID.me, turning off SMS isn’t an option.

AIT remains a stubborn problem. As it stands now, unless you pay for protection, you’re bound to get robbed. And yet, thanks to the resilience and pervasiveness of SMS, brands can’t just turn it off. That’s why front-line warriors like Symeon will continue fighting to protect the network, the brands’ cost structure, and, most importantly, the members’ experience.