Expensive SMS and Phone Calls

DanMcNeece · ‎08-05-2021

There are ways to limit which two-factor options are available, like push notifications, SMS text, phone calls, etc. Several times we have been exploited by some account making multiple “expensive” telephony calls or even SMS text to foreign countries. Somehow these methods pay another third-party for making these calls, which get charged to our telephony credits.

Maybe this is an enhancement request. It seems like there should be a policy available that would restrict these “expensive”, more that 1 or 2 credit calls, to an authorized group. Then, we wouldn’t have to restrict and entire method, but could limit it to the one and two credit methods unless a person belonged to an override group.

DuoPablo · ‎08-06-2021

Hi @DanMcNeece ,

While it is possible to restrict the maximum number of credits consumed per authentication, this setting affects all users within your Duo account. You could also restrict SMS/Phone Calls as an authentication method and apply it to a specific group of users, or Globally and have the override group be the exception. I understand, however, that these may be less desirable options for what you are trying to accomplish.

Please feel free to submit a Feature Request via your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.

[Duo Blog] A Game of Phones: Fighting Phone Phreaks in the 21st Century

We appreciate your feedback!

Amy2 · ‎08-06-2021

@DuoPablo beat me to it, but I have a response for this as well with some additional info to share.
@DanMcNeece, thank you for sharing your concern here in the forum. This is a great idea you’ve proposed, and I’ve shared it with the internal team at Duo. I’m sorry to hear that you’ve experienced this type of unauthorized telephony activity. This can occur when new users are allowed to enroll in Duo via publicly accessible applications. Scammers can then create accounts that give them access to generate phone calls and profit from them in a type of scam known as toll fraud. This form of fraud can also occur if end-user primary credentials are compromised prior to enrolling in Duo, allowing a scammer to add their own phone and make unauthorized phone calls using the account.

We recommend only allowing known users to enroll in Duo to help combat this. This requires you to set your New User Policy to Deny Access and enroll users using one of the automatic enrollment options, bulk self-enrollment, or manual enrollment by a Duo administrator. You should also reduce your maximum per call credit setting to the lowest value that will enable your users. We also encourage you to put users that require telephony into User Groups and allow only those User Groups to use telephony as an authentication factor. Please see our docs for how to create and apply a custom Group Policy here.

Please also see our help article on telephony misuse and how to protect against it for more information.

DanMcNeece · ‎08-06-2021

Thank you @Amy and @DuoPablo! We have added a maximum credit limit. Another idea was to have a maximum per day limit on a user (maybe another enhancement)

This is helpful. We will investigate limiting DUO access to certain active users. Although, like you mentioned, if an active user’s account gets compromised, then it could also be exploited.

Amy2 · ‎08-10-2021

Glad you found the info we shared helpful! To clarifty, the user’s account would have to be compromised prior to them enrolling fully in Duo by adding their authentication device, but yes. That’s always a possibility. Let us know if you have any other questions. Thanks!