Overview
This article details how to mitigate toll fraud when using Okta for voice authentication.
Applies To
- Using Voice OTP or SMS OTP for multi-factor authentication
- Self-service registration is enabled on one or more Okta orgs
- Cases where an Okta org uses an Okta-hosted or a custom sign-in widget
- Cases where the Okta Authentication API and/or the Factors API are used for telephony (Voice or SMS) factors
- A custom user provisioning or self-service registration solution is enabled
- Okta Classic Engine
What is toll fraud?
International Revenue Sharing Fraud (IRSF), often referred to as toll fraud, is the use of a telecommunications product or service without the intent to pay. This typically involves a scheme where fraudsters utilize a phone system to generate a high volume of international calls on expensive routes.
How is a toll fraud attack carried out?
Fraudsters place calls to premium-rate numbers and take a cut of the revenue those calls generate. The resulting charges are billed to the customer by their telecommunications provider. Any country with expensive calling rates is a likely destination for toll fraud traffic. Some of the top destinations for toll fraud currently are:
- Cuba
- Latvia
- Somalia
- Lithuania
- Guinea
- The Gambia
- Maldives
- Estonia
- Zimbabwe
- Tunisia
Source: Twilio
How is toll fraud related to my Okta implementation?
If your Okta org is set up with the conditions below, you may be prone to toll fraud attacks:
- You allow users to self-register without strong proof of their identity. This includes custom user provisioning or self-service registration solutions that may be enabled in your org.
- You allow Voice or SMS authentication factors for registration or login.
NOTE: If toll fraud has occurred on your Okta org and the mitigations outlined below have not been implemented, Okta will not issue a refund for the use of telephony APIs.
If you have one of the features mentioned above in your org, fraudsters can abuse account creation or sign-in, then initiate Voice MFA calls to expensive countries by providing fake phone numbers. Okta will always enforce backend Voice MFA security measures; however, because the Okta service is not aware of the business logic used for account creation, we do not enforce identity proofing or deactivate potentially malicious users by default. While Okta continuously improves the tools available to help mitigate toll fraud attacks, we recommend carrying out the guidance in this article.
What are the implications of toll fraud attacks on my Okta org?
- Toll fraud attacks can contribute to the creation of fake accounts on your service, which could lead to:
  - Higher operational costs.
  - A devalued user base (non-quality leads, users who will never visit your site again, overall low engagement with your service). This also drives the cost of user acquisition higher.
  - Fraudulent selling activity (if applicable).
  - Cleanup work to remove the fake accounts.
  - Providers blocking your sender numbers, which degrades delivery of legitimate communications and lowers engagement.
- The impact of the toll fraud attack itself could lead to:
  - High volumes of toll traffic impacting the deliverability of Voice and SMS for legitimate users, because providers may choose to block numbers based on country.
  - Impact on SMS and Voice delivery to legitimate accounts if your org hits the service cap.
  - Increased aMAU numbers on your org. Note that Okta bills customers for usage above the purchased contract aMAU count and for use of the telephony APIs.
What has Okta implemented on our service to mitigate toll fraud?
- Service cap for SMS and Voice traffic
  If your Okta org hits the service cap limit, all Voice or SMS MFA traffic is blocked on your org for 24 hours and the requests receive a 429 error response. Separate limits apply to Voice and SMS: if one factor hits its service cap, only that factor is blocked.
- Per-user Voice and SMS rate limits
  Per-user Voice/SMS enrollment rate limits are enforced to prevent a single user from flooding your org with malicious calls.
- Alerts during an active attack
  Okta's support team will notify you in case of an active toll fraud attack on one or more of your Okta orgs.
Recommendations and best practices for mitigation
There are a variety of steps you can take to mitigate toll fraud attacks, including stronger security enabled for user creation/registration, enabling out-of-box security features, disabling Voice MFA, admin tools for monitoring, working directly with Okta Support, and partner integrations.
- Check your user provisioning methods
If applicable, we recommend revisiting your user provisioning/user creation methods to check if additional security measures can be added to prevent the creation of fake accounts.
Recommendations include:
  - Block account creation from known malicious geolocations
  - Validate user registration using email-based verification
  - Integrate with identity-proofing tools to determine whether the email address comes from a fake or disposable domain
  - Implement rate limiting on custom registration pages to stop fraudsters from generating fake accounts in large volumes
  - Deactivate fake users in your org to prevent fraudsters from rotating through the fake accounts to generate calls
- Okta features that help block malicious traffic pre-authentication
Use network zones to block malicious traffic
If you are aware of known malicious IPs attempting to access your Okta org(s), utilize Okta’s network zones to block traffic pre-authentication. This means fraudsters will not be able to access your Okta sign-in and registration pages if the attempt is initiated from an IP or network identified in your network zone policy. To learn more about blocking access pre-authentication, see Create an IP Zone.
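As an added example (not part of this article and not Okta's own tooling), the following Python builds an IP blocklist network zone of the kind described above and validates the ranges before anything is submitted. The request shape it assumes (POST to /api/v1/zones with type "IP", usage "BLOCKLIST", gateways of type "CIDR", and an "Authorization: SSWS <api token>" header) follows the public Okta Zones API as understood by the author; confirm it against your org's API reference. The guard rails (minimum prefix length, rejecting loopback/link-local/multicast ranges) are the author's own, because a pre-authentication block that is too broad also locks out your admins.

```python
"""Added example (not from the article or Okta): build and submit an Okta IP
blocklist network zone for pre-authentication blocking.

Assumptions: POST {org}/api/v1/zones accepts a body with type "IP",
usage "BLOCKLIST" and gateways of type "CIDR", authenticated with
"Authorization: SSWS <api_token>". Nothing touches the network unless
submit_zone() is called explicitly.
"""
import ipaddress
import json
import urllib.request

# Assumed guard rails: refuse ranges wider than this per IP version. A
# pre-auth block applies to admins too, so an accidental /0 is catastrophic.
MIN_PREFIX = {4: 16, 6: 32}


def validate_cidr(cidr):
    """Return a normalised ip_network for cidr, or raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(
            f"{cidr}: prefix shorter than /{MIN_PREFIX[net.version]} blocks far too much")
    if net.is_loopback or net.is_link_local or net.is_multicast or net.is_unspecified:
        raise ValueError(f"{cidr}: not a range attacker traffic can originate from")
    return net


def build_blocklist_zone(name, cidrs):
    """Validate and de-duplicate the CIDRs, then return the zone request body."""
    gateways, seen = [], set()
    for cidr in cidrs:
        net = validate_cidr(cidr)
        if net in seen:
            continue
        seen.add(net)
        gateways.append({"type": "CIDR", "value": str(net)})
    if not gateways:
        raise ValueError("a blocklist zone needs at least one range")
    return {"type": "IP", "name": name, "status": "ACTIVE",
            "usage": "BLOCKLIST", "gateways": gateways, "proxies": None}


def submit_zone(org_url, api_token, body):
    """POST the zone body to the org and return Okta's JSON response."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/zones",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed input: two documentation ranges plus a duplicate with host bits set.
    body = build_blocklist_zone(
        "Toll fraud sources", ["203.0.113.0/24", "198.51.100.0/24", "203.0.113.9/24"])
    print(json.dumps(body, indent=2))
    # submit_zone("https://example.okta.com", "<api token>", body)
```

Blocking by network zone only stops the sources you already know about; pair it with the log monitoring below so newly observed attacker IPs can be fed back into the zone.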
- Disable Voice MFA or control Voice MFA per group as an Okta admin
If you do not need Voice MFA enabled on your Okta org for any user, deactivate via Security > Multifactor.
If you do need Voice MFA, do not allow new account enrollment until some form of identity proofing has been completed to ensure that the account is not fraudulent.
- Monitoring of your Okta org
Monitor for malicious activity in the Okta System Log and deactivate bad actors.
Below is an example of how to monitor suspicious voice activity using the Okta add-on for Splunk.
The Splunk query below does the following:
- Filters on the event type system.voice.send_phone_verification_call and counts each combination of user, IP address and user agent, returning the combinations whose count exceeds a threshold (here, count > 20).
- The threshold should be set according to the timeframe of the search. If the search runs every hour, set the threshold higher than the benign activity expected in an hour.
event_type="system.voice.send_phone_verification_call" | stats count values(client_geographical_context_country) as Country dc(target1_alternate_id) as unique_count_phone_numbers by actor_alternate_id, client_ip_address, client_user_agent_raw_user_agent | where count > 20 | table actor_alternate_id, client_ip_address, client_user_agent_raw_user_agent, Country, unique_count_phone_numbers
Explanation of fields in the above query:
- event_type: Event recorded by Okta based on the user's action. In this case, the event indicates that phone call verification was initiated.
- actor_alternate_id: Email address of the user.
- client_ip_address: IP address of the user.
- client_user_agent_raw_user_agent: User-agent string.
- target1_alternate_id: Mobile phone number to which the verification call was sent.
- client_geographical_context_country: Geolocation of the user's IP address.
Based on the output, deactivate and then delete the bad actors/fake users in your org.
-
- The System Logs query below can also be used to filter all the Toll Fraud events in your org:
eventType eq "system.sms.send_factor_verify_message" and outcome.reason eq "Toll Fraud Suspected"
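As an added example (not from this article and not Okta's own tooling), the following Python runs the same hunt as the Splunk query above directly over raw Okta System Log JSON, so it works without Splunk: it groups telephony events by user, IP and user agent, counts them, collects distinct phone numbers and source countries, and keeps the groups above a threshold. It adds two checks a practitioner would want alongside that: events Okta itself marked with outcome.reason "Toll Fraud Suspected" (the System Log filter above), and verification calls or messages sent to numbers whose E.164 prefix lands in one of the high-risk destinations listed earlier. The field paths (eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, client.geographicalContext.country, target[].alternateId, outcome.reason) follow the Okta System Log API; the sample events are constructed, and the prefix table is an assumption you should extend for your own allowed countries.

```python
"""Added example (not from the Okta article, not Okta's tooling): hunt for
toll-fraud patterns in raw Okta System Log events. Mirrors the Splunk query
(count per user/IP/user agent, distinct numbers, source countries) and adds
events Okta flagged as "Toll Fraud Suspected" plus a destination-country
check. Sample events are constructed; the prefix table is an assumption.
"""
from collections import defaultdict

VOICE_EVENT = "system.voice.send_phone_verification_call"
SMS_EVENT = "system.sms.send_factor_verify_message"
TELEPHONY_EVENTS = (VOICE_EVENT, SMS_EVENT)

# Assumption: E.164 calling codes for the destinations the article lists.
HIGH_RISK_PREFIXES = {
    "53": "Cuba", "371": "Latvia", "252": "Somalia", "370": "Lithuania",
    "224": "Guinea", "220": "The Gambia", "960": "Maldives", "372": "Estonia",
    "263": "Zimbabwe", "216": "Tunisia",
}


def destination_country(phone):
    """Return the high-risk destination for an E.164 number, else None.
    Longest prefix is tried first so the three-digit codes win."""
    digits = phone.lstrip("+")
    for length in (3, 2):
        name = HIGH_RISK_PREFIXES.get(digits[:length])
        if name:
            return name
    return None


def aggregate(events, threshold=20, event_types=TELEPHONY_EVENTS):
    """Group telephony events by (user, IP, user agent), like the Splunk
    'stats ... by' clause, and keep only groups with count > threshold."""
    groups = defaultdict(lambda: {"count": 0, "phones": set(), "countries": set()})
    for ev in events:
        if ev.get("eventType") not in event_types:
            continue
        client = ev.get("client") or {}
        key = (ev["actor"]["alternateId"], client.get("ipAddress"),
               (client.get("userAgent") or {}).get("rawUserAgent"))
        g = groups[key]
        g["count"] += 1
        g["countries"].add((client.get("geographicalContext") or {}).get("country"))
        for t in ev.get("target") or []:
            if t.get("alternateId"):
                g["phones"].add(t["alternateId"])
    return {k: v for k, v in groups.items() if v["count"] > threshold}


def flagged_by_okta(events):
    """Events Okta already marked with outcome.reason 'Toll Fraud Suspected'."""
    return [ev for ev in events
            if (ev.get("outcome") or {}).get("reason") == "Toll Fraud Suspected"]


def high_risk_destinations(events):
    """(user, phone, destination) for every verification call or SMS sent to
    a number in a high-risk country, regardless of volume."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in TELEPHONY_EVENTS:
            continue
        for t in ev.get("target") or []:
            dest = destination_country(t.get("alternateId") or "")
            if dest:
                hits.append((ev["actor"]["alternateId"], t["alternateId"], dest))
    return hits


def _event(actor, ip, ua, phone, country="US", event_type=VOICE_EVENT, reason=None):
    # Constructed System Log event carrying only the fields this example reads.
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua},
                   "geographicalContext": {"country": country}},
        "target": [{"alternateId": phone}],
        "outcome": {"result": "SUCCESS" if reason is None else "FAILURE",
                    "reason": reason},
    }


# Constructed sample: a scripted actor cycling 25 Cuban numbers from one IP,
# one legitimate user, and one SMS attempt that Okta itself flagged.
SAMPLE_EVENTS = (
    [_event("bot@example.net", "203.0.113.7", "python-requests/2.31",
            f"+5355{100000 + i:06d}") for i in range(25)]
    + [_event("alice@example.com", "198.51.100.10", "Mozilla/5.0", "+14155550100")]
    + [_event("bot@example.net", "203.0.113.7", "python-requests/2.31",
              "+2527123456", event_type=SMS_EVENT, reason="Toll Fraud Suspected")]
)
```

Run it over events pulled from the System Log API (or exported from your SIEM) and feed the flagged actors into the deactivation step described above, and the offending IPs into a blocklist network zone. The destination check is deliberately independent of the volume threshold: a single enrollment to a premium-rate destination from a self-registered account is worth a look even before the count climbs.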
- Working with Okta Support
- Contact Okta Support to provide an allowed list of countries.
  If you are confident in the specific list of countries serving your customers and would like to block Voice MFA calls to all other countries, contact our support team. We will block all countries to which there should be no Voice MFA traffic.
- Contact Okta Support to modify rate limits for your org.
  If you are experiencing increased toll fraud attacks or an increase in the creation of fake user accounts, Okta Support can work with you to set strict rate limits on the Voice and SMS enrollment endpoints, reducing the rate at which new accounts can be created and enrolled on your org.
- Disable Voice MFA.
  If you will never require Voice MFA on your Okta org(s), contact our support team to disable this feature on your org.
- Partner Integrations
Integrate with identity-proofing solutions for new account creation.
Enable user self-verification through document-based and/or knowledge-based proofs to improve identity confidence and approve access for authorized individuals. See our Identity Proofing webpage to learn more.
If you have any additional questions on toll fraud, please contact your Okta account team.
