5

I am using firebase phone authentication in a website and react native application. We are getting an ~1,200-1,500 unknown sms sent in our firebase dashboard. None of these get verified, but we are incurring a cost for the same.

enter image description here

Basis our analytics software, we have requested for 257 OTPs in the past two days. The number of verifications are also in line with the analytics. Most of these unknown OTPs are from Lebanon, Israel, Timor-Leste & Palestine. We do not have any sessions from these regions.

Additionally, our analytics don't report any spike in even sessions on our app or website.

  1. Can anyone help in how to stop this sms abuse?

I have already blocked the regions. Any help would be highly appreciated.

OTP requests from client in the period enter image description here

Sessions by region enter image description here

DAU and MAU on firebase console shows users < 400 enter image description here

Rahul Jain
  • 117
  • 6

2 Answers2

7

firebaser here

Update (August 11): We discovered that the emails mentioned below about the SMS price change were not sent to the correct recipient list. We are very sorry for the confusion that this has caused. We've rolled back the billing change for now, are reverting the related SMS charges, and sent a new notification to the correct recipient list with the new date that the price change will come into effect. At this point every billing owner of a project that uses Firebase or Identity Platform for SMS/Phone authentication should have received the new message.

First off, I apologize for the unexpected Phone Authentication charges on your bill. It's related to a notice sent on Apr 10, 2023 and a reminder sent on Jun 12, 2023 with subject "[Billing Notice] New SMS pricing for Firebase Auth and Google Cloud Identity Platform (GCIP) starting August 1, 2023".

Please reach out to Firebase support who can help verify the usage and configuration. In the meantime, here are a few things you can investigate right now that can help protect your project from excess charges and potential abuse going forward:

  • Understand your regional SMS usage
    View your SMS usage and look for regions with very high sent SMS and very low (or zero) verified SMS. The ratio of sent/verified is your success rate.

  • Consider SMS Region Policy
    Use SMS Regions to deny SMS regions with low success rates and/or where you don't expect any users of your app, or only allow certain regions.
    How to set the SMS regions in the Firebase console

  • Limit your authorized authentication domains
    Use the authentication settings dashboard to manage authorized domains. The localhost domain is added by default to the approved authentication domains, and you should consider removing it in your production project to prevent abusers from running code on their localhost to access your production project. Remove localhost as an authorized domain



Additional options are available if your project is upgraded to Identity Platform:

  • Enable and enforce App Check
    Enable App Check to help protect your project from abuse by validating requests. Check the pricing of Identity Platform before upgrading and remember that you will also need to enforce App Check for Firebase Authentication in the Firebase console. Double check your reCaptcha Enterprise approved sites list to validate that it only contains your production sites.
    Enforce App Check in the Firebase console

  • Reconfigure Multi-Factor Authentication
    If you already have multiple providers, and can operate without Phone Authentication, you may want to disable Phone Authentication as a first factor option. This will remove SMS as an attack/abuse vector since the user will be able to request an SMS/Phone Auth as a second factor once the first factor is verified.

In addition to the above, you can also set budget alerts and automated cost control responses to help prevent this from happening in the future. You can find more details in Create budget alerts and in Selectively control usage. Keep in mind that using Cloud Functions to stop service usage will make all services on your project unavailable.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks Frank for the answer. I have banned the countries from which the abuse is coming. The thing that helped me stop the abuse was restrict our app keys for the devices and add a strict rate limit to the identity toolkit api in the google console. May I suggest that we add this in the Firebase documentation or provide a way in the console to add this limits on sms/ip level, query per minute for each individual countries – Rahul Jain Aug 06 '23 at 07:54
4

Is Firebase passing its inability to prevent SMS fraud to users? Firebase phone auth says it will "verify that phone number sign-in requests are coming from your app" (via Play Integrity API, reCAPTCHA etc).

Firebase app attestation

However Firebase provides no controls to developers for rate limiting (for example, only 1 SMS/unique device/hour etc.) SMS is directly sent by Google, and apps have no control on this limit. It seems to me that AppCheck in this case is also useless because fake SMS traffic (SMS pumping) is being generated from app surfaces. So how does Google expect developers to manage usage? Blocking legitimate countries wholesale is not really a solution here.

Pier1 Sys
  • 1,250
  • 2
  • 12
  • 21
  • I find myself agreeing with you that the AppCheck won't help as those phony requests are clearly not coming through mobile client. I say so because of the frequency of the requests and no timeout for the requester mobile number. – rashidotm Aug 06 '23 at 10:48
  • I have a ticket open and there are tons of people complaining but I don't see any great answer from google. Does anyone have a solution ? It's just not acceptable to block countries that we needs. We will have to change all app authentication because there is no solution. Google just left us like this without any solution. – mcfly Aug 08 '23 at 07:04
  • Even opening a ticket they seems not open to refund. – mcfly Aug 08 '23 at 07:05