Security teams have long relied on SMS one-time codes to verify users. But this approach carries hidden costs—fraudulent traffic inflates bills by millions annually, while international carrier fees make scaling unpredictable. The solution isn’t just switching providers—it’s flipping the direction of verification entirely.
The hidden cost of SMS 2FA
SMS-based two-factor authentication (2FA) seems straightforward: a service sends a code, and the user types it back. Yet this simplicity masks structural vulnerabilities that inflate budgets and invite fraud.
Every outbound SMS carries a per-message fee, which spills into three major pain points:
- Fraudulent traffic: Scammers exploit verification endpoints by submitting thousands of phone numbers tied to premium-rate carriers. The company pays for each message, while a cut of the termination fee flows back to the fraudsters. Elon Musk revealed that X (formerly Twitter) lost approximately $60 million annually to this scheme before eliminating free SMS 2FA.
- Unpredictable scaling costs: Volume surges from marketing campaigns or bot attacks trigger sudden bill spikes. A single viral launch can turn a predictable line item into a budgeting nightmare.
- International carrier surcharges: Cross-border SMS incurs steep, variable fees imposed by telecoms. In the U.S., additional overhead from A2P 10DLC registration, brand vetting, and per-segment charges further erode margins.
These factors transform 2FA from a security staple into a financial liability that scales poorly and invites exploitation.
How SMS pumping works
At its core, SMS pumping—also known as artificially inflated traffic (AIT)—relies on a simple asymmetry: the company pays for every message sent. Fraudsters weaponize this by submitting batches of phone numbers linked to premium-rate SIM cards they control. Each verification request triggers an outbound SMS, generating revenue for the carrier and the scammers behind the scheme.
The attack requires minimal sophistication:
- Scammers identify or acquire phone numbers in premium ranges.
- They repeatedly trigger verification endpoints using automated scripts or botnets.
- The company absorbs the cost, unaware until the bill arrives.
Unlike phishing or credential stuffing, SMS pumping doesn’t target individual users. It weaponizes the company’s own infrastructure to siphon funds through legitimate billing channels.
Why mobile-originated 2FA breaks the scam
The key to stopping SMS pumping lies in reversing the flow of communication. Instead of the service sending a code to the user, the user sends a code to the service. This shift eliminates the outbound message—the very element that fraudsters exploit.
In mobile-originated (MO) 2FA, the user initiates the verification process by sending a message from their device to a designated endpoint. The service verifies the code without incurring per-message fees, carrier surcharges, or exposure to toll fraud.
Traditional MO systems rely on shortcodes, which are region-locked and expensive to provision. A modern alternative leverages end-to-end encrypted messaging platforms like iMessage to achieve the same goal with broader compatibility and lower overhead.
Reverse 2FA over iMessage: a practical example
We implemented a proof-of-concept that demonstrates the advantages of reverse iMessage 2FA. Here’s how it works:
- Challenge initiation: The service generates a one-time code and a deep link that opens the user’s iMessage app with the code pre-filled. For example:
- User action: The user taps the link, which opens Messages with the code already populated. They hit send from their own Apple ID.
- Verification: The service receives a webhook from iMessage confirming the message was delivered. It extracts the code and links it to the user’s verified identifier (e.g., phone number or email).
The entire workflow requires no outbound SMS, no per-message billing, and no exposure to SMS pumping. The code is verified instantly over WiFi or cellular data, eliminating delivery delays common in SMS-based systems.
Implementation: the code behind the concept
Building a reverse 2FA system is simpler than it appears. The following example uses Node.js and a webhook-based architecture:
// 1. Start a challenge: generate a code and iMessage deep link
app.post("/2fa/start", async (c) => {
const code = generateCode(); // Short, unambiguous one-time code
await store.create(code); // Status: "pending"
return c.json({
code,
link: `
});
});
// 2. Handle the inbound message via webhook
app.post("/webhook/blooio", async (c) => {
const event = await c.req.json();
if (event.event === "message.received") {
const code = extractCode(event.text);
if (code) {
// event.sender is the verified Apple ID or phone number
await store.verify(code, event.sender);
}
}
return c.json({ ok: true });
});This snippet encapsulates the entire process: code generation, deep link creation, and webhook-based verification. There’s no need for SMS gateways, carrier negotiations, or fraud monitoring tools focused on outbound traffic.
Comparing SMS 2FA and reverse iMessage 2FA
The table below highlights the key differences between traditional SMS 2FA and the reverse iMessage approach:
| Criteria | SMS 2FA | Reverse iMessage 2FA | |--------------------------|--------------------------------------|---------------------------------------| | Pricing model | Pay per message; spikes escalate costs | Flat monthly fee; predictable | | Fraud vulnerability | High; vulnerable to SMS pumping | Low; no outbound code to exploit | | International cost | Steep; carrier surcharges apply | Minimal; no cross-border fees | | Security | Sender IDs spoofable; SIM swap risk | E2E encrypted; tied to Apple ID | | Anti-phishing | Codes relayed or phished | User proves real device possession | | Delivery speed | Often delayed; network-dependent | Instant; works over WiFi/data |
The reverse iMessage model excels in cost control, fraud resistance, and user experience—without sacrificing security.
Real-world impact: cost savings and fraud prevention
Adopting reverse 2FA over iMessage delivers tangible benefits:
- Eliminates SMS pumping losses: Fraudsters can’t monetize outbound messages that don’t exist. Services like X saved millions annually by removing this vector.
- Predictable budgeting: Flat-rate pricing replaces volatile per-message fees, making financial planning straightforward.
- Reduced operational overhead: No need for A2P 10DLC registration, carrier negotiations, or fraud detection focused on outbound traffic.
- Improved user trust: Verification happens instantly, and users retain control of the process via their trusted messaging app.
For teams scaling globally or managing high volumes, the switch isn’t just a security upgrade—it’s a financial and operational win.
The future of 2FA: beyond SMS
As scams evolve, so must authentication strategies. SMS-based 2FA served its purpose, but its structural flaws have become too costly to ignore. Mobile-originated verification, particularly over end-to-end encrypted platforms like iMessage, offers a scalable alternative that aligns security with budgetary realities.
The next step isn’t to patch the existing system—it’s to rethink it entirely. By shifting the burden of initiation to the user, services can eliminate fraud incentives, reduce costs, and deliver a smoother experience. The technology exists today, and the savings speak for themselves.
AI summary
SMS 2FA drains budgets with fraud and unpredictable fees. Reverse iMessage verification eliminates pumping scams, saves up to 90% on costs, and delivers instant security.
