AIT – what it is and why it matters

AIT – what it is and why it matters

Few people outside of niche techy circles had even heard of AIT until this year – now it’s something of a buzz phrase.

The single biggest reason is – Elon Musk.

The tech sector’s highest-profile character – the outspoken, performative man behind PayPal, Tesla, SpaceX and rockets to space – dragged it screaming into the spotlight in the early days of his new role as the owner of Twitter.

“I discovered that Twitter was being scammed to the tune of $60 million a year for SMS texts,” he raged. “Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.”

Elon – welcome to Artificially Inflated Traffic.

Like many things in the digital world this long-winded phrase is usually reduced to its acronym, AIT. Or it’s sometimes described alternatively as AGT – Artificially Generated Traffic – but it amounts to the same thing.

And Musk’s description was pretty much spot on, although it’s usually described somewhat less frankly.

It’s essentially a scenario in which bad actors use bots to register new accounts on websites, with each new application automatically generating the sending of a one-time passcode (OTP) via SMS.

The reason they do this is that the ultimate client – in Musk’s case Twitter – will foot the bill for the OTP messages sent to all these bot accounts. And although the amount charged for each single message sent is relatively low, if those bots can work up hundreds of thousands or even millions of new applications, then the aggregated sum for the scammer can be very lucrative indeed.

By artificially inflating traffic they generate revenue in the absence of a single real new customer.

And, as Musk says – because payment takes place all but automatically – the money can disappear before anyone has even noticed it’s happening. The scammers will further work this under-the-radar aspect deliberately. For example, they’re fond of initiating a wave of applications on a Friday evening when they’re less likely to be detected – and addressed – for hours longer than in another slot.

But where Musk does oversimplify is in his attribution of blame: ‘there are telcos who are not being super honest’.

This reductive statement suggests that there’s a single visible culprit for each AIT scam – in fact, infuriatingly, there almost always isn’t, which is what makes it so difficult to call out the offender and cease trading with them.

This is because of the complexity of the digital chains involved in these processes, with multiple agencies interacting with each other and each paying and receiving fees in small sums.

So, trying to identify ‘whodunnit’ and initiate sanctions against them after they ‘dunnit’ is usually a doomed enterprise: it’s very difficult to work out who the culprit is and if you disrupt the existing connections speculatively you could be cutting off genuine new customers whom, of course, you’re desperate to engage.

It makes much more sense to adopt the most up-to-date procedures at the point of onboarding. By using telcom data-driven screening processes, host companies can detect in seconds whether the number used at the point of sign-up is genuine and connected to a real person. Our version of this is called TMT Authenticate – but other products are available, as they say on the BBC. The point is with these procedures is you don’t let your platform get flooded with fake customers so you no longer know who’s real and who’s not – and you don’t need to send OTPs at all because the verification security is of such high integrity they’re simply not required. So, there’s no risk of AIT attacks whatsoever.

But, of course, sometimes you just aren’t in the right place to tear up your onboarding procedures and start again. If you still need to use SMS-delivered OTPs as a customer communication tool for now then we have an alternative product, TMT TeleShield, which can work with what you’ve got and make it much more secure. This weeds out those bot numbers and ensures that only genuine, active numbers attached to a real person in the place they claim to be can receive them – and blocks, for example, premium rate numbers or invalid numbers linked to attempted AIT.

Musk, characteristically, tried to come up with his own solution: “I said cut off any telco that’s got fraud above 10 percent. Now that has caused some havoc in many parts of the world. Now we’re going back to the telcos and saying: ‘Listen, if you stop scamming us, then we will gladly pay you some amount of money for SMS texts, but you can’t turn a blind eye’. We’ll take 10 percent fraud, but we’re not going to take 90 percent fraud.”

I’m not sure this approach could ever be functional or even cost effective. It’s much cheaper to invest in protocols to avoid the problem. But Musk will be Musk.

For the rest of us it’s more about practical ways forward. Because of course this issue is global. Twitter is only the tip of a very lucrative and slippery AIT iceberg.