
In the following guest post, Chris Quirk, a wholesale broker at ARC Excess & Surplus, part of CRC Group, takes a detailed look at the cyber liability insurance implications of text messaging fraud schemes. I would like to thank Chris for allowing me to publish his article as a guest post on this site. Here is Chris’s article.
******************
Modern businesses increasingly rely on text messaging to support core business functions, including: one-time temporary passcodes for login access, delivery and appointment reminders, transaction alerts, and customer-service updates. These functions are delivered through “communications platform as a service” (cPaaS) providers — specialized vendors that allow companies to programmatically send and receive SMS text messages using “application programming interfaces” (APIs). In practice, these platforms function as a bridge between a company’s software and the global telecommunications ecosystem, purchasing connectivity from carriers and charging customers on a usage basis, typically per message (and often per message segment), with pricing that can vary materially by destination and routing. Two examples of cPaaS providers are Twilio and Sinch.
Where a business has built a workflow that automatically sends an SMS in response to a user action (e.g., “send me a two-factor passcode,” “text me a link,” “confirm my phone number or appointment”), a class of scams known as “SMS Pumping” or “Artificially Inflated Traffic” schemes has arisen to abuse workflows that are not properly protected. The objective of these schemes is to trick the victim business’s workflow into sending millions of SMS messages to numbers controlled by the fraudsters. Fraudsters profit through revenue-sharing arrangements on the receiving end of the SMS traffic, often in collaboration with shady mobile network operators (MNOs) in certain countries. The loss for the victim business is an exceedingly high bill from its cPaaS service provider, often multiple hundreds of thousands of dollars or more, which the cPaaS provider is typically willing to negotiate but not waive entirely.
How this happens
Bots scan the internet for a business’s SMS-triggering endpoints (signup, OTP, “send code”) and quickly test whether they can trigger SMS repeatedly with little friction (e.g., no CAPTCHA, weak throttles, no per-IP or per-number rate limiting). Once they find an “easy to trigger” endpoint, they automate requests using botnets, rotating IPs, and headless browsers. The victim’s app keeps saying “sure, here’s a code” over and over again, millions of times, and calls the cPaaS provider each time. The victim gets billed per message (and sometimes per segment) plus any relevant pass-through carrier fees. At scale, it adds up fast, especially if the destination is international. By the time the scheme is discovered and stopped, it is not uncommon for the victim to have racked up hundreds of thousands of dollars or more in cPaaS service fees. According to reports, cPaaS providers have been willing to negotiate on the amounts due, but unwilling to waive them completely. A victim may still be expected to pay up to 70% of the original bill after negotiation.
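One way to put the missing friction described above in front of a “send code” endpoint, as an added example that is not part of Chris’s article (the thresholds, the served country prefixes, the SmsGuard class and the replayed traffic are all constructed assumptions, and the destination prefix +999 is made up):

```python
from collections import defaultdict, deque
# Thresholds and served markets are assumptions for this demonstration.
WINDOW_SECONDS = 600              # sliding window for all limits
MAX_PER_NUMBER = 3                # OTP sends per destination number per window
MAX_PER_IP = 5                    # sends per source IP per window
MAX_PER_PREFIX = 20               # sends per country prefix per window (burst cap)
ALLOWED_PREFIXES = ("+1", "+44")  # country prefixes the business actually serves

class SmsGuard:
    """Sits between the 'send code' handler and the cPaaS client; a send only reaches the provider (and the bill) when check() returns None."""

    def __init__(self):
        self.seen = defaultdict(deque)  # limit key -> timestamps of allowed sends

    def _count(self, key, now):
        q = self.seen[key]
        while q and now - q[0] > WINDOW_SECONDS:  # forget sends outside the window
            q.popleft()
        return len(q)

    def check(self, ip, number, now):
        """Return None if the send may proceed, otherwise the blocking reason."""
        prefix = next((p for p in ALLOWED_PREFIXES if number.startswith(p)), None)
        if prefix is None:
            return "destination prefix not allowed"
        limits = {("num", number): (MAX_PER_NUMBER, "per-number limit"),
                  ("ip", ip): (MAX_PER_IP, "per-ip limit"),
                  ("prefix", prefix): (MAX_PER_PREFIX, "per-prefix burst limit")}
        for key, (limit, reason) in limits.items():
            if self._count(key, now) >= limit:
                return reason
        for key in limits:  # record only sends that actually go out
            self.seen[key].append(now)
        return None

def replay(requests):
    """Replay (timestamp, ip, number) requests; return (sent, blocked_by_reason)."""
    guard, sent, blocked = SmsGuard(), 0, defaultdict(int)
    for ts, ip, number in requests:
        reason = guard.check(ip, number, ts)
        if reason is None:
            sent += 1
        else:
            blocked[reason] += 1
    return sent, dict(blocked)

# Constructed traffic: one legitimate user, a pumping burst to sequential numbers in an
# unserved (made-up) destination, then a burst inside a served prefix from rotating IPs.
LEGIT = [(0, "203.0.113.5", "+14155550100")]
FOREIGN_BURST = [(i, "198.51.100.7", f"+9995550{i:04d}") for i in range(100)]
ROTATING_BURST = [(200 + i, f"192.0.2.{i % 50}", f"+44700090{i:04d}") for i in range(100)]
```

The rotating-IP burst is the instructive case: a per-IP limit on its own never trips, so the per-prefix burst cap is what stops the bill from growing past the first twenty messages.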
The good news is that insurance coverage may be available for this type of loss under the Cyber Liability policy’s first-party Utility Fraud or Service Fraud insuring agreements. While Cyber coverage has converged toward an industry standard for the familiar insuring agreements (liability, regulatory, and breach response), there is still considerable variance in the coverage provided by these ancillary first-party agreements. In other words, even if you have Utility or Service Fraud coverage under your policy, some policies may cover the scenario described above while others may not. The devil is unsurprisingly in the details.
Some Examples
The following examples are sampled directly from policies commercially available today from well-known Cyber Liability insurers.
Example 1
To indemnify the Insured Organization for any direct financial loss sustained resulting from:
3. Telephone Fraud;
Telephone Fraud means the act of a third party gaining access to and using the Insured Organization’s telephone system in an unauthorized manner.
I am doubtful that this wording would provide coverage for an SMS pumping loss. While the cPaaS architecture running on the victim’s network could plausibly be construed to be part of its telephone system, there remains an unfulfilled condition that the fraudster “gain access to and use” a telephone system, which is unlikely to have occurred here. Because of the word “and,” both conditions are required to trigger coverage: access to and use of the network. In the scenario, all the fraudster did was abuse public-facing endpoints that any consumer can use for legitimate purposes. At no point did the fraudster intrude into or log into the network, thereby “gaining access” to it. Arguments would have to be made as to what constitutes “gaining access” and whether a fraudster who only exploited public endpoints met that condition, but I think this language has a poor likelihood of providing coverage for an SMS pumping loss.
Example 2
Utility Loss incurred directly as a result of Utility Fraud.
The Company will pay for Loss up to the Utility Fraud Limit of Liability identified above, provided the Loss first occurs and is discovered by the Insured during the Policy Period and is reported to the Company in accordance with the conditions section of this policy.
Utility Loss means:
An increase in expenses incurred by the Insured resulting from the unauthorized use of any of the following services or resources:
a. electricity;
b. water;
c. natural gas;
d. heating oil;
e. internet access, including mobile data;
f. telephone;
g. cable or satellite television;
h. sewerage; or
i. cloud computing
provided such expenses:
a. are charged to the Insured in a periodic billing statement by the provider of such service or resource pursuant to a written contract or agreement between the Insured and the provider that was executed before the Utility Fraud occurred; and
b. are not charged at a flat fee that does not scale with the rate of use of such service or resource.
Utility Fraud means:
The unauthorized use of or access to the Insured’s Computer System by a Third Party, including Cryptojacking or Telecommunications Fraud, that results in a Utility Loss.
This language will depend on whether the fraudster’s actions were an “unauthorized use” of the victim’s computer system, but I think strong arguments can be made in favor of coverage here. The fraudster’s scheme abused the network’s public-facing endpoints in a manner that was not authorized by the victim, thus leading to an increase in expenses incurred by the victim with its cPaaS provider. A critical difference from Example 1 is the use of “or” here, which requires only one of unauthorized access or unauthorized use in order to trigger coverage; Example 1 uses “and,” which affirmatively requires both “access” and “use.” As mentioned previously, “access” seems to be much more difficult to establish in this scenario. I think this agreement has a good likelihood of providing coverage for an SMS pumping loss.
Example 3
We will pay on your behalf Service Fraud Loss that you incur resulting from a Security Failure first discovered by you during the policy period.
Service Fraud Loss means direct financial loss that you incur as the result of being charged a fee for the fraudulent use of Business Services, including fraudulent use arising from cryptojacking.
Business Services means software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), network as a service (NaaS), voice over internet protocol, and telephony services that:
1. you use regularly in the normal course of your business;
2. you are charged a fee for on a regular periodic basis, no less frequently than on a semi-annual basis; and
3. are provided to you pursuant to a written contract.
Security Failure means the failure of security of computer systems which results in:
1. loss, alteration, corruption, or damage to software,
2. transmission of malicious code from computer systems to third party computer systems that are not owned, operated, or controlled by the named insured or subsidiary; or
3. a denial of service attack on the named insured’s or subsidiary’s computer systems; or
4. access to or use of computer systems in a manner that is not authorized by you, including when resulting from the theft of a password.
This agreement works similarly to Example 2, but there is an additional condition, not present in Example 2, that there be a “failure of security” that led to an “unauthorized use.” Whether the definition of Security Failure is triggered depends on whether the abuse of the public-facing endpoints constitutes a “failure of security.” The answer to that, for me, is unclear. An insurer might say that there was no failure of security because the same service charge would have occurred if the victim had instead been solicited by millions of legitimate customers, and thus the system was operating properly as configured. However, if the abuse were deemed to be a “failure of security,” then the rest of the agreement would likely be triggered by the unauthorized use of the network’s public-facing endpoints (access is not required for coverage), leading to the victim being charged fees due to the fraudulent use of the cPaaS system by the fraudster. The cPaaS system should easily qualify as Business Services. I think the likelihood of coverage with this language falls somewhere between Examples 1 and 2.
For companies that rely on cPaaS as a core business function, when buying Cyber Liability coverage, ensure that a Utility Fraud (or equivalent) insuring agreement is included and review the language closely. The above examples demonstrate three different scopes for the same coverage, each with different requirements that must be carefully considered. Coverage for these losses is commercially available but is not automatic, and careful review of the terms and conditions with legal or insurance experts is advised.