Recycling Numbers on Twilio

We’ve been getting busy on Twilio recently working on our SE Honeypot project. It’s a wonderful platform, everything is placed where it feels it should be, some complex IVR tasks can be made in a drag and drop fashion – if you’ve not used Twilio, it’s commercial communication that’s easier than Scratch.

Our project needs to be able to acquire about 50 UK mobile phone numbers and with that simple requirement I head over to the pool of numbers that are available for purchase.

The pool consists of thousands of numbers issued to Twilio by Three U.K. so they have a good range. After a rather seamless checkout, the numbers are configured to process incoming SMS and calls.

Everything was nearly complete, but when I opened WhatsApp on my own device I noticed the numbers already had accounts associated with them. These were not dormant accounts from historical mobile phone users either – the accounts were online recently.

If I was to be associated with these numbers, it was important I could claim the messengers enabled by the phone number, which was now in my control.

But it wasn’t so easy…

Reclaiming WhatsApp Try 1

I set up two Android test devices and check I can receive SMS messages that are sent to the numbers I want to reclaim. My ‘testing123’ message is received, so I then requested the reset code from WhatsApp… I wait… nothing…

It seems that Twilio have an entire process for registering WhatsApp to the phone number and if I want to use that number with WhatsApp I have to register it via the sign up form. The website states:

To start using WhatsApp Business API with Twilio in production, you need to enable your Twilio numbers for WhatsApp. We’ll use the information in the form below to assist you with onboarding. You will need your Facebook Business Manager ID to initiate a request authorizing Twilio to message on your behalf. Read our docs for details on how to get this info.

Reclaiming WhatsApp Try 2

Never one to be detoured, I set up a call answering process using Twilio Studio, which took about 30 seconds. I mean, look at it. If you can’t design useful stuff on here you need crayons.

I then got WhatsApp to call me instead of sending an authorisation SMS. I’m not sure why exactly the SMS didn’t work: either this is blocked by Twilio as per their sign up process, or it’s from an alphanumeric sender ID, which isn’t supported by Twilio.

The whole process was now set up and I could start to reclaim the WhatsApp accounts, set a blank profile image and add them to our project.

But…

OK, nothing to see here.

Almost all of the accounts are Urdu/Arabic. I don’t know why this is…

In total about 12 WhatsApp accounts were reclaimed.

A Problem?

Account recycling is part and parcel of running a telecoms company; in no way should this observation be a knock on Twilio. Mobile numbers are recycled daily on all UK networks. But more could be done on cleansing these numbers before sale. Twilio should take ownership of the WhatsApp account and blank it out before reselling the number.

The issue that is worth considering though is how this could enable fraudsters. Now anyone in the world with a credit card can obtain a UK phone number, register an account on WhatsApp and be on their way.

I personally find it curious how none of the +44 numbers purchased used English. That isn’t to sound like some racist either, with rhetoric about ‘foreigners coming over here tekkin all our WhatsApp accounts’; it’s just not what I’d expect from 12 random UK numbers, bearing in mind just 1.3% of the UK population speak either Punjabi, Urdu or Arabic.

The issue has been reported to Twilio, but they might decide this is just part and parcel of number allocation and if they do, they are probably right. What would be good though is to remove the accounts in no man’s land.

The lost accounts that have active WhatsApp users but no real owner.