Interesting in the light of other similar services used in the privacy domain.
In an announcement today, Europol says that the cybercrime service operated through two websites, gogetsms.com and apisim.com, which have been seized and now display a law enforcement banner.
I was actively seeking out privacy options for mobile internet, but I knew nothing about the service that was exposed this time. After looking into it, I found it was being advertised on several hacker forums.
Their exposure might have involved something beyond simply providing SIM/SMS services for privacy aspects. For example, there could have been links to criminal organizations in their funding sources, or their SIM procurement methods might have been illegal.
I hate that these kinds of stories are going to be used to justify ID registration to buy a prepaid SIM card. The SIMCartel was linked to human trafficking so I’m glad they got caught, but I really hope services like SMSPool don’t get shut down because of bad actors like this.
So what’s the real difference between those shut down services and SMSPool? They basically offer the same thing. What’s stopping criminals from using SMSPool too and does this mean all similar services might get taken down eventually?
That’s a real worry. The main difference is SMSPool only allows receiving an SMS verification code one time. It doesn’t allow you to send SMS or use a number as permanent identification, since any further codes sent to the number will be inaccessible to you.
At the same time, it seems police think using this is a crime in itself, which is worrying.
Legally, SMSPool might be safe since they don’t operate the SIM farms themselves. But operators wouldn’t be.
You could also say that them getting caught shows it isn’t that easy.
Personally, I operate under the assumption that SMSPool or any other service is shady in some form. If you use it, fine. But remove the phone number as a 2FA method; I wouldn’t trust that the number isn’t going to be resold.
Why would you assume they are shady? And shady in what way?
I 100% subscribe to the idea that phone numbers should be removed as a 2FA option, in that nobody should use their phone number as a 2FA method.
Unfortunately, it’s not that simple.
First, many services require that you share your phone number in order to create an account, let alone enable 2FA via other methods (TOTP Token / Yubikey). So at the very least, you need a phone number to set up these methods.
Can you remove or stop using these numbers later on? Sure. But you should probably wait a while. At least a month. I made the mistake of losing my SMSPool number after I enabled 2FA via authenticator app, and my account was locked within 48h.
There are valid reasons for the phone number requirement
Although I don’t believe for a second that your account security is the only or even the primary reason websites require a phone number to enable other types of 2FA, there is some validity in that requirement.
The truth is, if most websites allowed you to enable 2FA without using a phone number, and people got locked out of their accounts because they lost their YubiKey or their phone with their authenticator app, they would blame the website for not having alternative methods to access their accounts. Even though IMO they would be in the wrong, it would still likely spark a lot of backlash.
Authenticator apps used to suck
For a long time, most 2FA apps did not have cloud backup and could not sync across devices, which means you could only have them on one device, and losing it or access to the app meant losing access to your accounts. I also don’t get the impression that the most popular 2FA apps are apps that can sync. That needs to change.
If we lived in a time when buying a prepaid SIM card in most countries didn’t require ID registration, I would probably have less of an issue with websites requiring a phone number. But that world is gone.
The solution: give multiple loud warnings
IMO, websites should allow creating an account and enabling 2FA without a phone number, with a caveat. They warn you multiple times that if you lose your YubiKey / recovery codes / device with 2FA tokens, you risk losing access. Let people understand the risks and accept them.
Also give them some recommendations to back up their tokens. Tell them to use an app that syncs across devices, like Ente. Tell them to write down their recovery codes not just in their password manager, but physically in a secret notebook that is stashed securely.
Because I tried using it for Amazon registration. Didn’t work. Amazingly, when I used the phone number to log in, I had access to someone else’s Amazon account.
It might have been that the provider created accounts in advance, or that someone else already used the account.
I suspect it is common for some of SMSPool’s numbers to fail when you try to register an online account with them. But if a number doesn’t work, they always refund you if you ask. It’s practically automatic. You just click the refund button. What I surmise happens is that websites remember the numbers that fail. They probably remember them for weeks or months. This means that when a new person tries to use a number that previously failed it automatically gets flagged.
SMSPool’s support team told me that they do not re-use numbers. Meaning that once a user is done with a number, SMSPool can no longer use that number. It will eventually get reassigned to the world. From my experience, it takes months for a phone number to stop working and get reassigned to someone else.
I personally think it’s a terrible idea for websites to use phone numbers as usernames to log in. But even if they do that, you shouldn’t be able to log in with someone else’s number if you don’t know their password.
We are fully compliant with the law, and unlike most SMS providers, our service is not offshore which means if we don’t comply with the law there could be consequences for us. To prevent abuse, we do not allow financial services to be verified on our services. Law enforcement can also contact us at any time.
We’ve been offering non-VoIP long-term rental phone numbers for years; users can renew them monthly and ultimately it’ll be their permanent number.
https://www.smspool.net/article/long-term-rental-frequently-asked-questions
I was talking about one-off verification codes.
This would be because the carrier recycled the phone number long before we obtained the phone number.
“Do you sell numbers twice for the same service?
No, we never sell the number twice for the same service. Nor do we rotate them after a time; we update our phone numbers daily and there’s a chance that the carrier recycled the phone number after 6 months, which we have no control over. In this case you’re always free to open a ticket to refund the phone number.”
We’re sorry to hear you had a bad experience. If you’d like a refund for that specific number, please open a ticket here (help.smspool.net).
Do you even have control over all the providers?
You’re correct regarding sending SMS; however, we do offer long-term rentals, which can be used permanently as long as the user renews.
All of our on-site number pools other than the Charlie pool are our own suppliers.
Bad news.
I see. It might have been Charlie then.
To be fair, I am not saying you are 100% shady, but I do consider any such online service to potentially be so, and I act accordingly.
It’s not possible to pre-check our phone numbers for every single service we offer, regardless of the pool.
If a carrier recycles a number 3-6 months before we obtain it, there’s nothing we can do. We will always refund used numbers, provided the user supplies the phone number in text format and a screenshot of the website or service stating this.