PHP
LazarusNucleros, 2020-05-08 19:53:38

How to implement "protection" of authorization by phone number?

Hello everyone

There is a site to which I want to add authorization / registration by phone number (following the example of this site).
That is, the user enters the phone number, submits the form, enters the code received by SMS and lands in his profile.
To send the SMS, I plan to use some service with an adequate API.
But one question arises: how could this authorization form be "protected" from excessive use for "hooligan" purposes (re-sending the SMS a bunch of times to 1 number, to different numbers, including non-existent ones)?

After all, for each SMS sent, funds are withdrawn from the balance, and we would not like to spend them in such a stupid way.

All the ideas that come to mind one way or another do not provide the proper level of protection against such actions.

Thanks in advance for your replies.


1 answer(s)
Vamp, 2020-05-08
@LazarusNucleros

1. Check whether the phone number is syntactically correct. All mobile numbers in Russia start with +79 and are exactly 11 digits long. Validation can even be added to the web form at the JS level. It is not exactly hooligan-proofing, but it will weed out real errors and typos, making life easier for regular users.
2. Look the number up in the Rossvyaz database (the DEF-9xx file). That way you identify the numbers to which an SMS will 100% not be delivered. Unlike the syntax check, do not give the user an "invalid number" response. Reply to all numbers with "One-time code sent, enter it here", but do not send a message to invalid numbers.
3. Add a limit on the number of forms submitted per minute from one IP and on the number of messages sent to the same number (regardless of IP).
4. Estimate how many forms can be submitted per day and put a total limit on all SMS sent per day. This is the only real way to control a budget-drain attack. Yes, real users will suffer when the limit is reached, but you should not let it come to that: set up monitoring of the number of sent SMS and alerting when the threshold reaches 90% of the limit, so that you have time to react to the attack and repel it before the limit is completely exhausted. Or, if it is a surge of real users (for example, an unexpectedly successful reaction to an ad), you will have time to adjust the limit. You can calculate the limit as 2 * the average number of SMS sent over the last X days, so that you do not have to edit it manually as attendance grows naturally. Of course, you can choose the formula and the alerting percentage according to your requirements.
Separately, I want to talk about the so-called direct mobile numbers. They look like city phones (for example, +7495), but in reality they are mobile and can receive text messages. The check in point 1 rejects such numbers, and there is no way to check whether a given city number is a direct mobile number without sending an SMS. There are few direct numbers compared to real mobile or real landline numbers. In addition, each direct number has a mobile counterpart starting with +79, which the user can use to register. Therefore, I propose to simply forget about direct numbers, and in case of complaints about the impossibility of registering with a direct number, point to the existence of the mobile counterpart.
A mandatory email requirement will not strengthen the protection scheme, since it is not a problem to mass-produce real addresses with a script that automatically clicks the confirmation links in incoming emails.
An alternative option is to rent an incoming number. In this case, you do not send messages to users; they send them to you. Usually a fixed monthly fee is charged for an incoming number, regardless of the number of SMS, so you do not have to worry about the budget at all. But then you will lose the users who have the SMS service disabled. And there are many of them, I can tell you. Thanks to internet messengers.
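The four points above combined into one gate in front of the SMS API, as an added PHP example (not the answer author's code): the `$deadPrefixes` list is a constructed stand-in for the real DEF-9xx range lookup, and the counters are kept in memory for the sake of the example.

```php
<?php
// Added example, not code from the answer: points 1-4 as one gate in front of the
// SMS API. Counters live in arrays here; a real site keeps them in Redis or a DB.
final class SmsGate
{
    private array $ipHits = [];   // ip => request timestamps within the last minute
    private array $numHits = [];  // number => requests seen today
    private int $sentToday = 0;
    public bool $alerted = false; // flips at 90% of the daily cap (hook monitoring here)
    public function __construct(
        private array $deadPrefixes,   // constructed stand-in for the DEF-9xx lookup
        private int $dailyCap,         // e.g. 2 * average daily volume (point 4)
        private int $perIpPerMinute = 3,
        private int $perNumber = 3,
    ) {}
    /** Point 1: a Russian mobile number is +79 plus nine more digits (11 digits). */
    public static function isSyntaxValid(string $number): bool
    {
        return preg_match('/^\+79\d{9}$/', $number) === 1;
    }
    /** Returns the text to show the user; $send tells the caller whether to call the SMS API. */
    public function request(string $number, string $ip, int $now, bool &$send): string
    {
        $send = false;
        if (!self::isSyntaxValid($number)) {
            return 'Invalid phone number';   // a typo check, so the honest reply is fine
        }
        // One reply for every other outcome, so a probe cannot tell which branch it hit.
        $uniform = 'One-time code sent, enter it here';
        // Point 3: per-IP sliding minute and per-number count, charged before anything else
        $this->ipHits[$ip] = array_filter($this->ipHits[$ip] ?? [], fn ($t) => $t > $now - 60);
        $this->ipHits[$ip][] = $now;
        $this->numHits[$number] = ($this->numHits[$number] ?? 0) + 1;
        if (count($this->ipHits[$ip]) > $this->perIpPerMinute || $this->numHits[$number] > $this->perNumber) {
            return $uniform;
        }
        // Point 2: DEF code (the three digits after +7) not in service -> same reply, nothing sent
        if (in_array(substr($number, 2, 3), $this->deadPrefixes, true)) {
            return $uniform;
        }
        // Point 4: hard daily budget plus early warning at 90%
        if ($this->sentToday >= $this->dailyCap) {
            return $uniform;
        }
        $this->sentToday++;
        $this->alerted = $this->alerted || $this->sentToday >= (int) ceil($this->dailyCap * 0.9);
        $send = true;
        return $uniform;
    }
}
```

Call `request()` on every form submission and talk to the SMS provider only when `$send` comes back true; the per-number and daily counters are meant to be reset once a day.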
