Moment For Technology

Actual problem series: the company SMS interface is attacked, how to prevent

Posted on Dec. 3, 2022, 8:12 a.m. by 王家豪
Category: The back-end Tag: The back-end

This is the third day of my participation in the August More text Challenge. For details, see:August is more challenging

With QQ, the role of short messages after wechat seems to have no special use for individuals, usually the communication between friends is through wechat (also have QQ), gradually dilute the use of short messages. But as developers we will touch the SMS platform.

The use of SMS now:

  • Website and APP security verification (registration, login, password change, etc.)
  • AD push harassment
  • Birthday wishes (from finance, insurance, bank)
  • An apology channel after an angry girlfriend blocks wechat/phone call
  • And those who believe in selling goods A (read the end of the article for those who are interested)
  • .

At present, Ali Cloud, Baidu Cloud and Tencent Cloud all have their own SMS platforms, which are also integrated into our system. Once our official environment system was configured with one of the SMS platform, which has been running for two years.

During recent use, there was a malicious sending of tens of thousands of messages (better to turn on the daily maximum limit on the platform, we didn't).

Part of our SMS interface is public (forget the password and registration function), and we can directly call the API without authorization. In addition, we also do some frequency control in our system, but there is no restriction of IP.

How on earth can a SMS function be developed to be safe?

Bottom line: There is no real security on the Internet. Security is a relative matter of raising the cost to the attacker as high as possible.

Novice: only consider can send, research SMS platform interface documents, write code debugging, finally can normally send SMS. Write business related code, related information storage cache, waiting for verification, a SMS function development is completed.

Veteran: study SMS platform interface document, write code debugging, can normally send SMS. Continue to encapsulate the SMS interface, and add frequency control such as SMS sending interval, verification code expiration time, sending limit on the same account, and number limit interval. Configuration is as follows

      Expiration time of SMS verification code (minutes)
      expire: ${SMS_EXPIRE:5}
      # Verification code send interval (seconds)
      interval: ${SMS_INTERVAL:60}
      # Limit on sending times from the same account
      limit-time: ${SMS_LIMIT_TIME:10}
      # Interval time (time) for frequency limit
      limit-interval: ${SMS_LIMIT_INTERVAL:12}
Copy the code

There will be an increase in interface call IP restrictions (to prevent the same IP call interface frequently), and then write business code, complete the development.

You can also filter some invalid SMS messages sent, such as:

1. Mobile phone number verification: Unqualified mobile phone number will not be sent, can use Google's component inspection, domestic and foreign mobile phone number can be verified.

Copy the code

2. Registration function: The existing ones in the system will not be sent. It will check whether the phone number is registered when sending short messages, rather than check when the data is really registered and submitted.

3. Change the password: The password that does not exist in the system is not sent. When sending the verification code, check whether the mobile phone number is the user in the system.

The above scheme only does frequency control to the same phone number and IP, but if the attacker uses constantly changing IP to send text messages to different phone numbers, then the waste of text messages and the harassment of users cannot be avoided.

To solve this, use graphical or behavioral captcha

Graphic verification code is simple, and do not need to spend money, their own development program can be achieved, the effect is as follows

It's visually taxing and requires additional user input, not a great experience, and it's easy for the machine to recognize and parse the text. If you want to increase the difficulty of machine recognition, you need to increase the blur of the picture, so the user error rate is higher, the experience is worse.

Behavior type verification code to this have to mention the holidays to buy tickets to make people crazy 12306 picture verification, this is a kind of touch, as follows

The more commonly used solution is drag-and-drop, as follows

This experience is much better than graphics, more convenient and beautiful, the background picture can also be used for advertising.

The core idea of behavioral verification is to use the "behavioral characteristics" of users to make verification safety discrimination, and to analyze a lot of human behavioral characteristics through machine learning and deep learning. Establish a security model to distinguish between human and machine programs. The neural network constructed by deep learning can continuously learn autonomously and continuously learn new feature analysis in the process of continuous verification (source: Baidu Baike)

General enterprise does not have this ability, need to spend money to buy

Want to spend the money can also be achieved by cutout simple slider, the server record the position of the slider cutout on the images on the edge of the distance, the original image and the slider to the front, the front after user sliding of the sliding distance to the server, the server by comparing the distance of the user drag the slider to verify whether it is right (security).

And the API adds traffic limits


  1. Frequency control, increaseInterval for sending SMS messages.Expiration time of the verification code.Same account sending limit.The interval for the frequency limitControl.
  2. Increase the frequency of IP interface calls.
  3. Check to avoid unnecessary interface calls, such asVerify the format of mobile phone number.Registration function: The system does not send existing information.Change password: The password that does not exist in the system is not sent
  4. Added behavioral captcha.
  5. Current limiting

"Or that sentence, there is no absolute security, security is a contest between attack and defense."

About (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.