From Web 2.0 to the mobile Internet era, more and more product features have come to rely on SMS verification: registration, login, password recovery, payment, and so on. The short message service (SMS) has become one of the most important pieces of technical infrastructure. Because of this importance, more and more malicious attacks are aimed at the SMS interface, and many teams have been tripped up by it. So today I will go through the common measures for preventing SMS attacks, for your reference.


One. Authentication


1. Bind an image CAPTCHA to the SMS verification code. After entering the mobile phone number, the user must enter the image CAPTCHA, or solve a simple problem shown in the image (for example, 25 + 1 = ?), before the SMS can be triggered. This is more effective at preventing automated clicking by malicious software.

2. Click (touch) verification: the user must select the specified icons or text. A typical case is the 12306 train ticket site. In particular, it does hurt ordinary users somewhat when they are asked to pick out obscure items. -_ -!

3. Sliding verification: currently the increasingly popular approach, which verifies mainly by having the user drag a slider with the mouse.

Ordinary image CAPTCHAs are easily cracked by all kinds of automated brute-force recognition, whereas sliding verification checks the mouse drag action itself, which cannot be satisfied simply by submitting data, so it prevents mechanical cracking.

For the above three practices there are open source libraries to use as a reference, which can be adapted to your own situation.


Two. Business process limits


Block attack scripts by designing the business flow appropriately, for example in the following two scenarios:

1. Split the process into two parts: perform the business operation first, then the SMS verification. For example, separate mobile phone SMS verification from user name registration into two steps: after the user successfully registers a user name and password, the next step is SMS verification of the phone. In short, the SMS cannot be triggered without the new user's identity information.

2. Require relevant information to be filled in before the SMS can be triggered. For example, all registration fields must be completed before the SMS message is sent.




Three. Trigger limits


By detecting and limiting abnormal user behavior, the triggering of SMS messages can be controlled in the following three ways:


1. Set a sending interval: a minimum interval between repeated messages to the same number.

2. Limit triggers per IP address: set a maximum number of messages that can be sent from each IP address per day.

3. Set a maximum number of messages that can be sent to each mobile phone number per day.

In addition, include an unsubscribe instruction in the verification code text, for example "Reply TD to reject" or "Reply TD to unsubscribe". When a non-user receives an SMS triggered by someone else and replies TD, the platform adds that number to a denial list and stops sending messages to it.
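The three trigger limits above and the TD denial list, combined into a single check that runs before the SMS gateway is called. This is an added example, not code from the original post; the threshold values, the in-memory counters and the names `SmsTriggerLimiter` and `try_send` are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (constructed for this example; tune per product).
MIN_INTERVAL_S = 60          # minimum seconds between sends to the same number
MAX_PER_PHONE_PER_DAY = 10   # daily cap per mobile number
MAX_PER_IP_PER_DAY = 20      # daily cap per source IP address
DAY_S = 24 * 3600            # sliding 24-hour window


class SmsTriggerLimiter:
    """Decides whether an SMS verification code may be sent.

    Checks, in order: denial list (numbers that replied TD), minimum
    resend interval per number, daily cap per number, daily cap per IP.
    Counters live in process memory here; a real deployment would keep
    them in a shared store (e.g. Redis) so every app server sees them.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.denied = set()                 # numbers that replied TD
        self.last_sent = {}                 # phone -> time of last send
        self.by_phone = defaultdict(deque)  # phone -> send times in window
        self.by_ip = defaultdict(deque)     # ip -> send times in window

    def _prune(self, q, now):
        # Drop send times that fell out of the sliding 24-hour window.
        while q and now - q[0] >= DAY_S:
            q.popleft()

    def unsubscribe(self, phone):
        """Called when the number replies TD: block all future sends."""
        self.denied.add(phone)

    def try_send(self, phone, ip):
        """Return (allowed, reason); records the send only if allowed."""
        now = self.clock()
        if phone in self.denied:
            return False, "denylist"
        last = self.last_sent.get(phone)
        if last is not None and now - last < MIN_INTERVAL_S:
            return False, "interval"
        self._prune(self.by_phone[phone], now)
        if len(self.by_phone[phone]) >= MAX_PER_PHONE_PER_DAY:
            return False, "phone_daily_cap"
        self._prune(self.by_ip[ip], now)
        if len(self.by_ip[ip]) >= MAX_PER_IP_PER_DAY:
            return False, "ip_daily_cap"
        # Every check passed: record the send, then call the real gateway.
        self.last_sent[phone] = now
        self.by_phone[phone].append(now)
        self.by_ip[ip].append(now)
        return True, "ok"
```

The `reason` string is worth logging: a spike in `ip_daily_cap` or `phone_daily_cap` rejections is the simplest signal that an SMS bombing attempt is under way.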


In addition, if you run into a tricky SMS attack problem, you can leave me a message and we can discuss it.

