Preface

I recently ran into the problem of preventing SMS verification codes from being abused (the "SMS bombing" problem), and I believe many of you have run into it too. So here is a summary on "preventing SMS verification codes from being stolen and abused".

1. What is the SMS verification code?

1. What is the SMS verification code?

An SMS verification code is a verification system that delivers one-time codes to mobile phones.

Some captcha providers offer a mobile SMS verification code service. A website sends a request through the provider's interface; the provider's server sends random digits or letters to the user's phone and then verifies the code the user enters, so verification is handled centrally by the provider.

Put more plainly: on some website or app you can have a text message containing a numeric or alphabetic code sent to your mobile phone number. For example, when you log in to an app, you can log in with an SMS verification code instead of a password.

2. What are the applicable scenarios of the SMS verification code?

1. Registration verification

Registration verification is the most common application scenario of SMS verification codes. During registration, the customer enters a mobile phone number as required by the system, and the system sends a dynamic verification code to that number. After receiving the code, the user enters it in the specified field to complete registration. This effectively prevents malicious and repeated registration.

2. Information change

When a user changes personal account information such as the password or mobile phone number, the system requires the change to be verified by SMS, to ensure that the modification is made by the account owner and to protect the user's information and property. For example, in a banking system, when entering the personal account page to view personal information, you must pass verification before the relevant page opens.

3. Retrieve the password

To keep accounts secure, most users set complex passwords, and some systems grade password strength to push users toward more complex passwords. However, the more complex a password is, the easier it is to forget. Many browsers and mobile operating systems can remember passwords for automatic login, but such records have a time limit; once it expires you must enter the password manually, and because it is rarely typed, it is often forgotten. With a verification code function, you only need to have a code sent to the bound mobile phone number to reset the password. The operation is simple and quick.

4. Dynamic login

Nowadays, many websites with high security requirements, or with serious account-theft problems, require dynamic verification at login. That is, each time you log in, you must obtain an SMS verification code from the system and enter it correctly before you can enter. Examples of the former are the apps of the three major carriers, China Unicom, China Mobile and China Telecom. Examples of the latter are large game websites, which are a favourite target of criminals who profit from stealing accounts, because in-game wealth, and even the characters themselves, can be converted to cash.

These are the four most common application scenarios of SMS verification codes on major website systems. In addition, SMS verification codes play an important role in online voting, questionnaires, lottery promotions and other special scenarios that need to enforce one person, one vote.

2. Why protect the SMS verification code?

SMS verification codes are a basic requirement of apps and websites, and they are often maliciously exploited by attackers for SMS bombing. The screenshot below (picture from the Internet) shows what this looks like.

If the SMS verification code interface and page are not restricted, attackers can easily use SMS bombing software to hit the interface and repeatedly send verification code messages to the same number or to N numbers.

SMS verification code attacks not only harass users and generate complaints, but also drain your SMS balance and damage your brand image. If SMS interface protection is not done properly, once attacked you will face many unnecessary losses.

3. What are the common means of protection?

Before introducing the means of protection, we need to understand the common ways SMS verification codes are abused.

1. Attacks that use the SMS verification code to bomb a mobile phone number

In this kind of attack, the attacker uses the SMS interface of a website to bomb a target mobile phone number. The attacker first collects the SMS interfaces of a number of undefended websites on the Internet, sets the mobile phone number to be attacked, and then sends SMS verification code requests to the backend while imitating a normal user, so that the target number is flooded. This kind of attack generally does not hammer the same website intensively, so ordinary means of protection are enough to defend against it.

2. Attacks whose purpose is to maliciously burn the target website's SMS fees

The main purpose of this kind of attack is to burn through the target website's SMS budget. Building on the first type, the attacker keeps changing interface parameters such as the mobile phone number and the IP address (using high-anonymity proxies) when requesting the backend to send SMS verification codes, so the backend cannot tell whether the user is genuine. The target of the attack is clear and it is difficult to defend against: simple measures are basically ineffective because the IP and the mobile phone number keep changing. Product designers need to pay special attention to this kind of attack early in product design.

Here are some common responses to attackers.

1. Add front-end verification codes

A common method is to require a front-end captcha before the SMS verification code can be requested. Attackers generally use automated attacks; once a captcha is added, the attacker can only send simulated user requests after the captcha has been solved.

Common front-end verification codes are as follows:

(1) text-input captchas

(2) slider captchas

(3) click-to-select captchas

2. Limit requests for a single mobile phone number

Limiting the number of codes a single mobile phone number can receive per day prevents unlimited sending to one number, and enforcing a minimum interval between sends effectively prevents manual abuse. The daily limit can be chosen according to the characteristics of the platform; generally about 10 verification codes per day. The interval between sends to the same number is usually 60 seconds. The front end and the back end must enforce the same limits.

3. Limit requests from a single IP address

Limiting the number of distinct mobile phone numbers that a single IP address may send to effectively prevents many numbers from being abused from one IP address, and a cap on total sending volume stops a malicious attacker from cycling through different numbers under the same IP. Set a threshold for the maximum number of SMS messages based on the actual situation of the platform; once it is exceeded, no more SMS messages are sent.

4. Restrict the authenticity of mobile phone numbers

Check the validity of entered mobile phone numbers and reject malformed and invalid numbers before sending.

5. Encrypt outgoing parameters

In addition, a token is used as a unique identifier for the request. The backend generates the token with an algorithm and injects it into the front end; the front end obtains the token according to the agreed rules and includes it when calling the SMS verification request interface. Only after the backend has validated the token is the SMS sent.
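As an added example (not code from the original post), here is how methods 2 to 4 above fit together in a single backend check: a per-number daily cap and 60-second interval as stated in the article, a per-IP cap on distinct numbers, and a number validity check. The per-IP threshold, the number format (mainland China 11-digit mobile numbers) and the in-memory store are assumptions; a real deployment would keep these counters in a shared store with a TTL.

```python
import re
import time
from collections import defaultdict

# Values from the article: ~10 codes per number per day, 60 s between sends.
MAX_PER_NUMBER_PER_DAY = 10
MIN_INTERVAL_SECONDS = 60
# Assumed threshold for distinct numbers per IP per day; tune per platform.
MAX_NUMBERS_PER_IP_PER_DAY = 20
# Assumed validity rule: mainland China mobile number, 11 digits, 1[3-9]...
PHONE_RE = re.compile(r"^1[3-9]\d{9}$")
DAY = 86400


class SmsSendGuard:
    """Decides whether an SMS verification code may be sent for (phone, ip).

    Call only after the front-end captcha (method 1) has passed.
    """

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.sends = defaultdict(list)      # phone -> timestamps of sends
        self.ip_seen = defaultdict(dict)    # ip -> {phone: last send time}

    def _prune(self, phone, ip, now):
        # Drop records older than one day so daily limits roll over.
        day_ago = now - DAY
        self.sends[phone] = [t for t in self.sends[phone] if t > day_ago]
        self.ip_seen[ip] = {p: t for p, t in self.ip_seen[ip].items()
                            if t > day_ago}

    def check(self, phone, ip):
        """Return (allowed, reason); records the send when allowed."""
        if not PHONE_RE.match(phone):           # method 4: validity
            return False, "invalid_number"
        now = self.now()
        self._prune(phone, ip, now)
        history = self.sends[phone]
        if history and now - history[-1] < MIN_INTERVAL_SECONDS:
            return False, "too_soon"            # method 2: interval
        if len(history) >= MAX_PER_NUMBER_PER_DAY:
            return False, "daily_limit"         # method 2: daily cap
        seen = self.ip_seen[ip]
        if phone not in seen and len(seen) >= MAX_NUMBERS_PER_IP_PER_DAY:
            return False, "ip_limit"            # method 3: numbers per IP
        seen[phone] = now
        history.append(now)
        return True, "ok"
```

Returning a distinct reason lets you log and alert on the "ip_limit" case separately, since that is the signature of the second attack type rather than of an ordinary user retrying.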

4. Are these protective measures useless? How to choose?

1. The first method is the most common and effectively raises the attacker's cost, but user experience must be taken into account at the same time. Against the first type of attack, the attacker will generally give up on such a site directly, but there is no guarantee that an attacker of the first type will not add your site to his bombing library anyway, since captcha-solving platforms are quite cheap. Against the second type of attack it is futile.

2. The second to fifth methods can be used in combination with the first. But many people assume they can relax once the first method is in place, not realising it has already been bypassed. The later methods do effectively improve protection in some respects.

At this point someone says: sending one SMS verification code needs all this fuss? It's exhausting.

And someone asks: blogger, is there a better way to solve this problem? Is there an SMS service that doesn't require me to write so much code to protect against abuse?

The answer, of course, is yes.

Someone has developed an SMS firewall specifically for protecting SMS verification codes. It protects every SMS in real time and intercepts most malicious attack requests.

So someone asks: how is this SMS firewall different from the measures above? Isn't it just all of them bundled together?

Of course not. This SMS firewall is built to payment risk-control standards. It also has the following characteristics.

  1. It distinguishes normal user requests from automated simulator attack scripts and intercepts simulator scripting attacks.
  2. It distinguishes each device and applies protection policies per device. When attacked, only the attacking device is intercepted; normal user devices are not affected.
  3. It distinguishes old and new users and ensures that the services of old users are not affected by attacks.

To be honest: however you choose to defend, with this you don't need to think about it, don't need to consider so much, and don't need to write so much code.

Here's an example I tested myself. If you want to try it out, you can contact me by private message.

5. Conclusion

That is the end of this article. Thank you for stopping by to read; please follow and like ~

Thank you, everyone!

Author: Sweet taro taste cat
