How to prevent the SMS interface from being maliciously invoked and attacked, so that verification code SMS are not swiped?

Preface

I recently encountered a problem about preventing SMS verification codes from being swiped. I believe many friends have also encountered this problem of being swiped. Therefore, I am writing up a summary and sharing it on "preventing verification code SMS from being swiped".


1. What is the SMS verification code?

1. What is an SMS verification code:

An SMS verification code is a verification mechanism that works by sending a code to the user's mobile phone.

Some verification code providers offer mobile phone SMS verification code services: each website sends a request to the provider's server through an interface, the server sends a random string of digits or letters to the mobile phone, and the provider's server then performs the verification of the code centrally.

In plain terms, a text message containing a numeric or alphabetic code is sent to the mobile phone number you entered on a website or app. For example, many apps let you log in with an SMS verification code.


2. What are the applicable scenarios of SMS verification codes:

1. Registration verification

Registration verification is the most common application scenario for SMS verification codes. During registration, the customer enters a mobile phone number as the system requires, and the system sends a dynamic verification code to that number. After receiving the code, the user enters it into the specified field to complete the registration verification. This effectively prevents malicious registration and duplicate registration.

2. Information changes

When a user modifies personal account information such as the password or mobile phone number, the system requires SMS verification before applying the change, to confirm that the operation is performed by the account owner and to protect the user's information and property. For example, in banking systems, you must pass verification before the page showing personal account information will open.

3. Retrieving the password

For account security, most users set fairly complex passwords for their accounts, and some systems also rate password strength to urge users to set more complex passwords. However, the more complex a password is, the easier it is to forget. Many browsers and mobile phone systems can now remember passwords for automatic login, but this memory has a time limit; once it expires you still have to type the password manually, and because it is rarely typed it is easily forgotten. With a mobile phone verification code function, you only need to have a verification code SMS sent to the bound mobile phone number, and after obtaining the code you can change the password. The operation is simple and fast.

4. Dynamic login

Nowadays, many websites with high security requirements, or with serious account theft problems, require dynamic verification at login: every time you log in, you must obtain a verification code SMS from the system and enter the correct code to get in. Examples of the former are the apps of China Unicom, China Mobile and China Telecom. Examples of the latter are the various large game websites, which are a favourite target of criminals who profit from account theft, because the characters in large games hold valuable assets and the characters themselves can be converted into cash through certain operations.

The above are the four most common application scenarios for SMS verification codes in major website systems. In addition, SMS verification codes play an important role in scenarios where "one person, one vote" must be guaranteed, such as online voting, questionnaire surveys, and lottery interactions.

2. Why protect SMS verification codes?

As a basic requirement for apps and websites, SMS verification code interfaces are often abused by hackers for SMS bombing. For a concrete case, see the screenshot below (picture from the Internet).

If there are no restrictions on the SMS verification code interface and page, hackers can easily use SMS bombing software against the interface and repeatedly send verification code SMS to the same number or to N numbers.

An attacked SMS verification code interface not only causes harassment of and complaints from users, but also wastes your SMS balance and damages the brand image. If the SMS interface is not protected well, once it is attacked you will face many unnecessary losses.

3. What are the common protection methods?

Before introducing protection methods, we need to understand the common ways in which SMS verification is abused.

1. Swiping the SMS verification code with the aim of attacking a mobile phone number

In this type of attack, the attacker uses the SMS interface of a website to bomb a target mobile phone number with SMS. The attacker first collects the SMS interfaces of many unprotected websites on the Internet, sets the target mobile phone number while imitating a normal user, and sends verification code requests to the backend in a loop, so that the target number is flooded. This type of attack is generally not sent through a single website, and the general protection methods are enough to defend against it.

2. Attacks aimed at maliciously draining the target website's SMS fees

The main purpose of this type of attack is to drain the SMS fees of the target website. Building on the first type, the attacker continuously changes interface parameters such as the mobile phone number and the IP address (using high-anonymity proxies) and requests the backend to send verification codes. Because the backend cannot tell whether the user is genuine, the SMS are swiped maliciously. The target of the attack is specific and it is difficult to defend: since the attacker keeps changing IPs and mobile phone numbers, simple measures are basically ineffective. Product designers especially need to take this type of attack into account during early product design.

The following are some common countermeasures against such attackers.

1. Add a front-end graphic verification code

A common method is to require a graphic verification code before the SMS verification code can be requested. Attackers generally rely on automated tools; once a graphic verification code is added, the attacker must first recognise and pass it before the request can be sent as if by a user.

The common front-end verification codes are as follows:

(1) Input type

(2) Sliding type

(3) Click type

2. Request limits on a single mobile phone number

Limiting the number of SMS a single mobile phone number can receive per day prevents unlimited swiping of SMS to one number. Setting a minimum interval between sends is also effective against manual swiping. The number of SMS allowed can be set according to the characteristics of the platform. Generally, about 10 verification codes per day are allowed per number, and the interval between sends to the same number is usually 60 seconds; the front end and back end must enforce the same values.

3. Request limits on a single IP

Limiting the maximum sending volume from a single IP effectively prevents many phone numbers being swiped from one IP. This limit stops a malicious attacker from swiping SMS verification codes to different mobile phone numbers from the same IP. Design a threshold for the maximum number of SMS per IP according to the actual situation of the platform; once the threshold is exceeded, no more SMS are sent.

4. Checks on the authenticity of mobile phone numbers

Check the validity of the entered mobile phone number, and block invalid and malformed mobile phone numbers.
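As an added example (my own code, not from the original post), the following backend guard combines methods 2, 3 and 4 above: a 60-second resend interval and a cap of 10 codes per number per day (the figures given in the article), an assumed cap of 50 sends per source IP per day, and a format check for mobile numbers (assumed here to be 11-digit mainland China numbers). The counters are kept in memory for illustration; a real deployment would keep them in a shared store such as Redis so every backend instance enforces the same limits.

```python
import re
import time
from collections import defaultdict
from typing import Optional, Tuple

# Limits modelled on the figures in the article. MAX_PER_IP_PER_DAY is an
# assumed value; tune it to the platform's real traffic.
MAX_PER_PHONE_PER_DAY = 10
RESEND_INTERVAL_SECONDS = 60
MAX_PER_IP_PER_DAY = 50

# Assumed numbering plan: mainland China mobile numbers (11 digits, 13-19 prefix).
PHONE_PATTERN = re.compile(r"^1[3-9]\d{9}$")


def is_valid_phone(phone: str) -> bool:
    """Format check only: rejects obviously malformed or fake numbers."""
    return bool(PHONE_PATTERN.match(phone))


class SmsSendGuard:
    """Decides whether a 'send verification code' request may proceed."""

    def __init__(self) -> None:
        self.sends_by_phone = defaultdict(list)  # phone -> [send timestamps]
        self.sends_by_ip = defaultdict(list)     # ip    -> [send timestamps]

    @staticmethod
    def _within_day(stamps, now: float):
        cutoff = now - 24 * 3600
        return [t for t in stamps if t > cutoff]

    def check(self, phone: str, ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (allowed, reason). Counters are only updated when a send is
        allowed, so rejected requests do not consume a number's daily quota."""
        now = time.time() if now is None else now
        if not is_valid_phone(phone):
            return False, "invalid_phone"

        # Per-number rules: minimum interval between sends, then daily cap.
        phone_sends = self._within_day(self.sends_by_phone[phone], now)
        self.sends_by_phone[phone] = phone_sends
        if phone_sends and now - phone_sends[-1] < RESEND_INTERVAL_SECONDS:
            return False, "resend_too_soon"
        if len(phone_sends) >= MAX_PER_PHONE_PER_DAY:
            return False, "phone_daily_limit"

        # Per-IP rule: stops one source swiping many different numbers.
        ip_sends = self._within_day(self.sends_by_ip[ip], now)
        self.sends_by_ip[ip] = ip_sends
        if len(ip_sends) >= MAX_PER_IP_PER_DAY:
            return False, "ip_daily_limit"

        phone_sends.append(now)
        ip_sends.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: same number twice within 60 s.
    guard = SmsSendGuard()
    print(guard.check("13800138000", "10.0.0.1", now=1000.0))  # allowed
    print(guard.check("13800138000", "10.0.0.1", now=1030.0))  # resend_too_soon
```

The front-end countdown after "send code" should use the same 60-second value, but it is the backend check that actually enforces it; the front end only improves the experience for normal users.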

5. Encryption of outgoing parameters

The parameters sent to the server are encrypted and decrypted on arrival, and a token is used as a unique identifier for verification. The backend implements an algorithm that injects the token into the front end; the front end obtains the token according to the agreed rules and includes it in the data sent to the SMS verification request interface, and the backend verifies the token. Only after the verification passes is the SMS sent.
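As an added example (my own code, not from the original post) of the token part of method 5: the server issues an HMAC-signed token bound to the visitor's session, the front end sends it back with the "send code" request, and the server accepts it only if the signature matches, the session matches, it is still inside its validity window, and it has not been used before. The secret, the 300-second validity window and the single-use rule are my assumptions; the used-token set would live in Redis with an expiry in a real deployment.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed server-side secret: load it from configuration; it never reaches the client.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL_SECONDS = 300  # assumed validity window for one token

# Tokens already consumed (assumption: each token may trigger one send only).
_used_tokens = set()


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Server side: build the token that the page embeds for the front end."""
    issued_at = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()
    payload = f"{session_id}|{issued_at}|{nonce}".encode()
    sig = base64.urlsafe_b64encode(_sign(payload)).decode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Server side: accept a token once, for its own session, inside its window."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    try:
        tok_session, issued_at_str, _nonce = payload.decode().split("|")
        issued_at = int(issued_at_str)
    except ValueError:
        return False
    if tok_session != session_id:
        return False
    if not (issued_at <= now < issued_at + TOKEN_TTL_SECONDS):
        return False
    if token in _used_tokens:
        return False  # replayed token
    _used_tokens.add(token)
    return True


def handle_send_request(phone: str, token: str, session_id: str,
                        now: Optional[float] = None) -> dict:
    """Sketch of the send endpoint: the token gate runs before anything is sent."""
    if not verify_token(token, session_id, now):
        return {"sent": False, "reason": "bad_token"}
    # Per-number and per-IP limits and the real SMS gateway call would go here.
    return {"sent": True, "reason": "ok"}


if __name__ == "__main__":
    # Constructed round trip: issue for a session, then present it with the request.
    tok = issue_token("session-abc")
    print(handle_send_request("13800138000", tok, "session-abc"))   # sent
    print(handle_send_request("13800138000", tok, "session-abc"))   # bad_token (reused)
```

Binding the token to the session and making it single-use is what turns it into more than an obfuscation step: a script that captures one token cannot replay it, and a token lifted from one browser session is useless in another.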

4. Are these protective measures useful? How to choose?

1. The first method is the most common. It effectively raises the attacker's cost, but the user experience must also be considered. Against the first type of attack, the attacker will usually give up on such a website directly, but it is inevitable that your website will be added to their library of bombing sites, since CAPTCHA-solving platforms are quite cheap. Against the second type of attack, this method alone is futile.

2. The second to fifth methods can be used in combination with the first. In most cases, however, many people only use the first method and think they can sit back and relax, not knowing that it has already been cracked. The later methods can effectively improve protection in several respects.

At this point someone says: sending a verification SMS involves so many things to do, it is annoying.

Someone asks: besides these, does the blogger have a better way to solve this problem? Is there a way to protect SMS from being swiped without writing so much code?

The answer is: of course there is.

Someone has developed an SMS firewall specifically designed to protect SMS verification codes. It protects every SMS in real time and blocks most malicious requests.

Then someone says: what is the difference between this SMS firewall and the methods above? Isn't it just the methods above put together?

Of course not. This SMS firewall is a security firewall built according to payment risk control standards. It also has the following characteristics:

  1. It distinguishes normal user requests from automated attack scripts running in simulators, and intercepts simulator script attacks.
  2. It can distinguish each device and apply protection strategies per device. When under attack, only the attacker's device is intercepted, and normal users' devices are not affected.
  3. It can distinguish new users from old users, and ensures that old users' business is not affected in any way during an attack.

To be honest, you no longer need to think about any of this or write so much code; that is the end of the worry.

The following is a screenshot of my own test. If you want to try it, you can contact me by private message~

5. Conclusion

That is all for this article. Thanks to everyone for stopping by and reading, and for your attention and likes~

Thank you all~


Author: taro-flavored cat Dian
SMS firewall

Origin: blog.csdn.net/weixin_49701447/article/details/111990488