Security Guide for the Festive Season | Eight Strategies to Deal with SMS Verification Code Attacks

Today, a large number of websites and mobile apps use SMS verification codes as a security measure to verify user identity. At the end of the year in particular, enterprise promotions, lotteries and interactive campaigns reach their peak, and SMS verification codes are used very frequently.

However, the Alibaba Cloud Yundun WAF team has recently observed that the SMS verification code functions of many customer services are being attacked: the SMS interface is maliciously abused, so that the service can no longer be accessed normally. At the same time, the cost of the flood of text messages directly causes financial loss.


Three industries or business types that need to be alert to the risks behind SMS verification codes

Risky business 1: Website login pages in all industries

Scenarios to watch: online registration pages, online password-recovery pages, and mobile SMS one-time-password login pages.


Risky business 2: Online voting pages in all industries

Scenarios to watch: WeChat voting, online voting, H5 voting, and similar.


Risky business 3: Campaign pages in the e-commerce, retail, and online lending industries

Scenarios to watch: campaign coupon pages and campaign participation pages.



The danger of attacks on the SMS verification code function is greater than expected

The SMS verification code that enterprises use to ensure security also attracts attacks; here is how this risk harms enterprises.

Attacking the SMS verification code function generally leads directly to the enterprise's SMS interface being "flooded". The business scenarios in which the SMS interface is easily flooded are the three categories listed above.


When the SMS interface is flooded, the main hazards for the enterprise are as follows:

1. Too many SMS interface requests raise the server load; in severe cases server resources are exhausted, requests can no longer be answered, and normal user access is affected;
2. Too many SMS messages are sent, so that normal users cannot use the SMS verification service;
3. Too many illegitimate calls to the SMS interface consume the SMS package, which directly increases operating costs.



Eight ways to prevent the SMS interface from being abused

Having understood the risks, enterprises need not worry too much. The following "guidelines" explain how to prevent the security risks behind SMS verification codes.

1. Mobile phone number logic detection

Add number validity detection at the mobile phone number input so that malicious attackers cannot use invalid or illegitimate numbers; garbled characters and other input that is not a phone number are rejected at this first window.

2. Random check

Add a hidden <input> to the registration page that carries a random code also stored in the session, and verify it before sending the SMS, so that a request to send a verification SMS is guaranteed to originate from a click on the business page.
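As an added example (not code from the original article or from Alibaba Cloud), items 1 and 2 together in Python: a number validator that rejects garbled or malformed input before any SMS is sent, and a single-use random token that the page places in a hidden `<input>` and the server compares against its session copy. The mainland-China number pattern, the `session` dict standing in for a real session store, and the field names are assumptions.

```python
import hmac
import re
import secrets
from typing import Optional, Tuple

# Mainland China mobile numbers: 11 digits, leading "1", second digit 3-9.
# Assumed pattern for illustration; adapt to the markets you serve.
_CN_MOBILE = re.compile(r"1[3-9]\d{9}")

FORM_TOKEN_KEY = "sms_form_token"  # assumed name of the hidden field / session key


def normalize_mobile(raw: str) -> Optional[str]:
    """Strip a +86/0086 prefix and separators; return the 11-digit number
    if it is well formed, otherwise None. Letters, garbled text and
    wrong-length input are rejected here, before the SMS gateway is touched."""
    if not isinstance(raw, str) or len(raw) > 32:
        return None
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("+86"):
        digits = digits[3:]
    elif digits.startswith("0086"):
        digits = digits[4:]
    return digits if _CN_MOBILE.fullmatch(digits) else None


def issue_form_token(session: dict) -> str:
    """Generate a random token, keep it in the server-side session and return
    it so the page can render it into the hidden <input>."""
    token = secrets.token_urlsafe(32)
    session[FORM_TOKEN_KEY] = token
    return token


def verify_form_token(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted hidden-field value with the session copy and
    consume it, so a replayed or scripted request without a fresh page
    load is refused."""
    expected = session.pop(FORM_TOKEN_KEY, None)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def should_send_code(session: dict, form: dict) -> Tuple[bool, str]:
    """Gate for the 'send verification code' endpoint: check the token first
    (cheapest, and it proves the page was loaded), then the number.
    Returns (allowed, normalized number or reason)."""
    if not verify_form_token(session, form.get(FORM_TOKEN_KEY)):
        return False, "missing or invalid form token"
    number = normalize_mobile(form.get("mobile", ""))
    if number is None:
        return False, "invalid mobile number"
    return True, number
```

The token is popped, not just read, so one page load buys exactly one send; a script that reuses a captured token is refused on the second call and must load the page (and pass whatever CAPTCHA it carries) again.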

3. Add a user-friendly image CAPTCHA

That is, before the user performs the "get dynamic SMS" action, show an image CAPTCHA; only after the user has entered it does the server send the dynamic SMS to the user's phone. This method effectively mitigates SMS bombing.

Because CAPTCHAs are increasingly broken by automated recognition in the ongoing attack-and-defense contest, the image CAPTCHA chosen must itself meet certain protection requirements.

4. Limit the sending frequency for the same number

Limit the interval between repeated dynamic SMS sends: after a single user has requested one dynamic SMS, the server allows a second request only after a set interval (usually 60-120 seconds). This further protects the user experience and also stops manual attackers from maliciously sending junk verification SMS.

5. Limit the number of requests across different numbers

Based on the characteristics of the business, rate-limit requests per phone number and per source IP, to stop high-concurrency illegitimate requests from consuming more of the SMS package and server capacity, and to improve business stability.

6. Restrict the scenario flow

Split SMS verification and username/password setup into two steps: the user first fills in a username and password and passes validation, and only then proceeds to SMS verification, which may be checked only after a success receipt from the first step has been obtained.
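Added example for the two-step flow in item 6 (not part of the original article or of any Alibaba Cloud product): step 1 verifies the credentials and issues a signed receipt bound to the username with a short expiry; step 2 refuses to send the SMS unless a valid, unexpired receipt for that same username is presented. The receipt format, `SERVER_KEY`, the 300-second lifetime and the in-memory user store are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed placeholder; a real service loads this from a secret store.
SERVER_KEY = b"example-only-replace-with-32-random-bytes"
RECEIPT_TTL = 300  # seconds a step-1 receipt stays valid (assumed value)


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def register_user(user_db: dict, username: str, password: str) -> None:
    """Store a salted PBKDF2 hash; user_db is a dict standing in for a real table."""
    salt = os.urandom(16)
    user_db[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def _password_ok(user_db: dict, username: str, password: str) -> bool:
    rec = user_db.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


def step1_check_credentials(username: str, password: str, user_db: dict,
                            now: Optional[float] = None) -> Optional[str]:
    """Step 1: validate username/password. Only on success is a receipt
    'base64(username).expiry.hmac' issued; nothing is sent by SMS yet."""
    if not _password_ok(user_db, username, password):
        return None
    expiry = int((time.time() if now is None else now) + RECEIPT_TTL)
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    payload = f"{user_b64}.{expiry}".encode()
    return f"{payload.decode()}.{_mac(payload)}"


def verify_receipt(receipt: str, username: str, now: Optional[float] = None) -> bool:
    """Check the signature, the username binding and the expiry."""
    parts = receipt.split(".")
    if len(parts) != 3:
        return False
    user_b64, expiry_s, mac = parts
    payload = f"{user_b64}.{expiry_s}".encode()
    if not hmac.compare_digest(_mac(payload), mac):
        return False
    try:
        expiry = int(expiry_s)
        bound_user = base64.urlsafe_b64decode(user_b64.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    current = time.time() if now is None else now
    return bound_user == username and current < expiry


def step2_request_sms(receipt: str, username: str, mobile: str,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Step 2: the SMS endpoint is reachable only with a valid step-1 receipt,
    so a script cannot skip straight to the send-code call."""
    if not verify_receipt(receipt, username, now):
        return False, "complete step 1 first"
    # The real send_sms(mobile) call would go here; the example only reports the decision.
    return True, f"code sent to {mobile}"
```

Because the receipt is signed server-side and carries its own expiry, the SMS endpoint can validate it without a database lookup, and a receipt captured for one account cannot be replayed for another or after its lifetime.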

7. Enable HTTPS

Configure a certificate for the website and enable the HTTPS encrypted protocol so that plaintext data in transit cannot be analyzed.

8. Limit requests per IP

With an image CAPTCHA in place, attackers can no longer effectively automate calls to the "dynamic SMS" function. But if an attacker ignores the CAPTCHA failures and fires a large volume of requests anyway, the server still carries extra load that affects the business. It is recommended to limit, on the server side, the number of requests a single IP may make per unit of time; once the request count from that IP (including failed requests) exceeds the configured threshold, requests from the IP are suspended for a period.

In especially serious cases the IP can be added to a blacklist and all of its requests denied. This measure caps the volume of requests from a single IP address, prevents an attacker from attacking a large number of users from the same IP, raises the cost of an attack and keeps the business running normally.


Alibaba Cloud security experts note that enterprises can consider their actual business situation and select and combine the eight methods above into the anti-abuse scheme that best fits their own SMS interface.

They should also raise the security awareness of technical staff during actual campaigns and guard against risks in advance.


Recommended best practices for preventing SMS interface abuse

Alibaba Cloud security experts reviewed the strategies a large number of enterprises use to prevent SMS interface abuse and concluded that the following combination of four measures is the best solution:

1. Use a CAPTCHA service with a better user experience to prevent attacks;
2. If the SMS verification code feature is required, add slider verification at the "SMS verification code" step (simple CAPTCHAs can be broken) to prevent malicious abuse of the SMS interface;
3. Add logic checks to the login page to raise the bar for attackers, for example an account-verification feature;
4. Use the advanced protection features of Alibaba Cloud Yundun WAF, such as data risk control, custom CC protection, and precise access control, to protect the interface.

Author: 云安全2016


The Alibaba Security (阿里聚安全) CAPTCHA service currently offers slider verification, which uses behavioral characteristics to determine whether a human or a machine is operating the computer, replacing traditional verification methods.

By introducing a front-end component that verifies user requests, trusted users pass verification and go straight into the business flow, while malicious users are blocked.
