Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SMS - How to avoid Bankruptcy?

Tags:

mobile-phones

sms

business-logic

identification

registration

I'm coding a new website that will need users to enter their mobile phone number, the problem I'm facing is that I need to make sure that the user is in fact the owner of (or in this case, has access to) the mobile number.

The solution I've come up with is, upon number submission I send them a SMS with a token and ask the user to enter the token on my website, much like Google Calendar does. However I'm on a short budget and I need to make sure user A doesn't submit 100,000 mobile numbers, if that happens I'll be out of business in no time, since each SMS sent costs me about 0.10 USD.

So far, I've come up with the following solutions:

  • use a CAPTCHA (keeps some users away and it is still vulnerable to manual registrations)
  • limit the number of tokens a given IP address request (dynamic IPs, proxies, etc)
  • limit the number of tokens sent for a given mobile number (a user can request tokens for all the available numbers and when the real user tries to request a legitimate token, his number will be already blocked)

None of these solutions are perfect, how do you suggest I approach this problem?

like image 428
Alix Axel Avatar asked Aug 21 '09 20:08

Alix Axel

2 Answers

In a recent project, we were associating SMS numbers with a user account. Each account needed a CAPTCHA and email activation. The user could activate SMS via token, like you are using.

You could rate limit IP addresses (not a total limit). No more than 10 requests from an IP within 5 minutes, or something like that.

And/or you could limit outstanding SMS requests. After an IP address requests a token for SMS, it must be submitted before that IP can request for another SMS number. Or no more than 10 outstanding SMS tokens per IP per day.

Also, like @Alan said, we put a cap on our SMS messages per month.

like image 133
Gene Gotimer Avatar answered Sep 25 '22 06:09

Gene Gotimer

I would use a combination of CATPCHA and Limit the requests of a Given Mobile Number.

In addition you should be able to specify with your SMS aggregator a preset limit per month. After you reach that limit, service is shutoff. That way if you are a victim of an attack, you will only be liable for a limited amount of money.

Instead of SMS, you can make use of an automated service that calls a phone number speaks out a One Time Password (via Text 2 speech). These services are similar in pricing to SMS, and less likely to get spam abused, as there is more overhead.

Twilio cost $0.03 a minute, or in this case, $0.03 a call.

like image 24
Alan Avatar answered Sep 26 '22 06:09

Alan
Sign in to Comment

Related questions

Twilio: Messaging is unavailable for this phone number
Read sms using swift [closed]
SMSManager returns RESULT_ERROR_GENERIC_FAILURE despite trying everything
AWS Cognito is sending SMS messages without my permission
How to encode french/spanish characters to use clickatell's http api?
Android sms status
send free SMS from C# + ASP.NET
send SMS via SMPP
How can I get a phone number customers can sms to that posts the information to my website?
Send and receive SMSes in PHP
Block incoming calls and sms in android
How to send SMS to mobile using SMTP server in windows application?
Insert SMS programmatically on Android 4.4.2
Twilio not delivering sms messages to some users
How can I send SMS messages like Twitter does?
Any way I can send SMS? [closed]
could one emulator send a SMS to itself
Android - Get result from change default SMS app dialog
Generate VCard and Send Via Twilio
When does aws sns sms SENDERID gets changed from custom-id to aws's default-id "NOTICE"?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!