How is an SMS verification code interface maliciously attacked, and how can it be prevented?

Source: Internet
Author: User
Tags: manual, http request
SMS verification code interfaces are commonly used in e-commerce, mobile apps, internet banking, social forums and other Internet services: a second identity check through an SMS verification code ensures that the user's identity is genuine and valid. However, many users have recently received various registration and verification text messages that they never requested. When technical staff investigated, they found that the SMS verification code interface had been maliciously attacked, so that the verification code interface was being "brushed" (abused to send messages in bulk). So how can this be avoided?

I. How the SMS verification code interface is maliciously attacked (the SMS interface is brushed)

The SMS verification code interface is mainly abused for SMS bombing. SMS bombing works as follows:

1. The malicious attacker enters the targeted user's mobile phone number in the front-end page of the bombing tool;
2. The bombing tool's back-end server combines that mobile phone number with a collection of Internet URLs that send dynamic SMS without any authentication, forming one URL request per site that triggers a dynamic SMS;
3. Through the back-end request page, the forged user requests are sent to the different business servers;
4. After each business server receives the request, it sends a dynamic text message to the attacked user's mobile phone.


Figure: an example of an SMS bombing process

SMS bombing is usually web-based (implemented on the client side) and consists of two modules: a front-end web page with a form for entering the targeted mobile phone number, and a back-end attack page, typically written in PHP, which on every request combines the dynamic SMS URL collected from each website with the mobile phone number entered on the front end and sends an HTTP request, so that each website sends a dynamic text message to the user. The attacked user receives a large number of messages they never requested and can no longer use their mobile operator's service normally.

An SMS interface being "brushed" usually means that the website's dynamic SMS sending interface has been collected by such an SMS bombing tool as one of its sending channels.

II. Scenarios and websites vulnerable to malicious use

1. Online voting sites (which require a mobile phone number for verification)
2. User online registration pages (including an SMS verification function)
3. Mobile SMS dynamic password login

III. Ways of maliciously clicking the mobile phone SMS verification code

There are two main ways a user can maliciously trigger the mobile phone SMS verification code: frequent manual clicking, and continuous clicking through software. In terms of harm, continuous clicking by software is far more damaging.

IV. Preventing malicious use of the SMS verification code interface

Malicious triggering of the phone SMS verification code not only increases the company's operating costs but also seriously damages the company's image (text messages generally carry the company's signature), so this behaviour must be guarded against. At present the main means of prevention are the following:

1. "SMS send interval setting": set a repeat-send interval for the same number, generally 60-120 seconds. This also protects the user experience and avoids the malicious sending of spam verification messages, including by manual attacks.
2. "IP limit": according to the characteristics of the business, set a maximum daily send volume for each IP.
3. "Mobile phone number limit": according to the characteristics of the business, set a maximum daily send volume for each mobile phone number.
4. "Process limit": split mobile phone SMS verification and user name/password setup into two steps. After the user has successfully set the user name and password, the next step is SMS verification, and a successful receipt from the first step is required before the verification can be performed.
5. "Binding graphical check code": bind the graphical check code (captcha) to the mobile phone verification code, so that when the user enters a mobile phone number, a graphical check code must also be entered to trigger the text message. This is more effective at preventing malicious clicking by software, and is how large sites now do it; for example, registering for NetEase email:


6. "Send volume limit": set the maximum daily send volume per mobile phone number.
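As an added illustration (not code from the original article), the following Python gate applies the send interval, the per-IP and per-number daily caps, and the captcha binding from items 1, 2, 3, 5 and 6 above to a constructed burst of send requests of the kind a bombing tool generates; the thresholds, phone numbers and IP addresses are assumptions.

```python
"""SMS send-request gate implementing the article's countermeasures:
per-number resend interval, per-IP and per-number daily caps, and a
mandatory graphical-captcha check before any message is triggered.
Threshold values are illustrative assumptions, not values from the article."""
from collections import defaultdict

RESEND_INTERVAL_S = 60        # article suggests 60-120 seconds between sends
MAX_PER_NUMBER_PER_DAY = 5    # assumed daily cap per mobile number
MAX_PER_IP_PER_DAY = 20       # assumed daily cap per source IP


class SmsGate:
    def __init__(self):
        self.last_sent = {}                 # number -> timestamp of last send
        self.per_number = defaultdict(int)  # number -> sends today
        self.per_ip = defaultdict(int)      # ip -> sends today

    def check(self, number, ip, now, captcha_ok):
        """Return (allowed, reason). Counters are updated only for allowed
        sends, so rejected requests cannot exhaust a victim's quota."""
        if not captcha_ok:
            return False, "captcha_failed"
        last = self.last_sent.get(number)
        if last is not None and now - last < RESEND_INTERVAL_S:
            return False, "interval"
        if self.per_number[number] >= MAX_PER_NUMBER_PER_DAY:
            return False, "number_daily_cap"
        if self.per_ip[ip] >= MAX_PER_IP_PER_DAY:
            return False, "ip_daily_cap"
        self.last_sent[number] = now
        self.per_number[number] += 1
        self.per_ip[ip] += 1
        return True, "sent"


def simulate_bombing(gate, victim, ip, attempts, spacing_s=1):
    """Constructed burst: a bombing tool fires `attempts` requests for one
    number `spacing_s` seconds apart, with the captcha solved every time.
    Returns the list of gate decisions, one per request."""
    return [gate.check(victim, ip, t * spacing_s, True)[1] for t in range(attempts)]


if __name__ == "__main__":
    g = SmsGate()
    r = simulate_bombing(g, "+8613800000000", "198.51.100.7", 200)
    print("messages actually sent:", r.count("sent"), "of", len(r))
```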


Figure: a complete dynamic SMS verification code usage process

Reprint Address: http://www.cr6868.com/html/xyxw/2709.html
