What security precautions are there in the website SMS verification code interface?
Transmission time interval
Set a minimum interval between repeated sends to the same number, generally 60 to 120 seconds. This prevents malicious abuse of the SMS interface to some extent without harming the user experience. However, it cannot stop an attacker who keeps changing mobile phone numbers, so the level of protection is low.
Access limit
Limit how many times one mobile phone number can obtain an SMS verification code within a given period. When adopting this strategy, several points need attention during product design:
Define the upper limit. Set it according to the real business situation, and even allow for future business growth, so that legitimate users are not locked out and do not complain that they cannot receive the SMS verification code.
Define the lock-up period. It can be 24 hours, 12 hours or 6 hours, depending on business conditions.
IP restriction
Set the maximum number of sends allowed from a single IP address within a given period. This method defends well against attacks from a single IP address, but it has two obvious shortcomings:
Against attackers who frequently change IP addresses, this method has little effect.
IP restrictions often cause collateral damage ("accidental injury"). For example, where many users share a unified wireless network, they all present the same IP address, which quickly reaches the upper limit, and users on that network can no longer receive the verification code normally.
Graphic verification code
Before an SMS verification code is sent, the user must first pass a graphic (image) verification code. This can fend off some attacks, so it is also a very common SMS anti-abuse mechanism today. However, it affects the user experience, so the strategy cannot be applied crudely. The following points deserve serious consideration:
Must every user enter a graphic verification code before obtaining an SMS verification code? Generally, this greatly affects the user experience: although it is relatively safe, users do not like it.
A safe range can be given instead, combined with the per-number and per-IP limits. For example, show a graphic verification code when the same mobile phone number requests an SMS verification code for the third time on the same day, or after the same IP address has obtained verification codes more than 100 times on the same day.
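The four strategies above (send interval, per-number cap with lock-up, per-IP cap, and captcha escalation at the thresholds the article quotes) are all decisions on the same counters, so the following added example, which is not code from the original article or from any vendor it mentions, implements them together as one decision function. The send interval, the 3rd-request and 100-request captcha thresholds and the 24-hour lock-up come from the article; the per-number and per-IP daily caps and the injectable clock are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values. The interval, captcha thresholds and lock-up period follow the
# article; the two daily caps are hypothetical values picked for this example.
SEND_INTERVAL_SECONDS = 60          # minimum gap between two sends to one number
DAILY_LIMIT_PER_NUMBER = 5          # hypothetical per-number cap per window
LOCKUP_SECONDS = 24 * 3600          # lock-up once a number reaches its cap
DAILY_LIMIT_PER_IP = 500            # hypothetical per-IP cap (shared Wi-Fi is large)
CAPTCHA_AFTER_NUMBER_SENDS = 2      # the 3rd request of the day needs a captcha
CAPTCHA_AFTER_IP_SENDS = 100        # an IP past 100 sends needs a captcha
WINDOW_SECONDS = 24 * 3600          # "same day" is modelled as a sliding 24h window


class SmsRiskControl:
    """In-memory risk control for an SMS verification-code endpoint.

    check() returns ("allow" | "captcha" | "deny", reason). A production
    service would keep the same counters in a shared store such as Redis.
    """

    def __init__(self, now=time.time):
        self.now = now                                  # injectable clock
        self.sends_by_number = defaultdict(deque)       # phone -> send timestamps
        self.sends_by_ip = defaultdict(deque)           # ip -> send timestamps
        self.locked_until = {}                          # phone -> unlock time

    @staticmethod
    def _prune(timestamps, now):
        # Drop sends that fell out of the 24h window.
        while timestamps and now - timestamps[0] >= WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, phone, ip, captcha_passed=False):
        now = self.now()

        # Lock-up: a number that hit its cap must wait out the lock period.
        if phone in self.locked_until:
            if now < self.locked_until[phone]:
                return "deny", "number locked"
            del self.locked_until[phone]

        num = self.sends_by_number[phone]
        ipq = self.sends_by_ip[ip]
        self._prune(num, now)
        self._prune(ipq, now)

        # Send interval: same number cannot be resent within 60 seconds.
        if num and now - num[-1] < SEND_INTERVAL_SECONDS:
            return "deny", "resend too soon"

        # IP restriction: hard cap per IP per window.
        if len(ipq) >= DAILY_LIMIT_PER_IP:
            return "deny", "ip limit"

        # Access limit: hard cap per number, then lock the number.
        if len(num) >= DAILY_LIMIT_PER_NUMBER:
            self.locked_until[phone] = now + LOCKUP_SECONDS
            return "deny", "number limit; locked"

        # Captcha escalation: only at the 3rd request per number, or once an
        # IP has sent 100 codes, does a graphic verification code appear.
        needs_captcha = (len(num) >= CAPTCHA_AFTER_NUMBER_SENDS
                         or len(ipq) >= CAPTCHA_AFTER_IP_SENDS)
        if needs_captcha and not captcha_passed:
            return "captcha", "graphic code required"

        num.append(now)
        ipq.append(now)
        return "allow", "ok"
```

Because the IP counter is independent of the number counter, the shared-network case the article describes is visible directly: 100 different numbers from one IP are still allowed, the 101st is asked for a captcha rather than refused, and only at the (deliberately high) per-IP cap is the IP denied outright.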
Encryption restriction
The parameters sent to the server are encrypted and decrypted on the server, and a token serves as the sole credential; the back end verifies the token and sends the SMS only after verification passes. This method can effectively block some attacks while preserving the user experience, so it is also a common SMS anti-abuse mechanism today. At the same time, it has obvious shortcomings:
The encryption and decryption algorithm may be cracked, so an algorithm that is difficult to crack should be chosen.
If the algorithm is not cracked, it effectively prevents attacks that forge requests directly, but it cannot prevent attacks driven through a browser simulator, which runs the legitimate client code.
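The token check in the paragraph above can be built so that "cracking the algorithm" is not a concern: instead of a reversible encryption of the parameters, the server issues a token that binds the phone number, an expiry and a one-time nonce under an HMAC, and later verifies that binding. The following is an added example, not the article's or any vendor's code; the key, the 5-minute lifetime, the token layout and the in-memory replay set are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300              # assumed token lifetime
_used_nonces = set()                 # replay protection; use Redis with a TTL in production


def issue_token(phone, now=None, key=SERVER_KEY):
    """Issue a token bound to one phone number and an expiry time.

    The MAC covers the whole payload, so neither the number nor the expiry can
    be altered by the client without the server-side key.
    """
    exp = int(time.time() if now is None else now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    payload = f"{phone}|{exp}|{nonce}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_token(token, phone, now=None, key=SERVER_KEY):
    """Return True only if MAC, phone binding, expiry and one-time use all check out."""
    try:
        payload_b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        bound_phone, exp, nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return False                                   # malformed token

    # Recompute the MAC and compare in constant time.
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False                                   # forged or tampered
    if bound_phone != phone:
        return False                                   # token for another number
    if int(time.time() if now is None else now) >= int(exp):
        return False                                   # expired
    if nonce in _used_nonces:
        return False                                   # replayed
    _used_nonces.add(nonce)                            # each token sends one SMS
    return True
```

The second shortcoming the article lists still holds: a browser simulator that runs the real front end obtains a valid token like any user, so this check must sit alongside the number and IP limits rather than replace them.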
The above are several common SMS risk control strategies; they can be combined in the specific product design process.
Use third-party defense
Sms firewall
To strike a good balance between product security and an excellent user experience, the product R&D team of Xinxin Technology combined the advantages of the various risk control strategies to develop an SMS firewall. It can be summarized as follows:
To protect the user experience, human-machine verification such as the graphic verification code, which hurts the user experience most, is abandoned in favour of non-intrusive ("insensible") verification, so as to achieve a seamless user experience.
Risk control strategies are set in different dimensions based on the user's mobile phone number, IP address and device fingerprint, and the dimensions are coordinated to reach the most reasonable risk control thresholds.
The risk control level adjusts automatically to business conditions: when an attack on some area is detected, the risk control level is automatically raised, and it returns to the normal risk control standard when conditions are normal again.
Considering the difference between new and existing customers, a VIP channel for existing customers is added so that, when under attack and risk control thresholds are tight, existing customers' traffic still passes, reducing the collateral damage rate.
Through the above strategies, attackers cannot drain SMS messages by switching mobile phone numbers and IP addresses at will. In addition, risk control strategies such as simulator detection and parameter encryption are added to effectively prevent attacks.
Risk control results can be observed in real time through the firewall console, giving early warning when under attack.
For more information, please follow the Xinxin Technology official website: newxtc.com.