Joke Collection Website - Public benefit messages - How to solve the problem of SMS verification code interface being attacked?
How to solve the problem of SMS verification code interface being attacked?
Transmission time interval
Set the time interval for sending the same number repeatedly, which is generally set to 60- 120 seconds. This method can prevent the SMS interface from being maliciously attacked to a certain extent, without any harm to the user experience. However, it can't prevent hackers from changing their mobile phone numbers to attack, and the protection level is low.
Access limit
Limit the number of times a mobile phone number can obtain SMS verification code within a certain period of time. When adopting this strategy, there are several points to pay attention to in the product design process.
Define the upper limit value. According to the real business situation, it is even necessary to consider the future business development and set a suitable upper limit value to avoid complaints from users who cannot receive SMS verification code.
Define the lock-up period. It can be 24 hours, 12 hours, 6 hours. It needs to be defined according to business conditions.
IP restriction
Set the maximum transmission capacity of a single IP address in a certain period of time. This method can well prevent the attack of a single IP address, but it also has two obvious shortcomings:
For hackers who often change IP addresses to attack, this method has no good effect.
IP restrictions often lead to accidental injuries. For example, in some places where a unified wireless network is used, many users are connected to the same wireless network, and this IP address will easily reach the upper limit soon, thus causing users connected to the wireless network to be unable to receive the verification code normally.
Graphic verification code
Before sending SMS verification code, it must pass the verification of graphic verification code. This method can relatively prevent some attacks, so it is also a very common SMS anti-attack mechanism at present. However, the user experience is involved in the use process, and this strategy cannot be applied simply and rudely. The following points deserve serious consideration:
Is it necessary for users to enter the graphic verification code before obtaining the SMS verification code? Generally speaking, this will greatly affect the user experience. Although it is relatively safe, users are not happy to use it.
Can give a safe range. Considering the limitation of mobile phone number and IP, for example, when the same mobile phone number obtains SMS verification code for the third time on the same day, a graphic verification code appears; For example, after the same IP address gets the verification code more than 100 times on the same day, the graphic verification code appears.
Encryption restriction
By encrypting the parameters transmitted to the server, then decrypting them at the server, using token as the only authentication, and verifying the token at the back end, the SMS can be sent normally after the authentication is passed. This method can effectively prevent some attacks while ensuring the user experience, so it is also a common SMS anti-attack mechanism at present. At the same time, there are obvious shortcomings:
The encryption and decryption algorithm used may be cracked, so it is necessary to consider using the encryption and decryption algorithm that is difficult to crack.
If the algorithm is not cracked, it can effectively prevent message attacks, but it cannot prevent browser simulator attacks.
The above are several common SMS risk control strategies, which can be used comprehensively in the specific product design process.
Use third-party defense
Sms firewall
In order to find an excellent balance between product safety and excellent user experience. The product R&D team of Xinxin Technology combined the advantages of various risk control strategies to develop a short message firewall. Summarize from the following aspects:
In order to ensure excellent user experience, we should give up man-machine verification programs such as graphic verification code, which has the most serious impact on user experience, and realize non-inductive verification. So as to achieve a perfect user experience.
Combined with the user's mobile phone number, IP address and device fingerprint, different dimensions of risk control strategies are set. Coordinate all dimensions to achieve the most reasonable risk control limit index.
It will automatically expand the upper limit of risk control according to the business situation. When it is detected that a place is attacked, it will automatically increase the upper limit of risk control and return to the normal risk control standard when it is normal.
Considering the differences between new and old customers, VIP channels for old customers are specially added to ensure that when attacked, the channels for old customers are unimpeded under the condition of tight risk control indicators, thus reducing the accidental injury rate.
Through the above strategies, hackers can be prevented from stealing short messages by switching mobile phone numbers and IP addresses at will. At the same time, risk control strategies such as simulator detection and parameter encryption are added to effectively prevent hacker attacks.
You can observe the wind control results in real time through the wind control firewall console to achieve the effect of early warning when being attacked.
For more information, please pay attention to the new technology official website: newxtc.com.
Please click to enter a picture description.
Please click to enter a picture description.
Sms firewall
- Previous article:Provident fund activates SMS content?
- Next article:How to take a bus from Suzhou to Shanghai?
- Related articles
- Good words, sentences and paragraphs about wonderful sports meeting.
- What if the bank card is not used?
- I didn't get the ticket, but I received the booking message of 12306.
- What if the mobile phone number is suspended?
- 1069' s lawyer's letter was written with AliPay?
- A very unpleasant thing happened to my boyfriend at work recently, and he didn't reply to all the text messages I sent him at last. He said he wanted to be quiet. He used to be cold to me. ...
- Poems, short messages and words of missing lover in Mid-Autumn Festival.
- How to change bank card password on mobile phone
- Article 1034 of the Civil Code: Right to Privacy
- The messages and wishes for primary school students are very brief.