SMS - How to avoid Bankruptcy?

5

5

I'm coding a new website that will need users to enter their mobile phone number, the problem I'm facing is that I need to make sure that the user is in fact the owner of (or in this case, has access to) the mobile number.

The solution I've come up with is, upon number submission I send them a SMS with a token and ask the user to enter the token on my website, much like Google Calendar does. However I'm on a short budget and I need to make sure user A doesn't submit 100,000 mobile numbers, if that happens I'll be out of business in no time, since each SMS sent costs me about 0.10 USD.

So far, I've come up with the following solutions:

  • use a CAPTCHA (keeps some users away and it is still vulnerable to manual registrations)
  • limit the number of tokens a given IP address can request (dynamic IPs, proxies, etc.)
  • limit the number of tokens sent for a given mobile number (a user can request tokens for all the available numbers, and when the real user tries to request a legitimate token, his number will already be blocked)

None of these solutions are perfect, how do you suggest I approach this problem?

Doodlesack answered 21/8, 2009 at 20:34 Comment(0)
6

In a recent project, we were associating SMS numbers with a user account. Each account needed a CAPTCHA and email activation. The user could activate SMS via token, like you are using.

You could rate limit IP addresses (not a total limit). No more than 10 requests from an IP within 5 minutes, or something like that.

And/or you could limit outstanding SMS requests. After an IP address requests a token for SMS, it must be submitted before that IP can request for another SMS number. Or no more than 10 outstanding SMS tokens per IP per day.

Also, like @Alan said, we put a cap on our SMS messages per month.

Upswell answered 21/8, 2009 at 20:50 Comment(0)
3

I would use a combination of CAPTCHA and limiting the requests for a given mobile number.

In addition you should be able to specify with your SMS aggregator a preset limit per month. After you reach that limit, service is shutoff. That way if you are a victim of an attack, you will only be liable for a limited amount of money.

Instead of SMS, you can make use of an automated service that calls a phone number and speaks out a One Time Password (via text-to-speech). These services are similar in pricing to SMS, and less likely to get spam abused, as there is more overhead.

Twilio costs $0.03 a minute, or in this case, $0.03 a call.

Rhigolene answered 21/8, 2009 at 20:45 Comment(3)
And if you go the Twilio route, you can give me $0.02 a call made, since I save you $0.07 :D (Rhigolene)
@Alan, Twilio keeps saying "International dialing not enabled.", since my web app is not for a US audience it isn't useful for me. (Doodlesack)
Well, looks like I won't be making that $0.02 per call ;) Srsly though, I had posted this prior to your comment about being non-US based. Search around, there is likely to be a similar service for your region. (Rhigolene)
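The two answers above (rate limiting per IP, a cap on outstanding unverified tokens, a per-number limit, and a preset monthly spend cap) can all sit in one gate in front of the SMS send call. The following Python class is an added example, not code from anyone in this thread; the class name, the limit values and the in-memory storage are assumptions for illustration (a real deployment would keep the counters in shared storage such as a database or cache so that every web node sees the same numbers).

```python
import secrets
import time
from collections import defaultdict, deque


class ManualClock:
    """Settable clock so the gate can be exercised offline (constructed for this example)."""

    def __init__(self, start=1_700_000_000.0):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SmsTokenGate:
    """Gatekeeper in front of the SMS provider call.

    Controls, all checked before any money is spent:
      * monthly spend cap (mirrors the cut-off you would also set at the aggregator)
      * sliding-window rate limit per IP (default: 10 sends per 5 minutes)
      * cap on outstanding, not-yet-verified tokens per IP per day
      * limit on sends to one mobile number per week
    All default values are assumptions, not figures from the thread.
    """

    def __init__(self, now=time.time, ip_limit=10, ip_window=300,
                 outstanding_per_ip=10, outstanding_window=86400,
                 number_limit=3, number_window=7 * 86400,
                 cost_per_sms=0.10, monthly_cap_usd=50.0):
        self.now = now
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.outstanding_per_ip, self.outstanding_window = outstanding_per_ip, outstanding_window
        self.number_limit, self.number_window = number_limit, number_window
        self.cost_per_sms, self.monthly_cap_usd = cost_per_sms, monthly_cap_usd
        self._ip_hits = defaultdict(deque)      # ip -> timestamps of sends
        self._number_hits = defaultdict(deque)  # number -> timestamps of sends
        self._pending = {}                      # number -> (token, ip, issued_at)
        self._spent_usd = 0.0
        self._month = None                      # (year, month) the spend counter belongs to

    @staticmethod
    def _prune(hits, cutoff):
        """Drop timestamps that have left the sliding window."""
        while hits and hits[0] <= cutoff:
            hits.popleft()

    def _outstanding_for(self, ip, now):
        cutoff = now - self.outstanding_window
        return sum(1 for _tok, tip, issued in self._pending.values()
                   if tip == ip and issued > cutoff)

    def request_token(self, ip, number):
        """Return (True, token) if an SMS may be sent, else (False, reason)."""
        now = self.now()
        month = time.gmtime(now)[:2]
        if month != self._month:                 # new calendar month: reset the spend counter
            self._month, self._spent_usd = month, 0.0
        if self._spent_usd + self.cost_per_sms > self.monthly_cap_usd:
            return False, "monthly_cap"
        ip_hits = self._ip_hits[ip]
        self._prune(ip_hits, now - self.ip_window)
        if len(ip_hits) >= self.ip_limit:
            return False, "ip_rate"
        if self._outstanding_for(ip, now) >= self.outstanding_per_ip:
            return False, "outstanding"
        num_hits = self._number_hits[number]
        self._prune(num_hits, now - self.number_window)
        if len(num_hits) >= self.number_limit:
            return False, "number_limit"
        token = f"{secrets.randbelow(10 ** 6):06d}"   # six-digit code, CSPRNG-generated
        self._pending[number] = (token, ip, now)     # a fresh request replaces the old token
        ip_hits.append(now)
        num_hits.append(now)
        self._spent_usd += self.cost_per_sms         # only counted when we actually send
        return True, token

    def verify(self, number, submitted):
        """Consume the pending token for `number`; True only on an exact, single-use match."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        token, _ip, _issued = entry
        if not secrets.compare_digest(token, submitted):
            return False
        del self._pending[number]
        return True
```

The checks are ordered from cheapest and most global (the monthly cap, which bounds the worst case regardless of how the other limits are dodged) to the most specific; a denial never increments a counter, so a blocked caller cannot use up another user's allowance for a number.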
3

You could do what Twitter does, which is have the user text you the token (rather than you texting it to them).

This will require you to find a provider that lets you receive texts for free (or close to it), but that might be easier.

Melodize answered 24/8, 2009 at 12:54 Comment(0)
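Reversing the direction also changes what is being proved: the number you bind to the account is the sender number the receiving provider reports, not a value the user typed, and an unknown token arriving by SMS costs nothing. The handler below is an added example, not code from this answer or any provider; the `InboundSms` shape, the `VERIFY <token>` keyword format and the ten-minute lifetime are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class InboundSms:
    """One message as delivered by the receiving provider's webhook (constructed shape)."""
    sender: str  # number in E.164 form as reported by the carrier, not user input
    body: str


class InboundTokenVerifier:
    """Issue a token to a logged-in session; the user texts it to our number.

    The number that sent the matching token becomes the verified number for
    that session's user. Tokens are single use and expire after TTL seconds.
    """

    TTL = 600  # seconds a token stays valid (assumed value)

    def __init__(self, now=time.time):
        self.now = now
        self._issued = {}    # token -> (user_id, issued_at)
        self.verified = {}   # user_id -> sender number proven by an inbound text

    def issue(self, user_id):
        """Create the token the user is told to text in, e.g. 'VERIFY 3fa1c0de'."""
        token = secrets.token_hex(4)  # 32 random bits; enough when each guess costs the attacker an SMS
        self._issued[token] = (user_id, self.now())
        return token

    def handle_inbound(self, msg):
        """Webhook entry point. Returns the user_id just verified, or None."""
        parts = msg.body.strip().split()
        if len(parts) != 2 or parts[0].upper() != "VERIFY":
            return None                      # unrelated text: ignore, nothing to spend
        token = parts[1].lower()
        entry = self._issued.pop(token, None)  # consumed on first use, valid or not
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.now() - issued_at > self.TTL:
            return None                      # expired: user must request a new token
        self.verified[user_id] = msg.sender  # bind the carrier-reported sender, not a typed number
        return user_id
```

Because the token was shown only inside the user's authenticated web session, a matching text proves that whoever holds that session also controls the sending handset; the free-text number field disappears entirely, which removes the bulk-submission problem the question describes.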
0

Why is SMS costing you a dime? Utilize the EMAIL address that is associated with every SMS system (at least here in the U.S.).

http://www.sms411.net/2006/07/how-to-send-email-to-phone.html

Hearty answered 21/8, 2009 at 20:41 Comment(2)
This is a fine approach, but you have to force your users to enter their carrier, right? Plus if they switch carriers, they have to remember to switch their accounts. (Rhigolene)
This is definitely US-specific. (Shu)
0

If someone tries their best to abuse a system, they will more than likely find a way to do it. Using a combination of the techniques you've already come up with is likely the best way to thwart most malicious users.

Limit what people can do (no more than 10 requests from 1 IP in 10 minutes, one phone number can only receive 3 texts a week, CAPTCHA before number entry), but more importantly, if people have no control over the content of the message there's no real reason to exploit it.

Toandfro answered 21/8, 2009 at 21:09 Comment(1)
The content of the message is going to be a simple token (aka password); still, I believe this could be exploitable by my competitors to make me lose money. (Doodlesack)
