SMS: how do I avoid going bankrupt?

Posted 2024-08-02 18:31:58, 503 characters, 7 views


I'm coding a new website that will need users to enter their mobile phone number. The problem I'm facing is that I need to make sure that the user is in fact the owner of (or in this case, has access to) the mobile number.

The solution I've come up with is, upon number submission, I send them an SMS with a token and ask the user to enter the token on my website, much like Google Calendar does. However, I'm on a short budget and I need to make sure user A doesn't submit 100,000 mobile numbers; if that happens I'll be out of business in no time, since each SMS sent costs me about 0.10 USD.

So far, I've come up with the following solutions:

  • use a CAPTCHA (keeps some users away and it is still vulnerable to manual registrations)
  • limit the number of tokens a given IP address requests (dynamic IPs, proxies, etc.)
  • limit the number of tokens sent for a given mobile number (a user can request tokens for all the available numbers, and when the real user tries to request a legitimate token, his number will already be blocked)

None of these solutions are perfect; how do you suggest I approach this problem?


Comments (5)

泼猴你往哪里跑 2024-08-09 18:31:58


In a recent project, we were associating SMS numbers with a user account. Each account needed a CAPTCHA and email activation. The user could activate SMS via token, like you are using.

You could rate limit IP addresses (not a total limit). No more than 10 requests from an IP within 5 minutes, or something like that.

And/or you could limit outstanding SMS requests. After an IP address requests a token for SMS, it must be submitted before that IP can request another SMS number. Or no more than 10 outstanding SMS tokens per IP per day.

Also, like @Alan said, we put a cap on our SMS messages per month.

蔚蓝源自深海 2024-08-09 18:31:58


I would use a combination of CAPTCHA and limiting the requests for a given mobile number.

In addition, you should be able to specify with your SMS aggregator a preset limit per month. After you reach that limit, service is shut off. That way, if you are a victim of an attack, you will only be liable for a limited amount of money.

Instead of SMS, you can make use of an automated service that calls a phone number and speaks out a One Time Password (via text-to-speech). These services are similar in pricing to SMS, and less likely to get spam abused, as there is more overhead.

Twilio costs $0.03 a minute, or in this case, $0.03 a call.

独享拥抱 2024-08-09 18:31:58


You could do what Twitter does, which is have the user text you the token (rather than you texting it to them).

This will require you to find a provider that lets you receive texts for free (or close to it), but that might be easier.

著墨染雨君画夕 2024-08-09 18:31:58


Why is SMS costing you a dime? Utilize the email address that is associated with every SMS system (at least here in the U.S.).

http://www.sms411.net/2006/07/how-to-send-email-to-phone.html

最冷一天 2024-08-09 18:31:58


If someone tries their best to abuse a system, they will more than likely find a way to do it.
Using a combination of the techniques you've already come up with is likely the best way to thwart most malicious users.

Limit what people can do (no more than 10 requests from 1 IP in 10 minutes, one phone number can only receive 3 texts a week, CAPTCHA before number entry), but more importantly, if people have no control over the content of the message there's no real reason to exploit it.
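The limits proposed in this answer and in the first answer above (a sliding-window per-IP rate limit, a cap on outstanding unverified tokens per IP per day, a per-number weekly cap, and a monthly budget cap like the aggregator's preset limit) can be combined into one gatekeeper in front of the "send SMS" call. The code below is an added example, not code from the thread or from any answerer; it is plain Python with in-memory state (a real deployment would keep these counters in Redis or a database). The class and method names (`SmsGate`, `request_token`, `verify`), the thresholds, `SERVER_KEY`, and the IPs and numbers used in the usage are all the example's own assumptions.

```python
"""Abuse controls for an SMS verification endpoint (added example)."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

DAY = 24 * 3600
WEEK = 7 * DAY
MONTH = 30 * DAY

# Constructed for this example; a real service loads this from configuration.
# Tokens are stored as an HMAC under this key, so a leaked table does not
# reveal live codes.
SERVER_KEY = secrets.token_bytes(32)


def _prune(dq, cutoff):
    """Drop timestamps older than cutoff from the left of an ordered deque."""
    while dq and dq[0] < cutoff:
        dq.popleft()


class SmsGate:
    """Decides whether an SMS token may be sent and checks tokens on return."""

    def __init__(self, clock=time.time, ip_window=5 * 60, ip_limit=10,
                 outstanding_per_ip=10, number_limit_per_week=3,
                 monthly_budget=5000, token_ttl=10 * 60, max_attempts=5):
        self.clock = clock
        self.ip_window, self.ip_limit = ip_window, ip_limit
        self.outstanding_per_ip = outstanding_per_ip
        self.number_limit_per_week = number_limit_per_week
        self.monthly_budget = monthly_budget
        self.token_ttl, self.max_attempts = token_ttl, max_attempts
        self.ip_requests = defaultdict(deque)   # ip -> timestamps of requests
        self.number_sends = defaultdict(deque)  # number -> timestamps of sends
        self.month_sends = deque()              # timestamps of every send
        self.outstanding = defaultdict(dict)    # ip -> {number: issued_at}
        self.pending = {}                       # number -> record of live token

    def _mac(self, number, token):
        msg = f"{number}:{token}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def request_token(self, ip, number):
        """Return (allowed, reason, token); the token is what would be texted."""
        now = self.clock()
        # 1. Global monthly budget: hard stop on spend regardless of source.
        _prune(self.month_sends, now - MONTH)
        if len(self.month_sends) >= self.monthly_budget:
            return False, "monthly_budget_exhausted", None
        # 2. Sliding-window rate limit per IP (e.g. 10 requests in 5 minutes).
        reqs = self.ip_requests[ip]
        _prune(reqs, now - self.ip_window)
        if len(reqs) >= self.ip_limit:
            return False, "ip_rate_limited", None
        reqs.append(now)  # later refusals still consume an IP slot
        # 3. Cap on unverified tokens per IP per day.
        out = self.outstanding[ip]
        for n, issued in list(out.items()):
            if issued < now - DAY:
                del out[n]
        if len(out) >= self.outstanding_per_ip:
            return False, "too_many_outstanding_tokens", None
        # 4. Per-number cap (e.g. 3 texts per week) so one number cannot be flooded.
        sends = self.number_sends[number]
        _prune(sends, now - WEEK)
        if len(sends) >= self.number_limit_per_week:
            return False, "number_rate_limited", None
        # All gates passed: issue a 6-digit token and store only its HMAC.
        token = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = {"mac": self._mac(number, token), "ip": ip,
                                "expires": now + self.token_ttl, "attempts": 0}
        out[number] = now
        sends.append(now)
        self.month_sends.append(now)
        return True, "sent", token

    def verify(self, number, token):
        """Check a submitted token; consume it on success, expiry or too many tries."""
        rec = self.pending.get(number)
        if rec is None:
            return False
        if self.clock() > rec["expires"]:
            self._discard(number, rec)
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["mac"], self._mac(number, token)):
            self._discard(number, rec)
            return True
        if rec["attempts"] >= self.max_attempts:
            self._discard(number, rec)  # stop online guessing of 6-digit codes
        return False

    def _discard(self, number, rec):
        self.pending.pop(number, None)
        self.outstanding[rec["ip"]].pop(number, None)


if __name__ == "__main__":
    gate = SmsGate()
    ok, reason, code = gate.request_token("203.0.113.5", "+15550100")  # constructed
    print(ok, reason, gate.verify("+15550100", code))
```

The order of the checks matters: the budget and IP gates run before the per-number gate, so a flood aimed at one number exhausts the sender's IP allowance rather than only the victim number's weekly quota, and the request counter is incremented before the remaining gates so refused requests still count against the IP. The verify side caps guesses per token and expires tokens, which is what makes a short numeric code acceptable over SMS.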
