This guide will provide you with some simple steps you can take in order to protect yourself against possible bot attacks.
If you send one-time passwords (OTPs) by SMS, security deserves attention, because the recipient controls when an SMS is requested. In the worst case, a script could be run against your website to request an enormous number of SMS messages, resulting in a significant financial loss that can escalate into tens of thousands of euros worth of damage!
There are measures available that help avoid bot attacks and artificially inflated SMS traffic. We highly recommend applying all three:
Present a CAPTCHA for every SMS PIN code request
Presenting a CAPTCHA each time someone requests a PIN code via SMS on your website or application is the best way to avoid two-factor authentication PIN code attacks. While this is an extra step for real users and may seem like an annoyance, it eliminates the possibility of someone running a spam bot that continuously requests PIN codes for different phone numbers.
Requesting PIN codes for many different numbers and completing a CAPTCHA for each one would simply be too time-consuming for a hacker.
Limit the number of SMS PIN code requests
Another measure is to limit the number of SMS requests per IP address or per session. For example, if a hacker requests more than five SMS PIN codes from the same IP address within, say, 30 minutes, all further requests could be rejected internally.
While public IP addresses can be spoofed, potential hackers would need to switch IP addresses after a set number of requests – which would be a lot of hassle.
Disable SMS delivery to destinations you don’t need
The SMS service is global in its nature, but if your clients are based only in selected countries, there isn’t a need to enable worldwide SMS delivery.
Messente can easily disable SMS delivery to all destinations where you don’t want to send SMS messages. Then, whenever someone requests an SMS to a ‘disabled’ country via Messente, we reject the request at our end, at no cost to you. While this won’t protect you from SMS bot attacks in your target market, it will reduce the risk to your business.
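As an added example (not Messente’s code and not part of the original guide), here is a small Python gate that applies two of the measures above before an OTP request reaches the SMS gateway: the per-IP limit of five requests per 30 minutes from the section on limiting requests, and an assumed destination allow-list standing in for the disabled countries. The IP addresses, phone numbers and the allowed country codes are constructed sample values.

```python
from collections import defaultdict, deque

# Policy values from the guide: at most 5 PIN requests per IP within 30 minutes.
MAX_REQUESTS_PER_IP = 5
WINDOW_SECONDS = 30 * 60
# Assumed allow-list of destination country calling codes (hypothetical:
# the service only has customers in Estonia and Finland).
ALLOWED_COUNTRY_CODES = ("+372", "+358")


class OtpRequestGuard:
    """Decides whether an SMS PIN request may be forwarded to the SMS gateway."""

    def __init__(self, max_per_ip=MAX_REQUESTS_PER_IP, window=WINDOW_SECONDS,
                 allowed=ALLOWED_COUNTRY_CODES):
        self.max_per_ip = max_per_ip
        self.window = window
        self.allowed = allowed
        self._history = defaultdict(deque)  # ip -> timestamps of accepted requests

    def check(self, ip, phone, now):
        """Return (allowed, reason). `now` is a unix timestamp passed in by the caller."""
        if not phone.startswith(self.allowed):
            return False, "destination_blocked"   # would be rejected at no cost anyway
        history = self._history[ip]
        # Drop accepted requests that have fallen out of the sliding window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.max_per_ip:
            return False, "rate_limited"           # rejected requests are not recorded
        history.append(now)
        return True, "ok"


def simulate(events, guard=None):
    """Run constructed (ip, phone, timestamp) events through a guard; returns the reasons in order."""
    guard = guard or OtpRequestGuard()
    return [guard.check(ip, phone, t)[1] for ip, phone, t in events]


# Constructed sample traffic: one IP hammering different Estonian numbers, plus one request
# to a destination outside the allow-list.
SAMPLE_EVENTS = [
    ("203.0.113.7", "+37251000001", 0),
    ("203.0.113.7", "+37251000002", 10),
    ("203.0.113.7", "+37251000003", 20),
    ("203.0.113.7", "+37251000004", 30),
    ("203.0.113.7", "+37251000005", 40),
    ("203.0.113.7", "+37251000006", 50),     # sixth request inside 30 min -> rate_limited
    ("203.0.113.7", "+37251000007", 1900),   # first request has expired -> ok again
    ("198.51.100.9", "+14155550100", 60),    # US number not on the allow-list -> destination_blocked
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

In a real deployment the history would live in shared storage such as Redis rather than in-process memory, so the limit holds across all web servers.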