
I'm developing a merchant page where users can pay their bills. On this page, users must fill in their bank details (card number, cardholder name, expiration date, CVC).

As a verification, we have a phone field where the user inputs a phone number and submits (with AJAX). After that, an SMS with OTP is sent to that number. In this part, intruders (or hackers) can spam it by sending fake queries, which will cost us some money.

How do we defend from this type of attack? How do we set a limit for users to only allow one request (1 SMS) in two minutes?

The option of creating a database and storing phone numbers and sender IPs is not a suitable variant.

Daler
  • Why are you using SMS for this? Why not an emailed one-time link? – schroeder Oct 25 '19 at 13:31
  • Why does the user need to fill in his phone number each time rather than use the one that is on file? – Ángel Oct 25 '19 at 15:21
  • Don't reinvent the wheel: Use a 2FA provider that has solved this and other problems, e.g. how to block premium numbers. – Martin Schröder Oct 26 '19 at 11:48
  • @schroeder we do not ask for the user's email at sign-up, but we require a phone number. – Daler Oct 30 '19 at 07:39
  • @Ángel which file do you mean? – Daler Oct 30 '19 at 07:39
  • @ReinstateMonica-M.Schröder, 2FA is not an option; not every user in our audience knows what it is and how to use it. – Daler Oct 30 '19 at 07:40
  • It's looking more and more that this is a much more complex scenario than what you presented. It is also looking like you have fundamental design issues. This is looking more like a programming question than a security question. – schroeder Oct 30 '19 at 08:35
  • @DalerAzimov 2FA isn't limited to SMS: There are products that fall back to voice if needed (i.e. if the target number is a land line). – Martin Schröder Oct 30 '19 at 08:56
  • @DalerAzimov I mean the information (phone number) you already have of your client. Sending an OTP, but to a number that is provided by the potential attacker, adds about zero security. – Ángel Oct 30 '19 at 21:37

1 Answer


You have two areas where you can control this. First, you can control the user/number pair spamming by recording the number you sent an SMS to and limiting the number of messages your system can send to that number.

For the case where someone generates multiple users and multiple numbers, you can control that on the user-creation process before the SMS part. In this case, you can limit the number of accounts created by an IP in a certain timeframe. That prevents the SMS from being a problem in the first place.

And you always have the opportunity to rate-limit the total number of texts your system sends.

schroeder
  • Thanks for your answer, Schroeder. The problem with area one: to record all that data we will need to create a DB, and it will require a lot of memory. Right now the service is not big enough and this solution is okay, but in the future this service is going to be big, and recording all that data will be problematic. – Daler Oct 30 '19 at 07:38
  • The problem with area two: it also requires a lot of memory to record all that data. In addition, on this project people sign up, and using this service is an optional choice; not every user is going to use it, and it would require a lot of memory to record absolutely all project data, so this is not an option. I need a solution to protect only one page from spamming. Thanks. – Daler Oct 30 '19 at 07:38
  • I don't think you understand. This requires very little space and can be maintained in memory easily, especially since the items do not need to persist. No DB needed. – schroeder Oct 30 '19 at 07:41
  • Can you explain this to me in a little more detail? Thanks. – Daler Oct 30 '19 at 07:42
  • Please tell me that you are logging when you send SMS ... – schroeder Oct 30 '19 at 08:31
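The three controls from the answer (per-number limit, per-IP limit, service-wide limit), written out as an added example that is neither the asker's code nor the answerer's. It keeps only timestamps inside each limit's window, in memory, and drops idle keys, which is the point made in the comments: memory grows with the number of phones and IPs active in the last few minutes, not with the total user base, and nothing needs a database. The limits (one SMS per number per 120 s, three requests per IP per 10 min, 1000 SMS per minute overall), the `send_sms` callback, and all names are illustrative assumptions.

```python
"""Added example: in-memory rate limiting for an SMS-OTP endpoint.
Limits, names and the send_sms callback are illustrative, not the asker's code."""
import secrets
import time
from collections import deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._events: Dict[str, Deque[float]] = {}

    def _recent(self, key: str, now: float) -> Deque[float]:
        """Timestamps for `key` still inside the window (fresh deque if none stored)."""
        q = self._events.get(key)
        if q is None:
            return deque()
        while q and now - q[0] >= self.window:   # expire old timestamps in place
            q.popleft()
        return q

    def allow(self, key: str, commit: bool = True) -> bool:
        """True if `key` is under its limit; with commit=True, count this event."""
        now = self.clock()
        q = self._recent(key, now)
        if len(q) >= self.limit:
            return False
        if commit:
            q.append(now)
            self._events[key] = q
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the next event for `key` would be allowed (0 if allowed now)."""
        now = self.clock()
        q = self._recent(key, now)
        return 0.0 if len(q) < self.limit else self.window - (now - q[0])

    def sweep(self) -> int:
        """Drop keys with no events left in the window; returns how many were dropped."""
        now = self.clock()
        idle = [k for k in self._events if not self._recent(k, now)]
        for k in idle:
            del self._events[k]
        return len(idle)


def normalize_phone(raw: str) -> str:
    """Digits only, so '+1 (555) 010-0' and '15550100' share one bucket."""
    return "".join(ch for ch in raw if ch.isdigit())


class OtpSmsGate:
    """Decides whether an OTP SMS may go out; sending is a caller-supplied callback."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.send_sms = send_sms
        self.per_phone = SlidingWindowLimiter(1, 120, clock)    # one SMS per number per 2 min
        self.per_ip = SlidingWindowLimiter(3, 600, clock)       # assumed per-IP cap
        self.global_ = SlidingWindowLimiter(1000, 60, clock)    # assumed service-wide cap

    def request_otp(self, raw_phone: str, client_ip: str) -> str:
        """Returns 'sent' or the name of the limit that blocked the request.
        Nothing is counted unless every limit passes, so a blocked request burns no quota."""
        phone = normalize_phone(raw_phone)
        if not phone:
            return "invalid_phone"
        checks = [("phone_limited", self.per_phone, phone),
                  ("ip_limited", self.per_ip, client_ip),
                  ("global_limited", self.global_, "*")]
        for status, limiter, key in checks:
            if not limiter.allow(key, commit=False):
                return status
        for _, limiter, key in checks:
            limiter.allow(key)
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit OTP from the OS CSPRNG
        self.send_sms(phone, code)
        return "sent"

    def sweep(self) -> int:
        """Periodic housekeeping (e.g. from a timer thread): idle keys dropped in total."""
        return self.per_phone.sweep() + self.per_ip.sweep() + self.global_.sweep()


class ManualClock:
    """Injectable clock so the limiter can be exercised without real waiting."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clk = ManualClock()
    gate = OtpSmsGate(send_sms=lambda p, c: print(f"SMS to {p}: {c}"), clock=clk)
    print(gate.request_otp("+1 (555) 010-0", "203.0.113.5"))   # sent
    print(gate.request_otp("15550100", "203.0.113.5"))         # phone_limited
```

The per-phone check runs before the per-IP one so that a repeat request for the same number is refused without touching the IP bucket, and `retry_after` gives the value to put in a `Retry-After` header. A real deployment would call `sweep()` on a timer and, if the web application runs as several processes, keep the same structure in a shared store such as Redis rather than in each process's memory.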