
I have a website where a user needs to register with his mobile phone number. It is verified by sending a verification code by SMS; each SMS costs me €0,10.

I have already implemented a check that if a user enters the same phone number twice he gets the notification "There is already a code sent to your phone number".

But I am worried about the following: what if someone with malicious intent makes a bot to insert random phone numbers, so a lot of SMSes will be sent and it will cost me a lot of money?

A basic solution would be to set the number of attempts in the session and, if a certain amount is sent, to block the session. But a bot could erase its session each try, so that ain't really secure, I guess.

I could use something like (an invisible) Captcha but I am actually wondering if there is also another server-side solution for this?

I could make a table to log the IP address and amount of inputs, but people using 4G or a shared Wi-Fi would be excluded, so that also ain't a valid solution.

Is there another way to protect against this other than Captcha?

O'Niel
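Added example, not part of the original question: a server-side gate that layers the per-number check the question already has with a deliberately generous per-IP ceiling (so shared 4G or Wi-Fi users are not locked out) and a global daily spend cap derived from the €0,10 per-SMS cost, which holds even when a bot rotates sessions and IP addresses. The class name `SmsGate`, all thresholds, and the in-memory store are assumptions for illustration; a real deployment would keep the counters in a database or cache shared by all web workers.

```python
import time

SMS_COST_CENTS = 10  # per-SMS cost stated in the question (EUR 0,10)

class SmsGate:
    """Sliding-window limits checked before any verification SMS is sent."""

    def __init__(self, per_number=(1, 600), per_ip=(20, 3600),
                 daily_budget_cents=5000, clock=time.time):
        # Each limit is (max sends, window in seconds); values are assumed.
        self.limits = {
            "number": per_number,   # the duplicate-number check from the question
            "ip": per_ip,           # high ceiling: tolerates shared connections
            "global": (daily_budget_cents // SMS_COST_CENTS, 86400),
        }
        self.events = {}            # key -> list of send timestamps
        self.clock = clock

    def _count(self, key, window, now):
        # Drop timestamps that fell out of the window, then count the rest.
        recent = [t for t in self.events.get(key, []) if t > now - window]
        if recent:
            self.events[key] = recent
        else:
            self.events.pop(key, None)  # never store keys for denied probes
        return len(recent)

    def allow(self, phone, ip):
        """Return (True, None) or (False, scope that blocked the send)."""
        now = self.clock()
        keys = {"number": ("number", phone), "ip": ("ip", ip),
                "global": ("global",)}
        for scope, key in keys.items():
            limit, window = self.limits[scope]
            if self._count(key, window, now) >= limit:
                return False, scope
        # Only sends that actually go out consume quota in every scope.
        for key in keys.values():
            self.events.setdefault(key, []).append(now)
        return True, None

if __name__ == "__main__":
    # Constructed sample: one client trying many numbers from one address.
    gate = SmsGate(per_ip=(3, 3600), daily_budget_cents=50)
    for n in range(5):
        print(gate.allow(f"+3200000000{n}", "192.0.2.10"))
```

When the `global` scope trips, the site can fall back to a stricter path (for example the CAPTCHA the question mentions) instead of refusing every registration.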
