Shulou(Shulou.com)06/03 Report--

This article mainly introduces "how to design a secure SMS interface". In daily operation, I believe many people have doubts about how to design a secure SMS interface. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful for you to answer the doubts about "how to design a secure SMS interface"! Next, please follow the editor to study!

Why would anyone want to browse the SMS interface?

1. Be connected to the bomber

SMS bombers have always existed, and they will collect some unprotected websites and use them as bombers' puppets.

2. Maliciously attack competitors

If the SMS interface is requested once, it will trigger the operator fee of a few cents, which is also considerable when the order of magnitude is large.

3. When programmers are bored

Programmer: I'm so bored. Attack the XXX website. Just like seeing a complete pen cap at school, there is always an impulse to break it, have you been tricked, .

Back to the point, you beat 99% of the people.

-your verification speed beat 99% of the people.

The easiest way is to add a CAPTCHA. Every time a user takes the initiative to get a text message, he / she needs to complete the verification of the picture CAPTCHA / slide CAPTCHA.

The implementation is simple, and it can also prevent some attackers, but whether it is a picture or sliding verification, it can be cracked. Once cracked, your SMS interface is unguarded against the attacker, very dangerous.

No one can keep texting.

-your SMS message has reached the limit.

General CAPTCHA types are generally used in scenarios such as login, password change, registration, etc. Generally speaking, they are not high-frequency operations, so we can impose restrictions on the number of individual users and globally:

For example, a mobile phone number can only be called 5 times in an hour, and only 20 times in a day.

In addition, the global limit is set according to the historical trend. For example, if the total number of SMS messages of CAPTCHA fluctuates around 300000 every day in the first 30 days, we can set the maximum number of SMS calls per day to 400000. If the limit is exceeded, the alarm will be given.

To a certain extent, the above upper limit can stop the loss in time in the case of attack, but there is also a small probability of manslaughter or local impact on the whole, so we need to see the actual impact.

For example, the trend is normal in the past few days, but when there is a promotion or activity one day, or any sudden traffic comes in, this global cap will affect the use of normal users.

For example, a user may obtain the verification code frequently for a period of time due to various reasons, resulting in the upper limit of SMS verification, which will affect the inability of all SMS interfaces to be used.

Risk control? Risk control!

-the risk of your operation was detected and the operation was rejected

As our business becomes larger and larger and the users we face become more and more complex, the simple rules we mentioned above are difficult to cope with the complexity of the business or users.

At this time, we need to dynamically and real-time adjust our rules and processing methods through data analysis, as well as provide risk analysis, forecasting and other functions. At this time, we may need to have an independent risk control service.

Small partners who have done payment business may come into contact with more, payment risk control is far more complicated than SMS risk control, prevention and control rules and strategies can reach thousands or even tens of thousands.

Well, as we have seen above, determine the risk level according to the scenarios of different templates, and then do different operations. This piece actually involves risk control. It is only relatively elementary, for example, how to determine the risk level? What do you need to do for each risk level? How to configure dynamically and so on.

Take a chestnut:

We can collect the user's behavior track (registration time, login times, page visits, etc.) to analyze a user, determine the user's risk level, and then determine which text messages he can send.

According to the historical trend of the template, automatically judge the reasonable range of the corresponding SMS template. If the upper limit is reached, it is considered that there is a risk operation, and the corresponding processing can be done.

Configure the appropriate rules, if a device repeats the SMS operation N times per unit time, and there is no feedback, it is considered that there is a risk.

Wait

Risk control is not only suitable for risk identification of SMS interface, but also includes registration, login, payment operation and so on. This is not achieved overnight, it takes a long time to accumulate and build.

For example, the user behavior trajectory and template trend mentioned above need to be supported by a comprehensive burial point and data platform. And if the business requirements are relatively high, you also need to develop a rule engine suitable for your own business. But when the risk control system is built, the effect is also obvious!

Of course, risk control service is not without reference. A domestic company has been committed to the research of payment risk control service and is quite familiar with the risk control business. After a long time experiment, we launched the short message risk control service-short message risk control firewall.

At this point, the study on "how to design a secure SMS interface" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.