tags:

views:

283

answers:

5
+4  Q: 

SMS - How to avoid Bankruptcy?

I'm coding a new website that will need users to enter their mobile phone number, the problem I'm facing is that I need to make sure that the user is in fact the owner of (or in this case, has access to) the mobile number.

The solution I've come up with is, upon number submission I send them a SMS with a token and ask the user to enter the token on my website, much like Google Calendar does. However I'm on a short budget and I need to make sure user A doesn't submit 100,000 mobile numbers, if that happens I'll be out of business in no time, since each SMS sent costs me about 0.10 USD.

So far, I've come up with the following solutions:

  • use a CAPTCHA (keeps some users away and it is still vulnerable to manual registrations)
  • limit the number of tokens a given IP address request (dynamic IPs, proxies, etc)
  • limit the number of tokens sent for a given mobile number (a user can request tokens for all the available numbers and when the real user tries to request a legitimate token, his number will be already blocked)

None of these solutions are perfect, how do you suggest I approach this problem?

A: 

Why is SMS costing you a dime? Utilize the EMAIL address that is associated with every SMS system (at least here in the U.S).

http://www.sms411.net/2006/07/how-to-send-email-to-phone.html

Stephen Wrighton  2009-08-21 20:41:58
This is a fine approach, but you have to force your users to enter in their carrier right? Plus if they switch carriers, they have to remember to switch their accounts.
Alan  2009-08-21 20:47:07
This is definitely US-specific.
Michael Borgwardt  2009-08-21 20:51:38
Yep, I'm not in the US.
Alix Axel  2009-08-21 20:52:32
+2  A: 

I would use a combination of CATPCHA and Limit the requests of a Given Mobile Number.

In addition you should be able to specify with your SMS aggregator a preset limit per month. After you reach that limit, service is shutoff. That way if you are a victim of an attack, you will only be liable for a limited amount of money.

Instead of SMS, you can make use of an automated service that calls a phone number speaks out a One Time Password (via Text 2 speech). These services are similar in pricing to SMS, and less likely to get spam abused, as there is more overhead.

Twilio cost $0.03 a minute, or in this case, $0.03 a call.

Alan  2009-08-21 20:45:41
And if you go the Twilio route, you can give me $0.02 a call made, since I save you $0.07 :D
Alan  2009-08-21 20:52:44
@Alan, Twilio keeps saying "International dialing not enabled.", since my web app is not for an US audience it isn't useful for me.
Alix Axel  2009-08-23 16:03:07
Well looks like I won't be making that $0.02 per call ;) Srsly though, I had posted this prior to your comment about being non US based. Search around, there is likely to be a similar service for your region.
Alan  2009-08-24 15:11:41
Twilio is international now: http://www.twilio.com/international-calling-rates
Barnabas Kendall  2009-08-31 17:55:36
+4  A: 

In a recent project, we were associating SMS numbers with a user account. Each account needed a CAPTCHA and email activation. The user could activate SMS via token, like you are using.

You could rate limit IP addresses (not a total limit). No more than 10 requests from an IP within 5 minutes, or something like that.

And/or you could limit outstanding SMS requests. After an IP address requests a token for SMS, it must be submitted before that IP can request for another SMS number. Or no more than 10 outstanding SMS tokens per IP per day.

Also, like @Alan said, we put a cap on our SMS messages per month.

CoverosGene  2009-08-21 20:50:24
A: 

If someone tries their best to abuse a system, they will more than likely find a way to do it. Using a combination of the techniques you've already come up with is likely the best way to thwart most malicious users.

Limit what people can do (no more than 10 requests from 1 ip in 10 minutes, one phone number can only recieve 3 texts a week, captcha before number entry), but more importantly, if people have no control over the content of the message there's no real reason to exploit it.

Jak  2009-08-21 21:09:41
The contents of the message is going to be a simple token (aka password), still I believe this could be exploitable by my competitors to make me lose money.
Alix Axel  2009-08-21 22:44:54
+2  A: 

You could do what Twitter does, which is have the user text you the token (rather than you texting it to them).

This will require you to find a provider that let's you receive texts for free (or close to it), but that might be easier.

Aaron Maenpaa  2009-08-24 12:54:11

related questions

Which XML structure is best suited for an all round API?
Testing SMS code without access to a texting plan
SMS Communication Through The Internet
How do you store cell phone numbers in a database?
View SMS in Windows Mobile via Managed Code
Incoming SMS - redirect to server via HTTP
Free SMS API
Developing applications for Nokia 5310
Which SMS aggregators also provide voicemail services?
Using Microsoft SMS Sender to send out smses in batch?
SMS alerting to respond to error situations faster
Using Microsoft SMS Sender to send out smses in batch?
RoR + SMS: Rails web app architecture to send/receive SMS?
SMS + Web app: Providers of SMS "Long codes" for use by U.S. carrier subscribers within U.S.?
Is there a PHP security framework that protects phone numbers as well as passwords?
Are there any MVC web frameworks that support multiple request types?
What is the best way to handle incoming SMS messages?
Text message receiving API - UK and USA
What can you use to get an application to be able to receive SMS message?
How do you handle unsolicited responses (like incoming calls) when handling sms with a gsm modem
How do we get arround Apple's decission to skip sms templates for iPhone?
ASP.NET and sending SMS/making phone calls
'Reliable' SMS Unicode & GSM Encoding in PHP
How to programmatically send SMS on the iPhone?
Programmatic SMS