OTP flood attacks
How to prevent and stop OTP flood attacks
In an increasingly interconnected world, businesses and developers rely on telecommunication services to interact with their customers. These productivity tools, however, can give attackers a means to cause financial harm to a business, so it is important to implement measures within your applications that mitigate or prevent such attacks.
Most modern applications implement one-time passwords (OTP) to verify users accessing their systems. However, attackers can abuse this function with the intent of causing financial harm to a business: an attacker may generate random numbers and use software to simulate legitimate sign-up or login attempts, which can result in thousands of messages being sent to fake numbers.
This type of attack is called SMS pumping, or an OTP flood attack. The attacker abuses the phone number field in order to receive OTP codes; the main goal of this type of attack is to receive a share of the communication revenue (between the sender and receiver) by sending a flood of SMS messages to a large pool of numbers from a specific mobile network operator (MNO). The attackers make money by diverting traffic from a customer's ClickSend account to a distant destination country and eventually draining the account balance. As a result, the customer may see a drastic drop in available balance and messages to unknown destinations in their Message Logs.
There are measures that you can take to prevent this kind of attack.
- Review your account SMS geographic permissions and disable all countries that you do not plan to send messages to via Global Sending
- Implement a basic anti-flooding system in your app (for example, make sure your app will not send more than 1 message per X minutes to the same mobile number range).
- Detect when repeat actors are using your platform to make requests.
- Incorporate CAPTCHA or any sort of challenge-response test to determine whether your users are human and not bots. This adds a bit of friction and slows down fraudsters who spam your SMS verification workflow.
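The following is an added example (not code from the original article or from any SMS provider) showing how the first three measures above can be enforced in application code before an OTP is handed to the SMS gateway: a destination-country allow-list, a per-number-range rate limit, and a per-actor request cap for spotting repeat actors. The country codes, prefix length, window and thresholds are assumptions you would tune for your own traffic.

```python
import time
from collections import defaultdict, deque


class OtpSendGuard:
    """Decide whether an OTP SMS to `number` may be sent.

    Checks, in order: destination country allow-list, per-actor request cap
    (repeat-actor detection) and per-number-range rate limit. All thresholds
    below are assumed defaults, not values from any provider.
    """

    def __init__(self, allowed_country_codes, range_prefix_len=7,
                 window_seconds=600, max_per_range=1, max_per_actor=5,
                 clock=time.time):
        self.allowed = set(allowed_country_codes)   # e.g. {"1", "44"}
        self.prefix_len = range_prefix_len          # digits that define a "number range"
        self.window = window_seconds                # the "X minutes" from the article
        self.max_per_range = max_per_range          # messages per range per window
        self.max_per_actor = max_per_actor          # OTP requests per actor per window
        self.clock = clock                          # injectable for deterministic tests
        self.range_sends = defaultdict(deque)       # prefix -> send timestamps
        self.actor_requests = defaultdict(deque)    # actor id (e.g. client IP) -> timestamps

    def _prune(self, dq, now):
        # Drop timestamps that have fallen outside the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def check(self, number, actor):
        """Return (allowed, reason). Only send the OTP when allowed is True."""
        digits = "".join(ch for ch in number if ch.isdigit())
        if not digits:
            return False, "invalid number"
        # Geographic permission: destination must start with an enabled country code.
        if not any(digits.startswith(cc) for cc in self.allowed):
            return False, "destination country not enabled"
        now = self.clock()
        actor_dq = self.actor_requests[actor]
        self._prune(actor_dq, now)
        actor_dq.append(now)  # count the request even if it is later refused
        if len(actor_dq) > self.max_per_actor:
            return False, "repeat actor: too many OTP requests in window"
        prefix = digits[: self.prefix_len]
        range_dq = self.range_sends[prefix]
        self._prune(range_dq, now)
        if len(range_dq) >= self.max_per_range:
            return False, f"rate limit: number range {prefix} already served in window"
        range_dq.append(now)
        return True, "ok"
```

Log the refusal reason alongside the actor and destination so that a burst of "rate limit" or "destination country not enabled" refusals shows up in your monitoring as an early sign of a pumping attempt.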