Security measures
Attackers can try to exploit your SMS OTP integration in multiple ways. When your implementation is not secured appropriately, malicious actors can abuse the web forms that trigger SMS OTP messages and profit from your SMS messaging channels.
A common example is SMS pumping, a type of fraud attack in which malicious actors trigger high SMS traffic towards paid providers, profiting from your infrastructure and causing your organisation to incur additional costs.
To protect your integration and mitigate the risks of fraudulent behaviours, make sure that you implement the security measures described on this page.
The information on this page is for guidance only. Note that this is not a complete list of all security measures you should take, and it should not be taken as definitive advice.
Recommended actions
The most important security practices are to:
- Restrict sending SMS messages to countries outside of target markets.
- Rate limit sending to countries outside of target markets.
- Implement a sophisticated CAPTCHA, for example reCAPTCHA.
- Perform a manual or automatic review of SMS statistics per country.
- Apply countermeasures to every process that sends SMS, such as registration, login, user data updates, opt-out and more.
Note that you should apply these measures to your web forms or any other service on your side of the implementation.
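The first two recommended actions (restricting sends to target markets and rate limiting per country) can be enforced as a single pre-send gate in your own backend, before an OTP request ever reaches the messaging channel. The following is an added example, not code from the original page or from any provider SDK; the country prefix table, target markets and limits are constructed sample values.

```python
# Added example: a defender-side gate that an OTP endpoint calls before sending.
# It (1) refuses destinations outside the target markets and (2) applies a
# sliding-window rate limit per destination country. All values are constructed.
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Constructed prefix table: E.164 country calling code -> ISO country code.
# A real deployment would use a full numbering-plan library instead.
COUNTRY_PREFIXES = {"1": "US", "44": "GB", "49": "DE", "234": "NG", "880": "BD"}

TARGET_MARKETS = {"GB", "DE"}   # hypothetical markets the service operates in
PER_COUNTRY_LIMIT = 100         # max OTP sends per country per window
WINDOW_SECONDS = 600            # 10-minute sliding window


def country_of(msisdn: str) -> Optional[str]:
    """Map an E.164 number (+<country code><subscriber>) to a country, longest prefix first."""
    digits = msisdn.lstrip("+")
    if not digits.isdigit():
        return None
    for length in (3, 2, 1):
        code = COUNTRY_PREFIXES.get(digits[:length])
        if code:
            return code
    return None


class OtpSendGate:
    """Decides whether an OTP may be sent to a number; returns (allowed, reason)."""

    def __init__(self, limit: int = PER_COUNTRY_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._sends = defaultdict(deque)   # country -> timestamps of recent sends

    def check(self, msisdn: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        country = country_of(msisdn)
        if country is None:
            return False, "unparseable destination"
        if country not in TARGET_MARKETS:
            return False, f"{country} is outside target markets"
        recent = self._sends[country]
        while recent and now - recent[0] > self.window:   # drop expired entries
            recent.popleft()
        if len(recent) >= self.limit:
            return False, f"per-country rate limit reached for {country}"
        recent.append(now)
        return True, "ok"
```

Rejections from this gate are also the per-country statistics the page suggests reviewing, so log each (country, reason) pair rather than silently dropping the request.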
Measures known to be circumvented by attackers
Malicious actors may design their attacks to circumvent the security mitigations you put in place. Below, you can find known cases of measures that have proven ineffective:
- Limiting the number of requests per IP address.
  - Attackers use botnets to send from many different IPs.
- Blocking IPs or IP ranges.
  - Attackers use botnets to send from many different IPs.
- Blocking multiple SMS to the same MSISDN.
  - Attackers generate many random MSISDNs.
- Blocking SMS to many different MSISDNs from one IP address.
  - Attackers rotate different MSISDNs through different IPs.
- Using simple CAPTCHA solutions.
  - Attackers use text recognition or cheap labour to solve the CAPTCHA.
- Watching out for a high number of undelivered messages per country.
  - Attackers return fake delivery reports (DLRs).
Even though the measures above have proven ineffective, you should still prioritise fixing any identified vulnerabilities and follow security best practices.