
I am implementing an SMS registration system for my Django project. Like WhatsApp or Telegram messenger, users can register and log in just with a mobile number and an OTP code.

But I found a problem in my application.

When a user enters his number, my app sends an OTP to the user via SMS. He can't request a new OTP via SMS in less than 3 minutes, and a user can request a total of 10 OTPs via SMS in a day. But if a hacker writes a bot to enter different mobile numbers, my app can't detect that.

For example, a bot that has a dictionary of 10000 mobile numbers enters these numbers one by one. My app just sends an OTP via SMS to 10000 different mobile numbers, and I will have to pay a lot of money to my SMS service provider.

How can I prevent this problem? How do messengers like WhatsApp solve this problem?

Alex Mercer

1 Answer


There are multiple things that you could do to prevent bot spamming. You could use a captcha like reCAPTCHA from Google, or if you don't want any visible input you could take a look at the honeypot approach (add a field hidden from normal users by CSS/JS that bots will fill; if that input is filled, ignore the form).

Another thing you could do is add a rate limit on the register/login page; there is a Django app that provides this: https://github.com/jsocol/django-ratelimit.

Krukas
  • Thanks Krukas. Are these ways only for web apps? Is there a specific way when the clients are Android/iOS apps and I use Token authentication of DRF? Or should I use captcha, rate limiting and ... for mobile apps too? – Alex Mercer Jun 17 '19 at 16:43
  • DRF has default support for rate limiting (https://www.django-rest-framework.org/api-guide/throttling/). And if you are worried about monitoring, you can send notifications and maybe actively block IPs. But if you are not a big player I wouldn't worry much about bots. – Krukas Jun 17 '19 at 18:18
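A worked example of the rate limiting the answer recommends, added here for illustration; it is not code from the thread, from django-ratelimit, or from DRF. The poster's existing limits (3-minute cooldown, 10 per day) are keyed only on the phone number, so a bot cycling through a list of numbers never trips them. The example adds the two keys that actually bound spend: a per-client-IP limit and a global daily SMS budget, plus the honeypot check from the answer. It is plain Python (no Django) so it runs stand-alone; the per-IP limit of 5/hour and the global budget of 1000/day are assumed numbers, not values from the page.

```python
"""Added example: multi-key throttle for an OTP-over-SMS endpoint.

Not the original poster's code and not django-ratelimit/DRF; it shows in
plain Python what those libraries do per key. The per-IP and global
limits are illustrative assumptions.
"""
import time
from bisect import bisect_right
from collections import defaultdict

DAY = 86_400
HOUR = 3_600


class OtpThrottle:
    """Decide whether an OTP SMS may be sent, keyed on number, IP and a global budget."""

    def __init__(self, *, number_cooldown=3 * 60, number_per_day=10,
                 ip_per_hour=5, global_per_day=1000, clock=time.monotonic):
        self.number_cooldown = number_cooldown   # from the question: 3 minutes
        self.number_per_day = number_per_day     # from the question: 10/day
        self.ip_per_hour = ip_per_hour           # assumed: bounds one bot host
        self.global_per_day = global_per_day     # assumed: caps total SMS spend
        self._clock = clock
        self._events = defaultdict(list)         # key -> ascending send timestamps

    def _recent(self, key, window, now):
        """Count sends for `key` in the last `window` seconds (prunes >1 day old)."""
        q = self._events[key]
        del q[:bisect_right(q, now - DAY)]
        return len(q) - bisect_right(q, now - window)

    def check(self, phone, ip, honeypot=""):
        """Return (allowed, reason) without recording anything."""
        now = self._clock()
        if honeypot:                              # hidden field filled in: a bot
            return False, "honeypot"
        if self._recent("num:" + phone, self.number_cooldown, now):
            return False, "number_cooldown"
        if self._recent("num:" + phone, DAY, now) >= self.number_per_day:
            return False, "number_daily"
        if self._recent("ip:" + ip, HOUR, now) >= self.ip_per_hour:
            return False, "ip_hourly"
        if self._recent("global", DAY, now) >= self.global_per_day:
            return False, "global_budget"         # stop paying even if IPs rotate
        return True, "ok"

    def record(self, phone, ip):
        """Call once the SMS has actually been handed to the provider."""
        now = self._clock()
        for key in ("num:" + phone, "ip:" + ip, "global"):
            self._events[key].append(now)

    def request_otp(self, phone, ip, honeypot=""):
        """What the view does: check, then (simulated) send and record."""
        allowed, reason = self.check(phone, ip, honeypot)
        if allowed:
            self.record(phone, ip)                # a real view calls the SMS API here
        return allowed, reason


class FakeClock:
    """Controllable clock so the simulation runs instantly and deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_bot(throttle, numbers, ip_for):
    """Feed a dictionary of numbers through the endpoint; return how many SMS got sent."""
    return sum(1 for i, n in enumerate(numbers) if throttle.request_otp(n, ip_for(i))[0])


if __name__ == "__main__":
    numbers = [f"+1555{i:07d}" for i in range(10_000)]   # constructed sample list
    clock = FakeClock()
    print("bot from one IP sent:", simulate_bot(OtpThrottle(clock=clock), numbers,
                                                 lambda i: "203.0.113.9"))            # 5
    print("bot from 10000 IPs sent:", simulate_bot(OtpThrottle(clock=clock), numbers,
                                                    lambda i: f"10.0.{i // 256}.{i % 256}"))  # 1000
```

The two simulated runs show the point of layering keys: the original per-number rules alone would let both bots send all 10000 messages, the per-IP key stops the single-host bot at 5, and the global budget stops a distributed bot at the daily spend you are willing to absorb. In a real deployment the timestamp store would live in Django's cache (Redis/Memcached) rather than a process-local dict, which is exactly what django-ratelimit and DRF's throttle classes do for you, and the IP should be taken from the connection or a trusted proxy header, not from the request body.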