I am coding a new website that will need users to enter their mobile number. The problem I am facing is that I need to make sure that the user actually owns (or, in this case, has access to) the mobile phone number.
The solution that I came up with is that when they submit the number, I send them an SMS with a token and ask the user to enter the token on my website, like Google Calendar does. However, I have a small budget, and I need to make sure that user A does not submit 100,000 mobile numbers; if this happens, I will be out of business very quickly, since each SMS sent costs about $0.10.
So far I have come up with the following solutions:
- use a CAPTCHA (drives away some users and is still vulnerable to manual registrations)
- limit the number of tokens requested per IP address (dynamic IP addresses, proxies, etc.)
- limit the number of tokens sent to a given mobile number (the attacker can request tokens for every available number, and when a real user tries to request a legitimate token, his number will be blocked)
None of these solutions is perfect; how would you suggest I approach this problem?
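The three limits the question lists can be combined into a single gate in front of the SMS provider, with a hard daily spend cap as the last line of defence against the "100,000 numbers" scenario. The following is an added example, not code from the post; the $0.10 per SMS comes from the question, while the window sizes, per-key limits, daily budget, token length and attempt limit are assumed values to tune for a real deployment.

```python
import hmac, secrets, time
from collections import defaultdict, deque


class SmsVerificationGuard:
    """Gate outgoing verification SMS behind per-phone, per-IP and global budget limits."""
    def __init__(self, per_ip=5, per_phone=3, window_s=3600, daily_budget_usd=50.0,
                 cost_per_sms=0.10, token_ttl_s=600, max_attempts=5, now=time.time):
        self.limits = {"ip": per_ip, "phone": per_phone}
        self.window_s = window_s
        self.daily_cap = int(round(daily_budget_usd / cost_per_sms))  # max sends per day
        self.token_ttl_s, self.max_attempts, self.now = token_ttl_s, max_attempts, now
        self.history = defaultdict(deque)  # limiter key -> send timestamps (sliding window)
        self.pending = {}                  # phone -> [token, expiry, failed attempts]

    def _recent(self, key, window_s):
        """Drop timestamps older than the window and return how many remain."""
        q, cutoff = self.history[key], self.now() - window_s
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def request_token(self, ip, phone):
        """Return (allowed, reason, token); the global spend cap is checked first."""
        if self._recent("global", 86400) >= self.daily_cap:
            return False, "daily_budget_exhausted", None
        if self._recent(("ip", ip), self.window_s) >= self.limits["ip"]:
            return False, "ip_rate_limited", None
        if self._recent(("phone", phone), self.window_s) >= self.limits["phone"]:
            return False, "phone_rate_limited", None
        t = self.now()
        for key in ("global", ("ip", ip), ("phone", phone)):
            self.history[key].append(t)
        token = f"{secrets.randbelow(10**6):06d}"          # 6-digit one-time code
        self.pending[phone] = [token, t + self.token_ttl_s, 0]
        return True, "ok", token

    def verify(self, phone, submitted):
        """Constant-time compare; a token expires, is single-use and tolerates few guesses."""
        entry = self.pending.get(phone)
        if entry is None or self.now() > entry[1] or entry[2] >= self.max_attempts:
            self.pending.pop(phone, None)
            return False
        entry[2] += 1
        ok = hmac.compare_digest(entry[0], submitted)
        if ok:
            del self.pending[phone]
        return ok
```

Because the global cap is checked before the per-key limits, the worst an abuser can cost you is the configured daily budget, and legitimate users whose number was targeted are unblocked once the per-phone window slides past the abusive requests.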