On our site, we are receiving lots of fake login attempts to random users. Because of this, users are getting OTP SMS and we are incurring SMS costs. The login is not attempted by the same user but by a bot.
The IPs are different in all these calls but the user-agent is the same. So, whenever we have this issue we block the user-agent in Cloudflare.
Do you have any solution around protecting websites from fake login attempts?
Typically you wouldn’t send an SMS unless the username and password are validated. If this is the case, a strong password policy and a rotation of all passwords will help.
If you are sending SMS without a valid password, consider not doing that.
We are in the B2C business. All these users are new users to our platform.
Signups with an SMS verification?
If so, then things are a lot more complicated. I’d look into hCaptcha, or other techniques to increase the man-hour cost of abusing the signup form. You might also consider verifying their email address before sending an SMS.
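The "verify the email before sending an SMS" suggestion above, sketched server-side as an added example (not code from any poster in this thread): an OTP SMS is only sent when the request carries a signed token proving the email link was followed, and each number is throttled. The names `SmsGate`, `make_email_token`, the limits and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: in practice load from a secret store
TOKEN_TTL = 900       # seconds an email verification token stays valid
SMS_COOLDOWN = 60     # minimum seconds between SMS to one number
SMS_DAILY_CAP = 5     # maximum SMS per number per 24 hours

def _sign(email, phone, expires):
    # Bind the token to both the email and the phone number being registered.
    msg = f"{email}\n{phone}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_email_token(email, phone, now):
    """Token placed in the verification link mailed to the user."""
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_sign(email, phone, expires)}"

def email_token_valid(token, email, phone, now):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    expected = _sign(email, phone, expires)
    # Constant-time comparison, then expiry check.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now <= expires

class SmsGate:
    """Decides whether an OTP SMS may be sent (hypothetical helper)."""
    def __init__(self):
        self.sent = {}  # phone -> send timestamps; assumption: shared store in production

    def may_send(self, token, email, phone, now):
        if not email_token_valid(token, email, phone, now):
            return False, "email not verified"
        recent = [t for t in self.sent.get(phone, []) if now - t < 86400]
        if recent and now - recent[-1] < SMS_COOLDOWN:
            return False, "cooldown"
        if len(recent) >= SMS_DAILY_CAP:
            return False, "daily cap"
        recent.append(now)
        self.sent[phone] = recent
        return True, "send"
```

Because the token is bound to the phone number, a bot cannot reuse one verified email to trigger SMS to arbitrary numbers, and the per-number cap bounds the SMS cost of any single target.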