

Thousands of login requests in a few days - hackers? - kuasha

It seems someone wrote an application to generate many thousands of authentication requests to the authentication service we created. They used some phone numbers to verify accounts that seem temporary (acquired from a VoIP service). This seems a little weird. Why would someone do that? He managed to make the system spend a small amount on making the calls, but that is probably what they spent to receive the phone calls.
======
Jhsto
Sometimes crackers do this to obtain accounts to your service or to reverse
engineer some of their already stolen accounts. Not much can be said since you
haven't specified the service in question.

You could add a CAPTCHA to your system and see if the bots struggle with it.
The next step would be to add CSRF protection that is not visible in the
DOM. Something like this is used on Instagram.

~~~
kuasha
Thanks. CAPTCHA/CSRF is not an option since it is meant to be an API called
from applications. As a precaution we make a phone call to verify the user. That
guy went through all the things and theoretically we can actually track him
down (costly though). I have blacklisted the phone; the question is how many phone
numbers he has :). Added a per-day free call limit to stop this for future
attempts.
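The per-day call limit and the phone blacklist described in this thread, as an added example (not code from the thread's author or their service). It assumes a per-number daily cap, a global daily call budget, and a denylist of numbers already seen abusing the flow; the limits and the sample request burst are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CallVerificationGuard:
    """Budget outbound phone-verification calls so an automated burst of
    requests cannot run up the telephony bill (assumed limits, not the thread's)."""
    per_number_daily_limit: int = 3      # calls one destination may receive per day
    global_daily_limit: int = 500        # calls the whole service places per day
    denylist: set[str] = field(default_factory=set)   # numbers already blacklisted
    _per_number: dict[tuple[str, str], int] = field(default_factory=dict)
    _global: dict[str, int] = field(default_factory=dict)

    @staticmethod
    def _day(now: datetime) -> str:
        # Buckets reset at UTC midnight; the caller supplies the clock for testability.
        return now.astimezone(timezone.utc).date().isoformat()

    def allow_call(self, number: str, now: datetime) -> tuple[bool, str]:
        """Decide whether to place a verification call; only allowed calls are counted."""
        if number in self.denylist:
            return False, "denylisted"
        day = self._day(now)
        if self._global.get(day, 0) >= self.global_daily_limit:
            return False, "global daily budget exhausted"
        key = (day, number)
        if self._per_number.get(key, 0) >= self.per_number_daily_limit:
            return False, "per-number daily limit reached"
        self._per_number[key] = self._per_number.get(key, 0) + 1
        self._global[day] = self._global.get(day, 0) + 1
        return True, "ok"


def simulate_burst(guard: CallVerificationGuard, numbers: list[str],
                   start: datetime, requests: int) -> dict[str, int]:
    """Replay a constructed burst: `requests` calls one second apart, rotating
    through `numbers` the way a script with a pool of VoIP numbers would."""
    outcome: dict[str, int] = {}
    for i in range(requests):
        _, reason = guard.allow_call(numbers[i % len(numbers)],
                                     start + timedelta(seconds=i))
        outcome[reason] = outcome.get(reason, 0) + 1
    return outcome


if __name__ == "__main__":
    g = CallVerificationGuard(denylist={"+15550000001"})
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(simulate_burst(g, ["+15550000001", "+15550000002", "+15550000003"], t0, 30))
```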

