Why is the "SMS bomber", a tool for harassment by verification code, so rampant?


  SMS verification codes exist to verify identity during app registration and website login, but they have become an accomplice in harassing mobile phone users.

  Recently, this newspaper has received many complaints from users whose mobile phones suddenly "went haywire": without any action on their part, they receive several verification-code messages every minute for registrations made with their mobile phone numbers, and can receive hundreds of such messages a day, which is extremely disturbing.

  What exactly is going on here? The all-media reporter of Hubei Daily conducted an investigation.

  A man in Wuhan receives more than 30,000 harassment verification codes every month.

  On July 17th, Ms. Yin told reporters that from 17:00 to 18:30 that day, her mobile phone suddenly received more than 40 SMS verification codes, all from sender numbers starting with "106". The platforms sending the messages were all legitimate organizations, including Alipay, Tencent Technology, Gaode Map, Dianping, Sina News, Ele.me, Alibaba, Meituan.com, Tuniu Travel Network, 58 Tongcheng and Baiguoyuan.

  "I hadn’t gotten off work at that time, I had no time to play with my phone at all, and there were a lot of logins in a short time. This is by no means my own doing." Ms. Yin said she suspected that she was being maliciously harassed.

  Following up on the problem Ms. Yin reported, the reporter consulted Hubei Mobile Company and learned that this was a malicious attack by the hacker program "SMS bomber". This kind of software uses the "send mobile phone verification code" interface of websites or apps to make a large number of websites send multiple verification-code messages to the same mobile phone number. The most powerful "SMS bomber" can send more than 100 SMS messages to the same mobile phone number in one minute.

  Background records from Hubei Mobile Company’s 10086 customer service platform show that recently a male user’s mobile phone in Wuhan received more than 30,000 SMS messages for registration or password retrieval, and the user sometimes had no choice but to turn the phone off.

  It is not uncommon for criminals to harass people maliciously with spam messages. A few years ago, mobile phone users in Zhejiang and Guangdong were targeted with retaliatory spam messages for giving "bad reviews" to merchants when shopping online. After receiving the report, the public security organs uncovered the black-market interest chain behind the "SMS bomber" and arrested the people involved.

  Nowadays, although openly advertised "SMS bombing" software has disappeared from the Internet, many click-farming tools for inflating likes, positive reviews and follower counts include an SMS bombing function. In a software forum, the reporter downloaded a variety of small programs for registering and verifying user accounts on Taobao, Sina, Momo and other websites. These programs all have functions for automatically copying mobile phone numbers, automatically copying short messages, and automatically obtaining verification codes every 5 seconds.

  A website maintenance engineer told reporters that for professionals it is very simple to make an "SMS bomber" program. By collecting the SMS verification code interface links of a massive number of websites and repeatedly sending normal verification-code requests, such as user registration and password modification, for the designated mobile phone number, the purpose of harassment can be achieved.

  With no better option, operators can only suspend the user’s verification SMS reception function.

  For advertising spam messages, communication operators in our province already have countermeasures.

  According to data from the Provincial Communications Administration, the problem of spam messages began to surface in our province in 2007. Subsequently, at the request of the competent authorities, the operators raised the price of advertising and marketing short messages from the original 3 to 5 cents each to 0.1 yuan each, and set technical thresholds such as a limit on the number of short messages sent per hour (no more than 500).

  Since 2015, operators have cooperated with Tencent, 360 and other enterprises to establish a spam message interception system. Through correlation analysis of keywords, polyphonic words, homophonic words and special symbols, the sources of such short messages are blacklisted so that spam messages are intercepted automatically. In the first half of this year, the advertising and marketing SMS business volume in our province dropped by more than 20% year-on-year.

  A technical expert at Hubei Mobile Company said that advertising spam messages can be dealt with step by step through price leverage and technical means, but verification-code messages basically come from platforms (Weibo, Alipay, etc.) on the "white list" monitored by operators, so it is difficult for operators to tell whether a message to a user’s mobile phone results from normal login verification or from malicious harassment by criminals using "SMS bombers".

  Unable to bear it any longer, Ms. Yin made inquiries and then sent the text message "502" to 10086. Once the "SMS bomb protection function" was activated, the harassment by verification-code SMS stopped. However, this protection function is a "double-edged sword": it is equivalent to the operator turning off the user’s verification SMS reception function, which affects the user’s normal use of verification codes for things such as bank transactions and e-commerce shopping.

  "At present, there is no effective interception method in the industry." Technical experts from Hubei Telecom Company said that it is impossible for the operator’s server to be attacked by "SMS bombers". Users who are harassed like Ms. Yin are generally affected because their mobile phone numbers were leaked and then used illegally by criminals. Without the user’s permission, operators dare not turn off the user’s SMS receiving function on their own authority.

  Strengthen port control: a verification code protection system urgently needs to be established.

  Experts from the Provincial Communications Administration believe that, to prevent "SMS bomber" attacks, the experience of intercepting harassing calls can be borrowed: use big data to identify characteristic features, proactively mark abnormal login and registration behavior involving the affected mobile phone number, and then have the system apply machine or manual intervention according to the interception standard.

  At present, the "harassing phone early warning system" can monitor users’ call behavior. When a number is found to have more than 100 calls in one hour, most of them shorter than 10 seconds, the system can analyze it intelligently and build a database of harassing phone numbers on its own, enabling active interception by the system. "The difficulty now is to determine the standard, such as how many verification codes a mobile phone number must receive per unit of time to count as harassment, which requires the cooperation of industry authorities and operators. At present, the company has started special technical research," the technical staff of Hubei Mobile Company revealed.
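  The same sliding-window idea applied to verification codes, as an added example that is not part of the original article: it flags a recipient number that receives many verification messages from many different whitelisted platforms within one hour. The thresholds, placeholder numbers and platform names are assumptions, since the article states that no standard has been set.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration only; the article says no standard exists yet.
WINDOW_SECONDS = 3600       # one hour, mirroring the harassing-call system's window
MAX_MESSAGES = 30           # verification SMS to one number within the window
MIN_DISTINCT_SENDERS = 8    # different whitelisted platforms within the window


def flag_bombed_numbers(records, window=WINDOW_SECONDS,
                        max_messages=MAX_MESSAGES,
                        min_senders=MIN_DISTINCT_SENDERS):
    """Return {recipient: timestamp when both thresholds were first crossed}.

    records: iterable of (epoch_seconds, sender_platform, recipient).
    """
    recent = defaultdict(deque)   # recipient -> (timestamp, sender) inside the window
    flagged = {}
    for ts, sender, recipient in sorted(records):
        q = recent[recipient]
        q.append((ts, sender))
        while q[0][0] <= ts - window:      # drop messages older than the window
            q.popleft()
        if recipient in flagged:
            continue
        if len(q) >= max_messages and len({s for _, s in q}) >= min_senders:
            flagged[recipient] = ts
    return flagged


def constructed_log():
    """Constructed sample data: placeholder numbers and platform names."""
    victim, normal = "NUMBER-A", "NUMBER-B"
    platforms = [f"platform-{i}" for i in range(11)]
    # 45 codes in 90 minutes from 11 rotating platforms (the pattern Ms. Yin describes)
    log = [(i * 120, platforms[i % 11], victim) for i in range(45)]
    # An ordinary user retrying a login three times on a single platform
    log += [(600, "platform-0", normal), (660, "platform-0", normal),
            (720, "platform-0", normal)]
    return log


if __name__ == "__main__":
    for number, ts in flag_bombed_numbers(constructed_log()).items():
        print(f"{number} flagged at t={ts}s")
```

  Requiring several distinct senders keeps a single user's repeated login retries on one platform from being flagged, which is the distinction the operators say they cannot draw from one whitelisted sender alone.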

  A technical expert from Wuhan Jiyi Network Technology Co., Ltd., which develops verification code products, told the reporter that apps and websites in China currently send 100 billion to 200 billion SMS verification codes each year. Although users who receive the short messages do not have to pay, the operating companies of these apps and websites pay the communication operators 3 cents to 5 cents for each one. If an "SMS bomber" maliciously triggers verification codes, it not only harasses users but also increases enterprises’ unnecessary tariff expenses. It is suggested that the operating companies of apps and websites strengthen port control, add "secondary verification" such as numbers, pictures and behaviors before a user can enter a mobile phone number and have a verification code sent, limit the number of requests and of verification messages sent per IP address, and add a security lock. (Hubei Daily all-media reporter Liu Tianzong, trainee reporter Zuo Chen, intern Zhan Lingqi)
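  One way a website could gate its "send verification code" interface along the lines suggested above, as an added example that is not from the article or any named platform: secondary verification is checked first, then a per-IP limit, then limits per recipient number. The class name, limit values and the per-number cooldown and daily cap are assumptions.

```python
from collections import defaultdict, deque

DAY = 86400


class SendCodeGate:
    """Decides whether a 'send verification code' request may trigger an SMS."""

    def __init__(self, ip_limit=5, ip_window=3600,
                 number_cooldown=60, number_daily_cap=10):
        # All limits are assumed values for illustration, not figures
        # from the article.
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.number_cooldown = number_cooldown
        self.number_daily_cap = number_daily_cap
        self._sent_by_ip = defaultdict(deque)       # ip -> send timestamps
        self._sent_to_number = defaultdict(deque)   # phone -> send timestamps

    @staticmethod
    def _prune(q, now, window):
        while q and q[0] <= now - window:
            q.popleft()

    def check(self, phone, ip, captcha_passed, now):
        """Return (allowed, reason); record the send only when allowed."""
        if not captcha_passed:                      # secondary verification first
            return False, "captcha_required"
        ip_q, num_q = self._sent_by_ip[ip], self._sent_to_number[phone]
        self._prune(ip_q, now, self.ip_window)
        self._prune(num_q, now, DAY)
        if len(ip_q) >= self.ip_limit:              # one IP, many requests
            return False, "ip_rate_limited"
        if num_q and now - num_q[-1] < self.number_cooldown:
            return False, "number_cooldown"         # same number, too soon
        if len(num_q) >= self.number_daily_cap:     # same number, too many per day
            return False, "number_daily_cap"
        ip_q.append(now)
        num_q.append(now)
        return True, "sent"


if __name__ == "__main__":
    gate = SendCodeGate()
    # Constructed requests: documentation-range IP, placeholder phone numbers.
    for t in range(0, 70, 10):
        print(t, gate.check(f"NUMBER-{t}", "192.0.2.10", True, now=t))
```

  A gate like this only limits what one site contributes; it does not stop a number from receiving codes from many other sites at once.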
