Mobile phone verification code login: principle, risks and countermeasures

Date: 2022-5-11

Login by mobile phone verification code is a common application login method: it is simple and convenient and does not require memorizing a password. Almost every app on the market supports it. Many applications also merge registration and login, so both are completed in one step, which saves users a lot of trouble. With one phone in hand, the whole world is within reach.

Login principle

The principle of mobile phone verification code login is very simple. The normal login flow is shown in the following figure:

[Figure: normal verification code login flow]

In practice there are cases where the verification code is never received. The possible reasons are as follows:

  • On the mobile phone side, the SMS is intercepted or deleted as spam by some software, or it cannot be received because the SIM card account is in arrears.

  • On the application server side, some SMS sending fails because of program errors or security control policies.

  • In the SMS platform or the telecom operator's system, sending fails because of a blacklist, keyword filtering, flow control, or some other technical reason.

To cope with undelivered SMS, systems add a function to resend the verification code. If the code still cannot be received after several resends, the system can fall back to uplink SMS or a voice verification code, both of which are variants of the SMS verification code.

  • Uplink SMS: the user sends a short string generated in advance by the system to an SMS number specified by the system. This proves that the user controls the specified mobile phone, and so authenticates the user's identity.

    [Figure: uplink SMS verification code]

  • Voice verification code: it can be initiated by the user, or pushed actively when the system receives a delivery receipt saying the SMS failed. The user's phone receives an automated voice call that reads out the verification code required for login.

Security risks and Countermeasures

The security risks of mobile phone verification codes are mainly malicious use and theft.

Because mobile phone verification codes are so widely used, the security risks discussed here are not limited to login; they may exist in any scenario that uses a verification code, and they are covered here for completeness. The countermeasures are mainly technical solutions that solve or reduce these risks from the perspective of the system developer.

SMS fraud

Fraudsters first obtain the user's mobile phone number, then impersonate a financial institution, a public utility or government department, or a relative or friend. They enter the user's number in the application to request a verification code, and then ask the user for the code that arrives. If the user is not careful, this can lead to financial loss.

[Figure: SMS fraud]

To address these problems, system developers can consider the following schemes:

  • State in the verification code message that staff will never ask for the code and that it must not be disclosed to anyone. In some special cases, however, people still ignore these warnings.

  • Track the user's usual login characteristics. If the device, IP, WiFi or region used when requesting the verification code is not one the user commonly uses, the system can immediately notify the user by SMS or voice that there may be a security risk and ask them to proceed with caution. The system can also raise the security level directly and require additional authentication, such as requesting the verification code again, entering a security code, scanning a fingerprint, face recognition, inserting a USB security key (U-shield), and so on.

There is also a more hidden form of fraud. The fraudster sends the user the address of a fake phishing website. When the user requests a verification code on the phishing site, the fraudster takes the user's mobile phone number to the real website and requests a code there, so the user receives a genuine verification code. Once the user enters that code on the phishing site, the fraudster can use it on the real website.

In this situation, the method of recognizing the user's usual login characteristics described above is still effective. In addition, the SMS platform and telecom operators have a responsibility to check SMS content. The SMS platform needs to verify the real identity of the sender, review the message content, and provide a dynamic flow control mechanism; this can filter out most fraudulent SMS.

In fact, telecom operators can identify the location of a mobile phone. If they provided a secure location authentication service, most verification code fraud could be solved as well. For example, when the front end submits the verification code for authentication, it could carry a location identifier provided by the telecom operator, and the application service provider could then ask the operator to verify that location. Of course, this is only a hypothesis; no such service exists in reality.

SMS attack

There are two possible scenarios for SMS attacks:

  • Users keep clicking the button on the front end to obtain a verification code, either because they are worried they will not receive it and lose patience waiting, or because they are maliciously sending codes to other people's mobile phone numbers.

  • The attacker calls the verification code sending interface directly and sends a large number of requests in a very short time, targeting one user or a group of users.

Such operations first of all waste SMS resources and cause losses to the application service provider; malicious attacks also flood innocent users with text messages, which amounts to harassment.

[Figure: SMS attack]

To deal with this problem, the following schemes can be considered:

  • Add other verification.

    Before obtaining the SMS verification code, the user must first pass another check, such as an image CAPTCHA, a slider CAPTCHA, or an arithmetic CAPTCHA. These raise the cost of triggering an SMS, slow down manual sending, and help prevent automated operation by bots.

  • Rate-limit the operation.

    For example, the countdown after sending an SMS verification code is common on the front end: after each request, the code can only be sent again after a number of seconds. But if the attacker finds the service interface that sends the verification code, the front-end logic no longer restricts him. Therefore the back end should apply the same strategy and control the request frequency by device ID, mobile phone number, IP, user, service type, and so on, as well as combinations of these. Application developers can also apply controls based on the characteristics of the sending results, such as the rate of invalid numbers: if there are too many invalid numbers, the phone numbers are probably being generated at random by a bot. On top of a single frequency limit, more time dimensions can be added, with different thresholds per minute, per hour and per day.

  • Provide users with an SMS unsubscribe entry.

    When users frequently receive verification code SMS they did not initiate, an unsubscribe entry lets them turn off SMS verification codes for a short time. During that period the application service can ignore requests to send verification codes to that user, or simply remove the entry point for sending the verification code.

However, such controls should be designed so that they affect users' normal business operations as little as possible; otherwise the loss outweighs the gain.

  • For example, the image CAPTCHA should not be too hard. After all, most businesses are not 12306 (China's railway ticketing site); copying its approach may be self-defeating.

  • As another example, for rate limiting, assume that normal users generally operate only at certain times of the day rather than around the clock. Then each mobile phone number can be sent at most X codes per hour and Y codes per day, and the two values should satisfy X > Y.

  • For serious attacks, a circuit breaker mechanism should be set up, and availability has to be sacrificed at that point. For example, if a large number of verification code requests for different mobile phone numbers pour in within a short time, the service is probably under a DDoS attack. With limited resources, normal users' operations will be affected anyway, so a global rate limit can be relied on: when it is triggered, the verification code service is closed directly for a period of time.
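The back-end rate limiting and global circuit breaker described above, as an added example that is not the article's own code. It keys sliding-window counters on phone number, IP and device ID with minute/hour/day thresholds and closes the service for a cooldown once the global limit trips; all thresholds are constructed for illustration, and a real deployment would keep the counters in a shared store such as Redis rather than process memory.

```python
import time
from collections import defaultdict, deque

# Per-dimension limits as (window_seconds, max_sends); values are assumptions.
LIMITS = {
    "phone":  [(60, 1), (3600, 5), (86400, 20)],
    "ip":     [(60, 10), (3600, 100)],
    "device": [(60, 3), (86400, 30)],
}


class SmsRateLimiter:
    def __init__(self, now=time.time, global_limit=(60, 1000), cooldown=300):
        self.now = now                     # injectable clock for testing
        self.global_limit = global_limit   # (window, max) across all users
        self.cooldown = cooldown           # seconds the service stays closed
        self.events = defaultdict(deque)   # key -> timestamps of accepted sends
        self.closed_until = 0.0

    def _count(self, key, window, t, keep):
        q = self.events[key]
        while q and q[0] <= t - keep:      # prune only beyond the largest window
            q.popleft()
        return sum(1 for ts in q if ts > t - window)

    def check(self, phone, ip, device_id):
        """Return (allowed, reason); only allowed sends are recorded."""
        t = self.now()
        if t < self.closed_until:
            return False, "service_closed"
        win, limit = self.global_limit
        if self._count("global", win, t, win) >= limit:
            self.closed_until = t + self.cooldown   # trip the circuit breaker
            return False, "service_closed"
        dims = (("phone", phone), ("ip", ip), ("device", device_id))
        for dim, value in dims:
            keep = max(w for w, _ in LIMITS[dim])
            for win, limit in LIMITS[dim]:
                if self._count(f"{dim}:{value}", win, t, keep) >= limit:
                    return False, f"{dim}_limit_{win}s"
        for key in ["global"] + [f"{d}:{v}" for d, v in dims]:
            self.events[key].append(t)
        return True, "ok"
```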

Network eavesdropping

Suppose the user receives the login verification code, enters it correctly, and submits it to the server for verification. On the way from the mobile phone to the server the request passes through many network devices and server systems, and the submitted login content may be intercepted. The attacker can then block the request and log in with the user's mobile phone number and verification code.

[Figure: network eavesdropping]

The usual answer is to encrypt the network transmission. For example, the commonly used HTTPS ensures that content transmitted between the two ends is protected from eavesdropping. For transport security this is generally enough.

However, HTTPS is not a silver bullet. If an attacker secretly installs his own certificate on the client and proxies the network requests through his own machine before forwarding them to the target address, he can still read the request content. If you want to see this in action, try Fiddler. There is also the possibility of an HTTPS certificate being mis-issued: if a certificate for someone else's domain is issued to the attacker, the secure transmission becomes meaningless.

[Figure: HTTPS man-in-the-middle interception]

For higher security, the transmitted content can also be encrypted and decrypted in the application itself. The client encrypts the data according to a scheme agreed with the server and then sends it over the network; an attacker who intercepts it cannot read the data without an effective means of decryption. The key point is that the key must be kept secure and must not be stolen or replaced; it can be delivered through another secure channel or even offline. For the verification code, which is used only for verification, a salted slow hash can also be applied before transmission, so that even if the attacker obtains the transmitted content it is very difficult to recover the code.

Local eavesdropping

If malicious or unofficial software is installed on the system, especially on a pirated system or a rooted or jailbroken phone, an attacker can easily intercept and steal the SMS verification code. At the same time, the encryption and decryption used against network eavesdropping may also stop working, because the software itself is no longer trusted and it is hard to tell whether something fishy is happening between operations.

In recent years, a concept called the trusted execution environment (TEE) has been introduced into mobile devices. It is independent of the operating system and runs applications in isolation; some implementations even have separate processors and storage, which are difficult to enter and crack from outside. Key operations are encapsulated there, such as fingerprint capture, enrollment and authentication, key generation and use, and decoding and display of copyrighted video. If the processing of SMS verification codes were also placed there, it would undoubtedly be much safer, but many communication problems would have to be solved and the benefit might not be proportional to the cost. This technology is rarely seen on desktop computers, perhaps because the desktop environment already has a relatively mature security system, but it should not be difficult to migrate from mobile.

SMS sniffing

SMS sniffing is also a kind of eavesdropping, but it attacks the telecom network communication itself.

Mobile phones now generally use 4G and 5G networks, but "SMS sniffing" targets only 2G networks. Criminals suppress the base station signal with special equipment, choose places with poor network quality, or use a 4G pseudo base station to deceive the phone, causing the network to downgrade from 3G or 4G to 2G.

In a 2G network, only the base station authenticates the mobile phone; the phone cannot authenticate the base station. The attacker can set up a pseudo base station that the target phone connects to and obtain some of its connection authentication information. He can then impersonate the target phone to connect to the real base station and call another phone he controls, obtaining the target's mobile phone number through caller ID.

The base station does not send directional signals to each individual phone; it broadcasts to its surroundings, so every phone can in fact receive the signals meant for other phones. The 2G network does not encrypt the data, and SMS content is transmitted in clear text, so the SMS of the target phone can be sniffed. In addition, the 2G communication protocol is open, so the technical threshold is not high.

[Figure: SMS sniffing principle]

Because this attack requires that the mobile phone does not move (if the base station changes, the attack fails), it is generally carried out in the dead of night. Ordinary users can turn the phone off or enable flight mode while sleeping. Enabling VoLTE lets both calls and text messages go over 4G channels, but a network downgrade is difficult to prevent. They can also buy a phone that can identify pseudo base stations, although there is no guarantee of 100% detection. Otherwise they can only wait for the mobile operator to shut down the 2G network.

Application system developers should recognize that the communication channel is insecure and, when necessary, enable two-factor verification. Besides the SMS verification code, a variety of secondary verification methods can be used, such as uplink SMS verification, voice call delivery, a dedicated password, common device binding, biometric recognition, dynamic selection of the authentication method, and so on.

Replay attack

Suppose some transaction service verifies the user's identity with an SMS verification code. If an attacker intercepts the transaction request message and sends it to the server many times, and the server only checks whether the verification code is correct, multiple transactions may actually take place. The attacker does not even need to decrypt the transmitted content.

[Figure: replay attack]

The verification code should therefore be limited to a single use. When the server receives the transaction request, it should first check the verification code, mark it as used or delete it once the check passes, and only then process the transaction. Whether or not the transaction succeeds, the verification code must not be usable again. In addition, a short validity period should be set when generating the code: if the user never actually submits it, the attacker must use it within that window, which increases the difficulty of the attack.

Of course, a more general anti-replay scheme can also be used. For example, each request first obtains a random number (nonce) from the back end; if the random number has already been used it cannot be used again, and if it does not exist the request is not processed. The random number can also be generated on the front end, and the server rejects any request whose random number it has seen before; in that case the random number must be protected from tampering in transit, which can be done by signing it with a key.
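The single-use verification code with a short validity period, together with the server-issued nonce consumed on first use, as an added example that is not the article's own code. The TTL is an assumption, and the in-process dict and set stand in for a shared store with atomic delete.

```python
# Added example: one-time SMS verification code plus a server-issued nonce,
# so a captured transaction request cannot be replayed. TTL is an assumption.
import hmac, secrets, time

CODE_TTL = 300   # seconds a code stays valid (assumption)


class VerificationStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock for testing
        self.codes = {}         # phone -> (code, expires_at)
        self.nonces = set()     # issued to clients, removed on first use

    def issue_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = (code, self.now() + CODE_TTL)
        return code             # goes to the SMS gateway, never back to the client

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def consume_nonce(self, nonce):
        # True exactly once per issued nonce; a replayed request fails here
        if nonce not in self.nonces:
            return False
        self.nonces.remove(nonce)
        return True

    def consume_code(self, phone, submitted):
        # Check the code; on success it is deleted so it cannot be reused
        entry = self.codes.get(phone)
        if entry is None:
            return False
        code, expires_at = entry
        if self.now() > expires_at:
            del self.codes[phone]   # expired codes are discarded
            return False
        if not hmac.compare_digest(code, submitted):   # constant-time compare
            return False
        del self.codes[phone]       # single use, whatever the transaction outcome
        return True


def handle_transaction(store, request):
    """Verify nonce and code before any business logic runs."""
    if not store.consume_nonce(request["nonce"]):
        return "rejected: replayed or unknown nonce"
    if not store.consume_code(request["phone"], request["code"]):
        return "rejected: invalid or expired code"
    return f"processed: transfer of {request['amount']}"
```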


That is the main content of this article. My knowledge is limited; if there are mistakes or omissions, please point them out.

For more architecture knowledge, please follow the official account Firefly Architecture (萤火架构). This is original content; please credit the source when reprinting.