Verification code anti-fraud


Verification code fraud occurs when an attacker exploits your SMS verification code API to send a large volume of messages to one or more phone numbers by repeatedly requesting codes. Alibaba Cloud Short Message Service provides a verification code anti-fraud monitoring feature to protect your funds, ensure business stability, and prevent verification code fraud or SMS bombing. Follow the measures in this article to strengthen your client-side defenses.

Important

This article contains important information. Overlooking these details may impact your business. Please read it carefully.

What is verification code fraud?

In identity verification scenarios such as user registration, logon, and password resets, SMS messages are a common method for sending one-time verification codes. During verification, the service provider sends a one-time code that the user must enter to confirm their identity. If your verification code system has insufficient defenses or security vulnerabilities, attackers can exploit it by using programs to send repeated requests for verification codes to one or more numbers in bulk. This activity is known as verification code fraud. The following are common characteristics of this type of attack:

  • Sudden spike in SMS volume: The number and frequency of sent messages increase dramatically, far exceeding normal business levels.

  • Sequential target phone numbers: For example, 133**1247, 133**1248, and 133**1249.

  • Concentrated attack requests: Requests originate from a small set of IP addresses, target sequential phone numbers, or occur within a specific time frame.

Impact of verification code fraud

Verification code fraud causes direct financial losses, harasses users who receive SMS bombing attacks, and creates security risks such as account hijacking and information theft. These issues can lead to decreased brand trust, privacy breaches, and other negative consequences.

  • Financial losses: SMS fraud generates a large volume of messages, resulting in significant costs for your business.

  • Business disruption: Responding to attacks, handling user complaints, and implementing security upgrades consume time and resources, distracting from core business operations.

  • Information leakage: Fraudulent messages are sent directly to individuals' phones. If an attacker obtains the verification code, it can lead to user privacy breaches and account hijacking.

  • Damaged brand trust: When users receive a flood of verification codes without initiating any action, it erodes their trust in your brand.

Recommended anti-fraud measures

You can effectively defend against most fraud attacks by increasing security awareness, continuously monitoring for anomalies, and enhancing your technical defenses. Implement multiple protective measures in your application, such as collecting request information to identify and block abnormal requests before they are processed. This prevents attackers from exploiting security vulnerabilities to send fraudulent messages in bulk. Additionally, you should configure verification code anti-fraud monitoring and an SMS sending frequency limit in the Short Message Service console to block messages that exceed normal sending volumes. If fraud occurs because these defenses are not in place, follow the stop-loss plan to take emergency action and implement these anti-fraud measures as soon as possible. The following protective measures are recommended:

Strengthen your application's defenses

Attackers primarily exploit SMS APIs on the client side, so strengthening your client-side security controls is critical. You cannot rely solely on server-side protections.

Increase verification complexity

Make the user verification process in your application more complex. For example, use a CAPTCHA. Users must solve the CAPTCHA before requesting a verification code. This helps distinguish between human users and bots, identify artificial traffic, and make fraud attacks more difficult. You can use the CAPTCHA feature of Phone Number Verification Service, which offers slide, point-and-click, and puzzle challenges. For more information, see CAPTCHA.

Use one-click logon

For mobile app logon or registration, use Phone Number Verification Service. This service integrates with carrier data gateways to enable fast, one-click logon without requiring an SMS verification code. This avoids exposing an SMS request API, which helps prevent bulk fraud attacks.

The one-click logon page displays the masked phone number of the current SIM card (for example, 151****6600) and states that China Mobile provides the authentication service. Users can click the one-click logon button to complete the logon process or choose to log on with a different phone number. Before logging on, users must agree to the China Mobile Terms of Service, the user agreement, and the privacy policy.

Alibaba Cloud also provides other authentication methods, such as integrated authentication. For more information, see What is Phone Number Verification Service? and Best practices for Phone Number Verification Service.

Limit abnormal client requests

Collect request characteristics in your application to identify and block abnormal, concentrated requests. To effectively defend against fraud attacks, implement the following measures:

  • Limit the frequency of verification code requests: Set a minimum interval between verification code requests, typically 60 seconds. After this period, users can request a new code.

  • Set an expiration time for verification codes: Define a validity period for verification codes. If a code is not used within this time, it expires, and the user must request a new one.

  • Limit requests by IP address: Identify the source IP address of requests and limit the frequency and volume of verification code requests from a single IP address to block abnormal traffic.

  • Limit requests by phone number: Identify the recipient phone number and limit the number and frequency of verification code requests for the same number.
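The four limits above, implemented together as an added example (not code from the page or from Alibaba Cloud): a small server-side guard that enforces a 60-second minimum interval, a code expiry, and per-phone and per-IP caps over a rolling hour before a request is ever passed to the SMS API. The class, its policy values and the `clock` parameter are all assumptions made for this illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Policy values are constructed for this example; tune them to your own traffic.
MIN_INTERVAL_S = 60        # minimum gap between two codes for the same number
CODE_TTL_S = 300           # a code expires five minutes after it is issued
PER_PHONE_HOURLY_MAX = 5   # codes one number may receive per rolling hour
PER_IP_HOURLY_MAX = 20     # codes one source IP may trigger per rolling hour
WINDOW_S = 3600            # length of the rolling window in seconds

class OtpRequestGuard:
    """Decides whether a verification-code request may be passed to the SMS API."""
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable for deterministic tests
        self.by_phone = defaultdict(deque)   # phone -> issue timestamps in window
        self.by_ip = defaultdict(deque)      # ip -> issue timestamps in window
        self.codes = {}                      # phone -> (code, expiry timestamp)

    def request_code(self, phone, ip):
        """Return (allowed, reason); when allowed, a fresh code is stored for verify()."""
        now = self.clock()
        pq, iq = self.by_phone[phone], self.by_ip[ip]
        for q in (pq, iq):                   # drop timestamps outside the window
            while q and now - q[0] >= WINDOW_S:
                q.popleft()
        if pq and now - pq[-1] < MIN_INTERVAL_S:
            return False, "too_soon"         # minimum interval between requests
        if len(pq) >= PER_PHONE_HOURLY_MAX:
            return False, "phone_limit"      # same number hit too often
        if len(iq) >= PER_IP_HOURLY_MAX:
            return False, "ip_limit"         # one source driving many requests
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[phone] = (code, now + CODE_TTL_S)
        pq.append(now)
        iq.append(now)
        return True, "sent"                  # a real service now calls the SMS API

    def verify(self, phone, submitted):
        """True once for the current unexpired code; wrong or stale codes fail."""
        now = self.clock()
        code, expiry = self.codes.get(phone, (None, 0.0))
        if now >= expiry:                    # missing or expired: request a new one
            self.codes.pop(phone, None)
            return False
        if secrets.compare_digest(code, submitted):
            del self.codes[phone]            # single use
            return True
        return False                         # production: also cap wrong attempts
```

The counters live in process memory here; behind more than one application instance they belong in a shared store such as Redis so that an attacker cannot dodge the caps by spreading requests across instances.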

Enable alerts in Short Message Service

Alibaba Cloud Short Message Service supports various alert settings. Add alert contacts and configure alerts. When an alert is triggered, the platform notifies the designated contacts so they can take immediate action.

  • Set alert contacts: Designate contacts to receive SMS alert notifications. When your message usage reaches a specified threshold, the platform sends an alert message to these contacts.

  • Enable verification code anti-fraud monitoring: Set monitoring and alert thresholds for domestic messages. When the alert threshold is reached, the platform sends an alert.

  • Set SMS sending volume alerts: Configure daily or monthly sending limits. When the number of sent messages reaches the alert threshold or quota limit, the platform sends an alert.

  • Set verification code SMS sending frequency: For domestic messages, you can set sending limits per minute, hour, or day for the same phone number. When a limit is reached, further messages are blocked.

  • Set international message sending thresholds: Configure daily or monthly sending limits for international messages. You can also set limits for specific countries or regions.

Enable verification code anti-fraud monitoring

The verification code anti-fraud monitoring feature is available only for messages sent to the Chinese mainland.

  1. Log on to the Short Message Service console and go to the General Settings > Domestic Messages > Security Settings page.

  2. Turn on the verification code anti-fraud monitoring switch.

  3. Click Modify Configuration, and then specify the Monitoring activation threshold and Alert trigger threshold.

    An anti-fraud alert is triggered when the number of verification code messages meets both the Monitoring activation threshold and the Alert trigger threshold. The system then sends an SMS message to the designated contacts.

    • Monitoring activation threshold: The number of verification code messages sent per hour.

    • Alert trigger threshold: The success rate of verification code messages in the current hour and the percentage increase in message volume compared to the same hour on the previous day.

    Example: Assume a company sets the Monitoring activation threshold to 1,000 messages. For the Alert trigger threshold, it sets the success rate to below 80% and the growth rate to above 50%. An anti-fraud alert is triggered if all three conditions are met in a given hour: more than 1,000 verification code messages are sent, the success rate is below 80%, and the message volume has increased by more than 50% compared to the same hour on the previous day. The system then sends an alert to the designated contacts.

  4. Click OK to save the settings.
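The console applies this rule on the platform side. As an added example (not code from the page or from Alibaba Cloud), the same three-condition rule from the worked example above, plus the attack characteristics listed at the start of this article (one dominant source IP, sequential target numbers), evaluated over your own send log so that you can cross-check an alert. The records, the previous-day baseline and the function names are constructed for this illustration.

```python
from collections import Counter

# Constructed sample for one hour of verification-code sends: (source_ip, phone, delivered).
# Not real traffic. An 1,100-message burst from one IP to consecutive numbers with a 25%
# failure rate sits on top of 200 ordinary requests spread over 40 IPs.
BURST = [("203.0.113.5", f"1330000{1200 + i}", i % 4 != 0) for i in range(1100)]
NORMAL = [(f"198.51.100.{i % 40}", f"1390000{i * 37:04d}", True) for i in range(200)]
RECORDS = BURST + NORMAL
PREV_DAY_SAME_HOUR = 700   # constructed baseline: sends in the same hour yesterday

# Thresholds taken from the worked example in the text.
ACTIVATION = 1000          # monitoring activation threshold (messages per hour)
MIN_SUCCESS_RATE = 0.80    # alert when the success rate falls below this
MIN_GROWTH_RATE = 0.50     # alert when volume grows by more than this vs. yesterday


def longest_sequential_run(phones):
    """Length of the longest run of consecutive phone numbers (attack characteristic 2)."""
    nums = sorted({int(p) for p in phones})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze_hour(records, prev_day_count):
    """Compute the hourly metrics and apply the three-condition anti-fraud rule."""
    if not records:
        return {"sent": 0, "alert": False}
    sent = len(records)
    delivered = sum(1 for _, _, ok in records if ok)
    success_rate = delivered / sent
    # Assumption: with no baseline, any traffic counts as unbounded growth.
    growth = (sent - prev_day_count) / prev_day_count if prev_day_count else float("inf")
    top_ip, top_ip_count = Counter(ip for ip, _, _ in records).most_common(1)[0]
    metrics = {
        "sent": sent,
        "success_rate": success_rate,
        "growth": growth,
        "top_ip": top_ip,                              # attack characteristic 3
        "top_ip_share": top_ip_count / sent,
        "longest_sequential_run": longest_sequential_run(p for _, p, _ in records),
    }
    # All three conditions must hold, exactly as in the console example.
    metrics["alert"] = (sent > ACTIVATION
                        and success_rate < MIN_SUCCESS_RATE
                        and growth > MIN_GROWTH_RATE)
    return metrics
```

On the sample, the burst trips all three conditions, and the IP share and the 1,100-number sequential run point straight at the abusive source, which is the information you need before adding numbers to a blocklist or suspending the API.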

Set SMS sending volume alerts

  1. Log on to the Short Message Service console and go to the General Settings > Domestic Messages > Security Settings page.

  2. In the Total sending threshold section, click Modify Configuration. Set daily and monthly alert thresholds and quota limits.

    • Alert threshold: When the number of sent messages reaches this value, Short Message Service sends an alert to the designated contacts.

    • Quota limit: When the number of sent messages reaches this value, the platform suspends the SMS sending service.

  3. Click OK to save the settings.

Set the SMS sending frequency limit

Only Alibaba Cloud accounts with enterprise verification can configure the SMS sending frequency limit. If you have an individual account and need this feature, change to enterprise verification.

  1. Log on to the Short Message Service console and go to the General Settings > Domestic Messages > Sending Frequency Settings page.

  2. Click Sending frequency settings and set the sending limits for verification codes with the same signature to the same phone number per minute, hour, or calendar day.

  3. Click OK to save the configuration. The settings take effect after 15 minutes. When the SMS sending frequency reaches the threshold, the platform blocks further messages.

Set international message sending thresholds

  1. Log on to the Short Message Service console and go to the International/Hong Kong, Macao, and Taiwan Messages > International Message Settings page.

  2. Choose global configuration or route management. For detailed instructions, see Set alerts for international messages.

    • Global configuration: Configure global daily and monthly sending thresholds. When a threshold is reached, the platform triggers an alert or suspends the SMS service.

    • Route management: Configure daily sending thresholds for specific countries or regions. When a threshold is reached, the platform triggers an alert.

Secure your Alibaba Cloud account

Create RAM users for your Alibaba Cloud account and grant them specific permissions to access resources. Always grant permissions cautiously. An AccessKey (AK) is a permanent access credential that Alibaba Cloud provides to users. Keep it confidential to prevent leakage.

  • Use a RAM account: The primary Alibaba Cloud account has extensive permissions. Use a RAM user for API calls and daily operations.

  • Follow the principle of least privilege: Review and manage the security settings for your RAM users, granting them only the minimum permissions required. For more information, see Manage the security settings of a RAM user.

  • Avoid hardcoding your AccessKey: Do not embed your AccessKey directly in your code. Use environment variables to store your AccessKey to prevent leakage and potential financial losses.

  • Rotate your AccessKey regularly: Rotate any AccessKey that has been in use for more than 90 days to reduce the risk of leakage. For instructions, see Rotate the AccessKey of a RAM user.

Quick stop-loss plan for fraud

If you discover fraudulent activity, you can take the following measures to immediately stop the losses. These measures may affect the normal sending of SMS messages. We recommend that you strengthen your application's defenses as soon as possible after you take these actions.

  • Suspend the SMS API: Disable the SMS sending API in your application and then implement better security measures for your website or API.

  • Add numbers to a blocklist: If you identify abnormal phone numbers involved in the fraud, add them to a blocklist. Subsequent messages to these numbers will be blocked. Only accounts with enterprise verification can configure a blocklist. For instructions, see Configure a blocklist.

  • Temporarily delete the message template: Delete the message template that is being abused. Once deleted, messages using this template can no longer be sent. If you choose this option, you must re-apply for a new message template to resume the service.

  • Handle a leaked AccessKey: Follow the instructions in Handle a leaked AccessKey to resolve the issue. After addressing the leak, review and limit the permissions of the AccessKey, and continue to rotate it regularly to reduce future risks.

Next steps

If you enable verification code anti-fraud monitoring and receive an alert message, check whether the sending frequency, SMS sending volume, and recipient phone numbers match your current business needs. If they do not match, set a daily sending threshold or an SMS sending frequency limit. Once the limit is reached, API calls to send messages fail, which protects your funds. If the activity matches your business needs, consider adjusting the monitoring activation threshold and alert trigger threshold.