by lima
2649 days ago
We do care about security and hash the phone numbers after sending the verification SMS (we only need to determine whether a given phone number is associated with a locked account - a hash is good enough for that). Our problem is that criminals open hundreds of accounts with fake data and stolen credit card data, abuse our services until we get abuse complaints or detect it and lock them, then repeat that. This leads to legitimate customers suffering from bad IP reputation and is expensive to clean up. Requiring phone numbers and blacklisting known throwaway providers has been extremely effective in preventing this, without generating complaints from our legitimate customers. We don't want to use browser fingerprinting or other intrusive mechanisms for detecting sybil registrations. What else do you suggest we do?
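A sketch of the lookup the comment describes, added here as an example and not the commenter's code: numbers are normalized, reduced to a token, and only tokens of locked accounts are stored. It assumes a keyed hash (HMAC-SHA256 with a server-side key) because the phone-number space is small enough to enumerate against an unkeyed hash; the key, the `default_cc` parameter, the simplified normalization and the sample numbers are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a server-side key stored outside the database (constructed value).
PEPPER = b"constructed-demo-pepper-not-a-real-key"


def normalize(number: str, default_cc: str = "49") -> str:
    """Reduce a typed number to country code + digits (simplified, not full E.164)."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]  # national format: prepend country code
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return digits


def phone_token(number: str) -> str:
    """Keyed hash of the normalized number; the only value that is stored."""
    return hmac.new(PEPPER, normalize(number).encode(), hashlib.sha256).hexdigest()


class LockedNumbers:
    """Tokens of numbers tied to locked accounts; no plaintext number is kept."""

    def __init__(self):
        self._tokens = set()

    def lock(self, number: str) -> None:
        self._tokens.add(phone_token(number))

    def is_locked(self, number: str) -> bool:
        return phone_token(number) in self._tokens

    def stored(self) -> set:
        return set(self._tokens)


if __name__ == "__main__":
    locked = LockedNumbers()
    locked.lock("+49 (151) 0000-0001")        # constructed sample number
    print(locked.is_locked("0151 00000001"))  # same number, national format
    print(locked.is_locked("+49 151 0000 0002"))
```

Normalizing before hashing is what makes the check hold when the same number is re-entered in a different format at a later signup.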