|
|
|
|
|
|
by abernard1
634 days ago
|
|
|
Some of this can be fixed with architecture, some with tech practices. In no specific order: - Create a concept of an "enrollment" that is different than an "account." It allows record-keeping for the steps leading up to a malicious account created. - Require mobile phone validation if possible if you're a consumer-facing company. This makes it much more difficult to create fake accounts without a phone farm. - Get a good WAF and put your `/enrollments` endpoint behind it. Serve the `/enrollments` endpoint exclusively from the CDN associated with your WAF. Having that page served behind the WAF/CDN allows you to block traffic with rules if you can identify patterns to the malicious behavior - Separate the writes into the enrollments data store/database from any reads and your main production database. Make conversion of an enrollment to account process async, with a rate-limited architectural queue that can be paused if necessary |
|
|