Hacker News new | ask | show | jobs
Thousands of login request in few days - hackers?
1 points by kuasha 4808 days ago
It seems someone wrote an application to generate many thousands of authentication request from authentication service we created. They used some phone numbers to verify account that seems temporary (acquired from voip service). This seems a little wired. Why someone would do that? He managed to make the system spend some small amount for making the calls but that is probably what they spent to receive the phone calls.
1 comments
Jhsto 4808 days ago
Sometimes crackers do this to obtain accounts to your service or to reverse engineer some of their already stolen accounts. Not much can be said since you haven't specified the service in question.

You could implement CAPTCHA to your system and see if the bots struggle on it. Next step from it would be to make a CSRF protection, which is not visible in DOM. Something like this is used on Instagram.

link
kuasha 4807 days ago
Thanks. CAPTCHA/CSRF is not an option since it is meant to be an API called from applications. As a precaution make a phone call to verify the user. That guy went through all the things and theoretically we can actually track him down(costly though). I have blacklisted the phone- question is how many phone numbers do he have :). Added a per day free call limit to stop this for future attempts.
link