Is there an attack vector for SMS verification codes using a bunch of parallel requests?
I'm trying to elaborate a login scenario with SMS verification code. Not sure whether it's an attack vector or not.
Assume we have an N = 3 digit code sent to a user's mobile phone (a 3-digit code just for the sake of simplicity in calculations; it's usually 4 to 6 digits). So we have 1000 different codes to send.
We have M >= N users in the system.
What if Eva (the attacker) chooses 1000 phone numbers and sends 1000 parallel requests (one for each phone number) to log in with an SMS code? Code generation should be random and equally distributed over the whole range, therefore each phone number should get a unique code (but there's also a great chance that some phone numbers get the same code). Eva picks a code, e.g. 001, and sends a verification request for each phone number with this code (#1 - 001, #2 - 001, ..., #1000 - 001).
It seems to me right now that Eva would be able to get access to at least one of the accounts. Also, it's usual to allow users several attempts to input the valid code, which increases Eva's chances of guessing the code for a phone number. She could repeat the same steps until she gets access to all accounts. Is this correct? What are the measures to mitigate this scenario?
We could block requests from the same IP, but Eva could have a different IP for each request. I believe we can't differentiate it from the case when 1000 legitimate users make a login request.
UPD2:
Eva doesn't control any of users' phones.
UPD1:
I'm talking about a scenario in which Eva visits the site (anonymous to the site, not logged in):
- step 1: Login form with 'Enter your phone number' -> types in a phone number (#1) (SMS is sent to #1)
- step 2: Verification form with 'Enter code sent' -> Eva can type in here any code she wants (she could guess the correct code with 1/1000 probability).
So Eva could programmatically send 1000 login requests (1 request per phone number) to the site API at the same time, 1000 SMS codes will be sent (1 code per phone number), then she could send 1000 verification requests with the same code (1 request per phone number).
UPD2: I'm trying to describe a situation where 1000 buckets represent the unique codes (000-999). When we generate 1000 random codes at once, it's highly probable that each of the buckets will contain 1 stone (the corresponding code was generated). In practice some of the buckets will contain several stones, while others will contain none. But in the big picture I expect that all buckets have 1 stone (or at least tend to it). Each stone (code) was sent to some phone number from the 1000 phone numbers we picked. So we pick stone1 and use it with every phone number. At some point we should hit, I expect. So it seems that we could gain access to some account easily?
B1 (000) - No1111
B2 (001) - No1135, No7356
B3 (002) - x
B4 (003) - No4279
...
B5 (999) - No8912
So we pick B4 (003) and send this code for each phone number (making 1000 requests total). When we send { code: 003, number: 4279 } we should get access to the account?
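The scenario in the question can be sized exactly, and it also has a distinctive signature a defender can look for. The following is an added example (not part of the original post): `p_any_hit` gives the probability that spraying one code across many parallel sessions breaks at least one of them, for a given code length and attempt limit, and `spray_suspects` flags the pattern of the same wrong code failing against many distinct phone numbers. The phone numbers and events are constructed sample data.

```python
"""Model of 'one code sprayed across many login sessions' (added example;
all numbers and events below are constructed, not taken from a real system)."""
from collections import defaultdict


def p_any_hit(digits: int, sessions: int, attempts: int) -> float:
    """Probability that at least one of `sessions` parallel sessions is broken
    when `attempts` distinct codes are tried per session against a uniformly
    random `digits`-digit code: 1 - (1 - attempts/10^digits)^sessions."""
    space = 10 ** digits
    p_one = min(attempts, space) / space
    return 1.0 - (1.0 - p_one) ** sessions


def expected_hits(digits: int, sessions: int, attempts: int) -> float:
    """Expected number of sessions broken: sessions * attempts / 10^digits."""
    space = 10 ** digits
    return sessions * min(attempts, space) / space


def spray_suspects(events, min_phones: int = 20) -> dict:
    """Detection heuristic: the attack submits the *same* code against many
    different phone numbers. Group failed verifications by submitted code and
    report codes that failed against at least `min_phones` distinct numbers.
    Legitimate users mistype different codes, so one shared wrong code across
    many accounts is the signal (per-IP limits do not catch this)."""
    phones_by_code = defaultdict(set)
    for ev in events:
        if not ev["ok"]:
            phones_by_code[ev["code"]].add(ev["phone"])
    return {code: len(ph) for code, ph in phones_by_code.items()
            if len(ph) >= min_phones}


# Constructed sample log: 25 sessions all received code "003" (sprayed),
# plus two ordinary typos and one legitimate success with the same code.
SAMPLE_EVENTS = [{"phone": f"+1555000{i:04d}", "code": "003", "ok": False}
                 for i in range(25)]
SAMPLE_EVENTS += [
    {"phone": "+15551110001", "code": "417", "ok": False},
    {"phone": "+15551110002", "code": "902", "ok": False},
    {"phone": "+15551110003", "code": "003", "ok": True},
]

if __name__ == "__main__":
    for digits, attempts in ((3, 1), (6, 1), (6, 3)):
        print(f"{digits}-digit code, {attempts} attempt(s), 1000 sessions: "
              f"P(any hit)={p_any_hit(digits, 1000, attempts):.4f}, "
              f"expected hits={expected_hits(digits, 1000, attempts):.4f}")
    print("sprayed codes:", spray_suspects(SAMPLE_EVENTS))
```

With a 3-digit code and 1000 parallel sessions the attacker expects about one compromised account per round (roughly a 63% chance of at least one hit), which is why code length and a strict per-phone attempt limit have to be chosen together; the same-code-across-many-numbers check then catches the rounds that do happen.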