You are building a service, and it registers users by phone number? You are creating a problem for yourself and your users. This will not protect your service from spammers and unwanted registrations, and it will not protect your users' accounts either. Let's see why.
Why registration by phone number does not protect against spam
In the CIS, renting a number for 10 minutes to register and receive an SMS costs from $0.03. Today the price of defeating this protection is close to that of having captchas solved by Indians. That is, for $1 a user can create a couple of dozen accounts with which to spam, post obscenities, inflate statistics and so on.
To flood your service with bots you no longer need a whole Lakhta Center with budgets in the millions of dollars. An ordinary citizen of the CIS who skipped pizza today and has some patience is enough.
And if in your particular country SIM cards are sold strictly against a passport, you still have no way to check whether this phone is really registered to a person with that name. Meanwhile, in such countries the sale of numbers is still on an industrial scale. That is, renting a number in the Russian Federation to register with will not be a problem. The only one with a problem is you.
Why a phone number won't protect you if your client breaks the law
For the same reason: you don't know whether the number belongs to the customer or not. Knowing the number or the real IP address will not protect you from law enforcement when a client of your service messes up somewhere. They will still come to you and pressure you to help find him, even if you are not to blame for anything. They don't know how to work any other way.
Even worse, in a hypothetical situation where the client did something illegal but registered with an anonymous number, you will have still more problems with law enforcement. Unable to find a person who can afford anonymity, they will try to shake everything out of the person who cannot afford it: the owner of the service.
Why the phone number doesn't protect your customers
Today there is no way to tell whether your number belongs to you or not. Your phone may have a Trojan baked in right at the factory, which receives SMS in the background and sends their contents to some botnet. The usual objection at this point is: well, who needs you personally? And indeed, nobody does. Botnets process everyone.
Today Trojans no longer need to be picked up in dubious places; they come straight from the factory, even in push-button phones. On Android the situation is even worse. Not only do half of cheap Chinese smartphones ship with the same Trojans from the factory, they can also be compromised en masse with little effort, through SMS mailings with links to infected sites. For older versions it is generally enough to send a properly formatted MMS and the phone starts living its own life. iOS also gets broken periodically. Hence the curiosities where your grandmother regularly receives Telegram or Google authorization codes on a push-button phone.
That is only the technical side of the problem. Then comes the administrative side. For example, attackers can get your client's SIM card reissued. And if you have not taken on the hassle of demanding scans of documents, the user will have no way to prove that he is who he says he is when he wants to get back an account linked to the phone.
Speaking of the CIS, one cannot fail to mention another problem. Wiretapping and traffic interception are on an industrial scale here and are available not only to the special services. Rather, the services sell this data, or simply use it for their own purposes. Nobody is insured against quarrelling tomorrow over a parking space with a person who turns out to be an employee of the FSB / SBU / whoever-you-have-there. They have a fully developed mechanism for intercepting SMS used for two-factor authentication. It is a routine procedure, practised on Telegram to the point of automatism.
There are many ways to simply lose a phone number, from losing the phone to the operator revoking the number because of a mix-up with the documents. In short, registering with a phone number checks only one thing: that the user had access to that number at the time of registration.
So how should accounts be registered, then?
By phone or email, as usual. 95% of people still have not become more technically literate in security matters in 20 years of mass computerization, which means all the other options are even worse. But you yourself must clearly understand that email or phone is a way to register quickly, not a way to hold or confirm an account. And this method is good only for online stores, where an order needs to be placed quickly.
For many years Gmail has had a standard practice for restoring access to an account when the phone is lost: backup one-time codes. You generate several one-time passwords that the user writes down on a piece of paper or somewhere else. Each can be entered exactly once. That is, if the user has lost access to the phone number and his account uses SMS login, he can still log in with the combination of phone number plus a backup code.
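As an added illustration (this is not code from the original post or from Gmail), here is how a service can implement the backup-code scheme just described: generate a set of random codes, show them to the user once, store only salted hashes server-side, and burn each code on first successful use. The code length, the alphabet without confusable characters, and the PBKDF2 iteration count are assumptions of this example, not values from the post.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (0/O, 1/l/I), so a code written
# on paper survives transcription. Length and count are assumed values.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
CODE_COUNT = 10
PBKDF2_ITERATIONS = 100_000  # assumed cost parameter; tune to your hardware


def normalize(code):
    """Accept what a user actually types: ignore case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def format_for_display(code):
    """Group into blocks of five for the printout the user writes down."""
    return "-".join(code[i:i + 5] for i in range(0, len(code), 5))


class BackupCodeStore:
    """Server-side record of one user's backup codes.

    Only salted hashes are kept, so a database leak does not yield usable
    codes. Each entry carries a used flag, so every code works exactly once.
    """

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.entries = []  # list of {"hash": bytes, "used": bool}

    def _hash(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), self.salt, PBKDF2_ITERATIONS)

    def issue(self, count=CODE_COUNT):
        """Generate a fresh set, replacing any previous set, and return the plaintext codes.

        The plaintext is shown to the user once and is never stored.
        """
        self.salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(count)]
        self.entries = [{"hash": self._hash(c), "used": False} for c in codes]
        return codes

    def redeem(self, submitted):
        """Return True and burn the code if it matches an unused entry, else False."""
        candidate = self._hash(normalize(submitted))
        for entry in self.entries:
            # compare_digest keeps the byte comparison constant-time.
            if not entry["used"] and hmac.compare_digest(entry["hash"], candidate):
                entry["used"] = True
                return True
        return False

    def remaining(self):
        """How many codes the user still has; warn them when this gets low."""
        return sum(1 for e in self.entries if not e["used"])


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("Show these to the user once:")
    for c in codes:
        print(" ", format_for_display(c))
    first = codes[0]
    print("first use:", store.redeem(format_for_display(first).upper()))  # True
    print("replay:", store.redeem(first))  # False
    print("remaining:", store.remaining())  # 9
```

Two details matter in practice: redemption must be rate-limited like any password check, and issuing a new set must invalidate the old one entirely (here `issue` replaces the salt and all entries), otherwise a code written down years ago remains a permanent backdoor into the account.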
If you want to do two-factor authentication, allow it through USB tokens. But still keep the one-time codes. Tomorrow the token will break, or your country will only allow the import of cryptographically weak tokens.
It is important in principle to be able to disable two-factor authentication via the phone. Because otherwise even those who understand security will have no way to close this hole in their account. Those who do not understand security will not be protected by the phone number anyway. The days when buying, forging and wiretapping numbers was expensive are gone.