[WEB SECURITY] my website captcha broken??
Pavol.Luptak at nethemba.com
Sat Jan 31 06:52:53 EST 2009
On Sat, Jan 31, 2009 at 12:11:42AM -0600, Luis Matus wrote:
> I need some advice. I work for a company that provides an SMS service online
> from our web site. The website uses a CAPTCHA, but somehow hackers have
> been able to break the CAPTCHA or work around it, because they (the hackers)
> have created a web site capable of sending SMS through our website.
- definitely use a stronger CAPTCHA and check its strength using
http://www.captchakiller.com/ (it breaks most CAPTCHAs)
- allow only a limited number of SMSes to be sent from one IP address per defined
time period (e.g. 10 SMSes from 1 IP address per day)
- allow only a limited number of SMSes to be sent from one IP subnet (e.g. /24) per
defined time period (e.g. 100 SMSes from one /24 IP subnet per day)
In this scenario attackers can still use big botnets with many very
different IP addresses and solve very difficult CAPTCHAs, but it will be much
more complicated and they will probably target a different SMS portal :-)
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
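A worked version of the per-IP and per-/24 quotas suggested in the reply above, added here as an illustration and not code from the original thread or from Nethemba. The class name, the in-memory deques, the sliding 24-hour window and the choice to group IPv6 senders by /64 are assumptions of this example, not anything the post specifies.

```python
import ipaddress
from collections import defaultdict, deque


class SmsRateLimiter:
    """Sliding-window quota per source IP and per enclosing subnet.

    Defaults mirror the numbers in the post: 10 SMSes per IP and 100 per /24
    in any 24-hour window. State is kept in memory, which is an assumption of
    this example; a multi-process deployment would need a shared store.
    """

    def __init__(self, per_ip=10, per_subnet=100, window_seconds=86400,
                 v4_prefix=24, v6_prefix=64):
        self.per_ip = per_ip
        self.per_subnet = per_subnet
        self.window = window_seconds
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix  # assumption: /64 is the v6 analogue of a /24
        self._ip_hits = defaultdict(deque)   # ip string -> send timestamps
        self._net_hits = defaultdict(deque)  # ip_network  -> send timestamps

    def _subnet(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        # strict=False masks the host bits so "203.0.113.5/24" -> 203.0.113.0/24
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, ip, now):
        """Return (allowed, reason). The send is recorded only when allowed.

        The per-IP check runs first, so a single noisy host is rejected with
        "ip_limit" before it can be blamed on the whole subnet.
        """
        ip_hits = self._ip_hits[ip]
        net_hits = self._net_hits[self._subnet(ip)]
        self._prune(ip_hits, now)
        self._prune(net_hits, now)
        if len(ip_hits) >= self.per_ip:
            return False, "ip_limit"
        if len(net_hits) >= self.per_subnet:
            return False, "subnet_limit"
        ip_hits.append(now)
        net_hits.append(now)
        return True, "ok"


def simulate_subnet_botnet(hosts=20, sends_per_host=10):
    """Constructed scenario: `hosts` bots in 10.0.0.0/24 each try `sends_per_host`
    SMSes within one day. Returns (allowed, denied_by_ip, denied_by_subnet)."""
    limiter = SmsRateLimiter()
    allowed = denied_ip = denied_net = 0
    for host in range(1, hosts + 1):
        for attempt in range(sends_per_host):
            ok, reason = limiter.allow(f"10.0.0.{host}", now=float(attempt))
            if ok:
                allowed += 1
            elif reason == "ip_limit":
                denied_ip += 1
            else:
                denied_net += 1
    return allowed, denied_ip, denied_net


if __name__ == "__main__":
    print(simulate_subnet_botnet())
```

The per-IP limit alone does nothing against a botnet that rotates addresses; the subnet bucket is what caps a bot herd sitting in one provider range, which is the point the reply makes. Whatever address you feed `allow()` must be the real client address: if the service sits behind a proxy, take `X-Forwarded-For` only from proxies you control, since an attacker who can set that header picks their own bucket.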