Security Incident Analysis and Captcha Strategy for Preventing SMS Spam Attacks
After a night-time SMS spam attack that cost 400 RMB, the team analyzed the breach, evaluated various captcha methods—including text, slider, reCAPTCHA v2/v3, and 2FA—implemented temporary throttling, and ultimately adopted a combined reCAPTCHA and two‑factor authentication approach to strengthen account security.
Background
Overnight, the system sent about 200 SMS messages per hour until it hit the daily quota, incurring a loss of roughly 400 RMB. Backend logs showed the SMS API being called about every 10 seconds, a steady machine cadence that points to an automated attack rather than real users.
Fault Analysis
The company uses the RingRing SMS provider, which has no built‑in alerting or blocking. The attacker cycled through forged source IP addresses and destination phone numbers, so per‑IP and per‑number checks on the API never triggered, and both the per‑app and the total daily SMS quotas were exhausted.
A temporary mitigation was added: if more than 30 messages are sent within 10 minutes and over 60 % of the destination numbers belong to the same country, SMS sending is disabled for 10 minutes and an alarm is raised.
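The check above, written out as an added example (it is not the post's own code): a sliding‑window burst detector over the send log, plus the gate the send path would call. The log entries, the per‑entry `country` field (assumed to be derived from the E.164 prefix when the send is logged) and the thresholds are assumptions; timestamps are milliseconds.

```javascript
// Added example, not the original post's code: sliding-window burst check
// implementing the temporary mitigation (>30 sends in 10 min, >60% to one country).
const WINDOW_MS = 10 * 60 * 1000;   // look back 10 minutes
const BLOCK_MS = 10 * 60 * 1000;    // disable sending for 10 minutes
const MAX_IN_WINDOW = 30;           // more than this many sends in the window ...
const SAME_COUNTRY_SHARE = 0.6;     // ... with more than 60 % to one country trips it

// `log` is an array of {ts, country}; `country` is assumed to be recorded at send time.
function evaluateSmsBurst(log, now) {
  const recent = log.filter(e => e.ts > now - WINDOW_MS && e.ts <= now);
  const result = { block: false, count: recent.length, topCountry: null, share: 0 };
  if (recent.length <= MAX_IN_WINDOW) return result;

  // Count destinations per country and find the dominant one.
  const perCountry = new Map();
  for (const e of recent) perCountry.set(e.country, (perCountry.get(e.country) || 0) + 1);
  let topCountry = null, topCount = 0;
  for (const [country, n] of perCountry) {
    if (n > topCount) { topCountry = country; topCount = n; }
  }
  result.topCountry = topCountry;
  result.share = topCount / recent.length;
  if (result.share <= SAME_COUNTRY_SHARE) return result;

  result.block = true;
  result.blockedUntil = now + BLOCK_MS;
  result.alarm = `SMS burst: ${recent.length} sends in 10 min, ` +
    `${Math.round(result.share * 100)}% to ${topCountry}`;
  return result;
}

// Gate used by the send path: honour an active block, otherwise re-evaluate.
// `state` persists between calls (in production: a shared cache, not memory).
function smsSendAllowed(state, log, now) {
  if (state.blockedUntil && now < state.blockedUntil) return false;
  const verdict = evaluateSmsBurst(log, now);
  if (verdict.block) {
    state.blockedUntil = verdict.blockedUntil;
    state.lastAlarm = verdict.alarm;   // hand this to the on-call channel
    return false;
  }
  return true;
}

// Constructed log: `count` sends, one every 10 s, destinations cycling through `countries`.
function makeLog(start, count, countries) {
  const out = [];
  for (let i = 0; i < count; i++) {
    out.push({ ts: start + i * 10000, country: countries[i % countries.length] });
  }
  return out;
}

// Demo on a constructed attack: 40 sends to one country in the last six minutes.
const now = Date.now();
const attack = makeLog(now - 6 * 60 * 1000, 40, ['CN']);
console.log(evaluateSmsBurst(attack, now).block);   // true
```

The window is evaluated on every send, so a slow attacker that stays under 30 per 10 minutes still gets through; this is only the stop‑gap the post describes, not a substitute for the captcha and 2FA work that follows.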
Captcha Types Evaluated
Text Captcha
Simple to implement, but easily broken by OCR even when distortion, noise and crossing lines are added; the harder it is made for OCR, the harder it becomes for legitimate users too.
Slider Captcha
Considered for its user experience and resistance to brute‑force, but rejected due to UI costs and uncertain suitability for international markets.
```bash
npm install rc-slider-captcha
```

```jsx
import SliderCaptcha from 'rc-slider-captcha';

const Demo = () => {
  return (
    <SliderCaptcha
      // Fetch the background image and the puzzle piece from the server;
      // the server keeps the correct offset so the client never learns it.
      request={async () => {
        return {
          bgUrl: 'background image url',
          puzzleUrl: 'puzzle image url'
        };
      }}
      // Send the user's drag result to the server for verification and
      // resolve once the server accepts it.
      onVerify={async (data) => {
        console.log(data);
        // verify data
        return Promise.resolve();
      }}
    />
  );
};
```

reCAPTCHA v3
Chosen for its easy integration, built‑in console, and trusted Google backing. It runs invisibly and returns a score between 0 and 1, where 1 means most likely human. The threshold was initially set to 0.5, then lowered to 0.3, and finally made configurable down to 0.1 to reduce user friction; note that every step down admits more bots, so the lower settings only make sense with a fallback behind them.
```js
// Return value (the score field of the siteverify response)
{
  score: 1 // 0 = bot, 1 = human
}
```

reCAPTCHA v2
Added as a fallback when v3 score is low, providing a visible challenge to improve security.
Two‑Factor Authentication (2FA)
Implemented using OTP apps such as Google Authenticator. Each user is provisioned with a unique shared secret; the app and the server both derive six‑digit time‑based codes from it using HMAC‑SHA1 over the current 30‑second time step (TOTP, RFC 6238), and the server validates the submitted code on each login or sensitive operation.
Multi‑Verification Strategies
Combining different captchas (e.g., v3 + v2) and switching to a stronger method after failed attempts can increase security while balancing user experience.
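The v3‑then‑v2 fallback and the escalate‑after‑failures idea from the two passages above, as one added server‑side example (not the post's code). The response object follows the fields Google's siteverify endpoint returns (`success`, `score`, `action`, `hostname`, `challenge_ts`, `error-codes`); the sample responses, the account ids, the default threshold and the failure limit are constructed for the example. It also shows the checks a practitioner wants before looking at the score at all: a failed token, or one minted for a different action or host, is rejected rather than treated as "low score".

```javascript
// Added example, not the original post's code: turn a reCAPTCHA v3 siteverify
// response into allow / fall back to v2 / deny, and escalate to 2FA after
// repeated failed visible challenges.
const DEFAULT_THRESHOLD = 0.5;   // Google's suggested default; the post lowered it to 0.3, then made it configurable

function decideFromV3(resp, { expectedAction, expectedHostname, threshold = DEFAULT_THRESHOLD } = {}) {
  // A token that failed verification (expired, already used, wrong site key) is not
  // a low score: deny outright instead of handing the client a second chance.
  if (!resp || resp.success !== true) return 'deny';
  // Tokens are bound to the action and host they were minted for; a mismatch means
  // a token harvested elsewhere is being replayed against this endpoint.
  if (expectedAction && resp.action !== expectedAction) return 'deny';
  if (expectedHostname && resp.hostname !== expectedHostname) return 'deny';
  if (typeof resp.score !== 'number') return 'deny';
  return resp.score >= threshold ? 'allow' : 'challenge_v2';
}

// Per-account escalation: after `maxV2Failures` failed visible challenges the
// account must present a 2FA code before the sensitive operation proceeds.
class VerificationPolicy {
  constructor({ threshold = DEFAULT_THRESHOLD, maxV2Failures = 3 } = {}) {
    this.threshold = threshold;
    this.maxV2Failures = maxV2Failures;
    this.v2Failures = new Map();   // account id -> failed visible challenges (use a shared store in production)
  }

  // Called with the siteverify result for the invisible v3 token.
  stepAfterV3(account, resp, ctx) {
    if ((this.v2Failures.get(account) || 0) >= this.maxV2Failures) return 'require_2fa';
    return decideFromV3(resp, { ...ctx, threshold: this.threshold });
  }

  // Called with the outcome of the visible v2 challenge.
  stepAfterV2(account, passed) {
    if (passed) { this.v2Failures.delete(account); return 'allow'; }
    const n = (this.v2Failures.get(account) || 0) + 1;
    this.v2Failures.set(account, n);
    return n >= this.maxV2Failures ? 'require_2fa' : 'challenge_v2';
  }
}

// Constructed siteverify responses for the demo.
const ctx = { expectedAction: 'login', expectedHostname: 'example.com' };
const human = { success: true, score: 0.9, action: 'login', hostname: 'example.com', challenge_ts: '2024-01-01T00:00:00Z' };
const suspicious = { ...human, score: 0.2 };
const replayed = { ...human, action: 'signup' };
const failed = { success: false, 'error-codes': ['timeout-or-duplicate'] };

console.log(decideFromV3(human, ctx), decideFromV3(suspicious, ctx), decideFromV3(replayed, ctx), decideFromV3(failed, ctx));
// allow challenge_v2 deny deny
```

Lowering `threshold` to 0.1 as the post describes moves almost every request into the `allow` branch, so the policy only stays meaningful if the action and hostname checks and the v2/2FA escalation remain in place.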
Risks, Costs, and Benefits
No captcha guarantees 100 % security; attackers may use OCR, machine‑learning solvers, paid solving farms, or logic bypasses such as replaying a token or calling the backend API directly. Stronger methods like graphic‑matching, TOTP, and 2FA raise the attacker's cost substantially and protect both company and user data, at the price of some user friction.
Conclusion
Captchas are essential for preventing malicious logins, but traditional slider captchas are vulnerable. The recommended approach combines graphic‑matching verification, TOTP dynamic passwords, and multi‑factor authentication to enhance overall security.
Rare Earth Juejin Tech Community