How do I confirm that a phone number is legit, or that it is connected? I want to prevent users signing up with bogus numbers.
Is there a way to programmatically make a call or something? Or find out if the phone is alive, connected?
The only way you can be sure that the phone number is actually connected is to send them a text-message with a unique verification-key and then have them enter that in your web-form.
Check out VoiceXML. That's a service that allows you to interact with a caller by reading and writing XML.
Also checking if a number is legit or connected isn't the same as proving that's the user's phone number. They could be entering a number of someone else that exists, or even a random phone number that happens to work.
This depends heavily on the country the mobile number is in.
I know a SMS Gateway service in Germany, for example, that checks out whether a number is connected (at least for german numbers, maybe for other european countries too) as an addition to their SMS delivery services. It costs a few cents per poll.
You would have to check with SMS gateways around the world to see what they can offer in that department.
The safest and simplest, as Espo says, is certainly to just send a confirmation SMS.
Related
Here is the scenario:
For a person to become a member of a club, the person needs to register and upon registration the member:
must provide a mobile number
is given a unique card associated with
his or her person
In order for the member to make use of the club computers and services, the person must:
Step 1: get the physical card scanned in front of a machine (RFID) stationed in a specific shop/branch/office
Step 2: enter a one-time-use random 4-digit code received by SMS on the mobile number originally registered. (The code expires after 5 minutes.)
I consider the membership card as something-that-you-own and the random one-time-use code as something-that-you-know. The card and the 4-digit code are therefore the two factors. If the card is lost or stolen, the 4-digit-code is still unknown to the thief. And if the mobile phone (SIM Card) is lost or stolen, the card is still required to proceed in making use of the club services. . Hence the two are independent from each other.
Is this correct?
Thanks
It was concluded that the above scenario is a grey area, leaning however mostly to the conclusion that it is not a 2-factor-authentication scenario.
Rationale:
When someone presents a bank credit or debit card at an ATM, the person has two tools: the card and the pin.
The card is the something-that-you-own; and
The pin is the something-that-you-know.
Therefore the PIN is definitely a knowledge factor...
The above scenario also has exactly the same two tools, a card and a pin.
However
The bank card pin is theoretically stored in your mind while in the above scenario, the PIN is received by SMS.
A mind cannot be stolen. A mobile phone can be stolen. For these reasons, the SMS PIN seems to become an invalid knowledge factor in this case.
The argument that follows is: What is the SMS PIN then? Why send it in the first place?
The SMS Pin seems to be a method to verify that the phone is still in your possession. But it cannot be considered as a knowledge factor per se.
We have an MVC application which we need to do some security check before we let user to start using system. The use case is below;
We have Company table which stores valid IP addresses(also range). And company has associated users. If a user logs in from an unidentified email address, we need to make sure that user is still working for corresponding company. Therefore, we use company email address to validate the user.
I have 2 ways to implement this;
1) Generate a token, and send a link with token as query string to the user, when user clicks on this link, I will validate the user for a certain period of time(1 day)
2) Sending user's email a 6 digit number when user successfully logs in, and ask user to enter that pin number. If the pin is valid, then validate the user.
I recently see many big companies using pin numbers and your mobile no. That made me think that the second method is more secure than the first one(I have no facts, only assumption). Is that true?
Which one of these methods is more secure? if non of them, what is the best way of implementing this use case.
Thanks
Have you looked at IP spoofing - I wouldn't recommend using IP addresses for security.
1) - I don't understand how that is secure...
2) - called two factor authentication and would typically involve sending a pin to a mobile, and not an email.
If implemented properly 2) should be secure, but that is an additional step and not a complete security model. I would start by looking at the authentication that is part of MVC5.
If you want to have a jump start on two factor authentication without building a solution from scratch, look at this open source framework that can easily integrate into an MVC4 application. As Joe R mentioned, relying on IPs for security is not a standard practice.
I am sending a large number (over 70 within 1-2 minutes) emails with identical subject and content to the same Gmail account from a third-party email server. Address is formatted as 'gmailusername+person.name#gmail.com', where 'gmailusername' is the same for all messages, and 'person.name' is different for every message.
The first 3 messages arrived normally, but the rest seem to have disappeared.
Is where a Gmail limitation on recieving multiple nearly identical messages? Where can I find info on it?
The email content is a few lines of plain text. The account is used for testing, in production setting these emails will go to different addresses. These 70+ emails to the same address are the only emails that are being sent by the server at the time, i.e. there is not much other activity sending email from the same server to other Gmail addresses.
Technically, it's not a limit that's stopping you, it's their anti-spam filters; if their servers receive many identical e-mails differing only be recipient within a short space of time from a single sender, they'll often or not block them, obviously there are some algorithms going on behind the scenes to establish if it is actually spam (i.e. is the sender server part of a known spam network, is the sender on the trusted senders list of the recipients etc.) although we'll know exactly what goes in to deciding if the e-mail should be considered spam or not. ;)
You'll find most of the popular e-mail providers (Yahoo, Gmail etc.) do this.
Most mailing list providers get around this by automatically fragmenting how many e-mails are sent to a single provider in an hour - not to mention the bigger mailing providers are often or not more trusted by the e-mail providers that their content is legitimate.
While I think you're in the sending limit, do be aware Google will disable your account for 24 hours if they believe you are spamming. More information here.
I have seen Gmail limit emails, yes. But since you're testing, can you just change the subject with a time stamp, number, or guid? That might help.
"Testing Message 1", "Testing Message 2", etc.
Edit:
You won't run into limiting problems if you can either a) setup your own relay (very hard, but refer to this for a little help) or b) use an email campaign service provider such as MailChimp or Postmark. Note that it's good to be educated on the difference between "transactional" email and normal, bulk-advertising email.
We have an application that includes a voting component.
To try and minimise voter fraud we allow N number of votes from the same IP address within a specific period. If this limit is hit we ignore the IP address for a while.
The issue with this approach is if a group of people from a school or similar vote they quickly hit the number. Their voting can also occur very quickly (e.g. a user in the class asks his classmates to vote which causes a large number in a short period).
We can look to set a cookie on the user's computer to help determine if they are sharing accounts or check the user agent string and use that too.
Apart from tracking by IP, what other strategies do people use to determine if a user is a legitimate or a shared account when the actual IP is shared?
If your goal is to prevent cheating in on-line voting, the answer is: you can't, unless you use something like SSL client certificates (cumbersome).
Some techniques to make it harder would be using some kind of one time token sent trough e-mail or SMS. Every smart kid knows how to cheat control cookies using privacy mode of modern web browsers.
Hey guys - I know this is not a strictly programming question but I'm building an application where users sign up to traffic alerts.
I have the whole thing dusted but I haven't got an 'unregister button'
I know its good UI to have one, but I was hoping if someone knew the legalities of the topic?
The user can sign in and uncheck what alerts to receive, but not scrub their details -
On the email sent I have an unsubscribe button.
Seeing as this is going to the public, can I turn round to my boss and say "by law we need one" else he might just turn around and try and charge the client, and I don't agree with that for something so rudimentary
Check out CAN-SPAM. One of the requirements for mass email marketing is a one-click unsubscribe button.
See http://en.wikipedia.org/wiki/E-mail_marketing
Specifically:
To comply with the Act's regulation of commercial e-mail, services typically require users to authenticate their return address and include a valid physical address, provide a one-click unsubscribe feature, and prohibit importing lists of purchased addresses that may not have given valid permission.