We have an asp.net public webservice for existing customers to order a product:
https://www.example.com/webservices/customers/webservice.asmx?op=OrderProduct
Some of the fields are:
<CustomerEmailAddress>string</CustomerEmailAddress>
<CustomerPassword>string</CustomerPassword>
<ProductCode>string</ProductCode>
<Quantity>string</Quantity>
<Color>string</Color>
We use the CustomerEmailAddress and CustomerPassword to check if the customer is legitimate.
Question: How can we stop a non-customer from trying to guess the CustomerPassword and CustomerEmailAddress (including malicious automated scripts to do so)?
We had thought of locking the customer account after 100 incorrect password attempts, but if some script tried to guess it then a legitimate customer might have their account blocked (even though it wasn't them trying to access it).
We had also thought of counting access attempts by IP address, but we're not sure whether someone could forge an IP address. Also, we're not sure what happens if they distribute the script to thousands of computers.
UPDATE
I think rather than focus on or punish a particular CustomerEmailAddress, I could simply focus on an IP address that repeatedly gets CustomerEmailAddress or CustomerPassword wrong. E.g. after 100 fails, block the IP for a day. Then a week etc.
That way a particular CustomerEmailAddress won't have their account blocked.
CodePudding user response:
2-factor authentication would have my vote too, best security.
If email/SMS/text is not possible, a Time-based One-Time Password could be an option.
The 100 attempts IP block, could be made temporary:
First 100 fail tries lock for X minutes.
Second 100 fail tries lock for X*2 minutes.
etc.
If successful, reset count
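The escalating per-IP lockout described in this answer (and sketched in the question's update), as an added example rather than code from the original post. It is written in Python for illustration; the real service is ASP.NET, and the class names (`EscalatingLockout`, `order_product`), the threshold, the lock durations and the customer records are all assumptions. Failures are counted per client IP; the first `threshold` failures lock that IP for a base period, the next `threshold` for twice as long, and so on; a successful login clears the counter. The clock is injectable so the doubling can be exercised without sleeping, and passwords are stored as salted PBKDF2 hashes and compared in constant time.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class FailureState:
    failures: int = 0          # consecutive failures since the last lock or success
    lockouts: int = 0          # how many locks this key has already served
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class EscalatingLockout:
    """Per-key (here: per client IP) failure counter with doubling lock durations.

    First `threshold` failures lock for base_lock_seconds, the next `threshold`
    for twice that, and so on.  A successful login clears the key entirely.
    `clock` is injectable so the behaviour can be tested without sleeping.
    (Assumed design; not the original poster's code.)
    """

    def __init__(self, threshold=100, base_lock_seconds=15 * 60, clock=time.time):
        self.threshold = threshold
        self.base_lock_seconds = base_lock_seconds
        self.clock = clock
        self._state = {}

    def is_locked(self, key):
        st = self._state.get(key)
        return st is not None and self.clock() < st.locked_until

    def record_failure(self, key):
        """Count one failure; return the lock duration applied (0 if none)."""
        st = self._state.setdefault(key, FailureState())
        st.failures += 1
        if st.failures < self.threshold:
            return 0
        duration = self.base_lock_seconds * (2 ** st.lockouts)
        st.failures = 0
        st.lockouts += 1
        st.locked_until = self.clock() + duration
        return duration

    def record_success(self, key):
        self._state.pop(key, None)


class FakeClock:
    """Controllable clock for the demo and tests."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# --- password storage: salted PBKDF2, constant-time comparison --------------
def hash_password(password, salt=None, iterations=100_000):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


_DUMMY_RECORD = hash_password("dummy-for-timing")   # used for unknown e-mails


def verify_password(customers, email, password):
    """Unknown e-mails still pay the PBKDF2 cost, so response time does not
    reveal which addresses exist."""
    salt, expected = customers.get(email, _DUMMY_RECORD)
    _, actual = hash_password(password, salt)
    return email in customers and hmac.compare_digest(actual, expected)


def order_product(limiter, customers, client_ip, email, password):
    """Outcome of one OrderProduct call: 'locked', 'invalid' or 'ok'."""
    if limiter.is_locked(client_ip):
        return "locked"            # reject before evaluating the credentials
    if verify_password(customers, email, password):
        limiter.record_success(client_ip)
        return "ok"
    limiter.record_failure(client_ip)
    return "invalid"


if __name__ == "__main__":
    # Constructed sample data: one customer, one attacking IP.
    customers = {"alice@example.com": hash_password("correct horse")}
    clock = FakeClock(1_000.0)
    limiter = EscalatingLockout(threshold=3, base_lock_seconds=60, clock=clock)
    for pw in ("guess1", "guess2", "guess3", "correct horse"):
        print(pw, "->", order_product(limiter, customers, "203.0.113.5",
                                      "alice@example.com", pw))
    clock.advance(60)
    print("after lock expires ->", order_product(limiter, customers, "203.0.113.5",
                                                 "alice@example.com", "correct horse"))
```

Two practical notes. Key the counter on the TCP peer address the server actually saw, not on a client-supplied header such as `X-Forwarded-For`, unless that header is set by your own trusted proxy; the header can be forged, the socket address cannot be without the attacker also receiving the reply. And because a distributed script spreads its attempts across many IPs, the per-IP lock is best paired with a gentle per-account slowdown (a delay, not a hard block) so that a single account still cannot be guessed quickly while a legitimate customer is never locked out.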
CodePudding user response:
Possibly the Update in the original question could suffice:
UPDATE
I think rather than focus on or punish a particular CustomerEmailAddress, I could simply focus on an IP address that repeatedly gets CustomerEmailAddress or CustomerPassword wrong. E.g. after 100 fails, block the IP for a day. Then a week etc.
That way a particular CustomerEmailAddress won't have their account blocked.
CodePudding user response:
You can use 2-factor authentication at login time by sending an OTP to the customer's email address or an SMS to their registered number. This will help identify whether any attempt is malicious.
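The one-time-password second factor that the first answer (Time-based One-Time Password) and this answer (OTP at login) suggest, as an added example that is not part of the original thread. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the Python standard library; `enroll_secret` and `verify_totp` are assumed helper names. The verifier accepts one step of clock skew on either side, compares in constant time, and remembers which counters it has already accepted so a code captured in transit cannot be replayed during its validity window. The test values are the published RFC 6238 SHA-1 vectors (secret `12345678901234567890`).

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6, algo="sha1"):
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(for_time) // step, digits, algo)


def enroll_secret(nbytes=20):
    """Fresh shared secret for one customer.  The base32 form is what goes
    into the otpauth:// URI / QR code for their authenticator app
    (assumed enrolment flow)."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode()


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1,
                used_counters=None):
    """Accept the current step and +/- `window` neighbours (clock skew),
    compare in constant time, and refuse any counter that was already
    accepted so an intercepted code cannot be replayed inside the window."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()
            and len(code) == digits):
        return False
    now = time.time() if for_time is None else for_time
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if used_counters is not None and counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # Enrol a customer, then simulate the authenticator app and the server.
    raw, for_qr = enroll_secret()
    print("base32 secret for the app:", for_qr)
    code = totp(raw, time.time())
    seen = set()
    print("first use:", verify_totp(raw, code, used_counters=seen))   # True
    print("replay:   ", verify_totp(raw, code, used_counters=seen))   # False
```

The `used_counters` set is per customer and only needs to hold the last few counters, so in the web service it belongs in the same store as the customer record (or a cache keyed by email). If the second factor is delivered by email or SMS instead, the same `hotp` function can be driven by a per-customer counter stored on the server, with the code sent out of band and checked once.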