
Protection of API from abuse (signup and carding attacks)

Çağlar Arlı


I have a backend (API) and mobile apps.

Mobile app users use the same client_id (OAuth2).

Now I see many bots signing up and adding credit cards to check them (carding).

I cannot throttle or limit them, since the IP is always different and the client_id for all mobile clients is the same.

What solutions would you propose to stop it?

If there is a way to identify each mobile client uniquely, I can throttle each to 1 request per second or something (to stop that automated signup + credit card addition).

In the past the fraudster created many accounts, but it could also be done using one account (so I can also limit requests on it).

What are other solutions to this?
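Added example, not code from the question or its asker: a sliding-window limiter that can be keyed on IP, on a per-install device identifier, or on the account, plus a decline-velocity check for card additions, run over constructed events. The device_id column and the thresholds are assumptions; the post only states that all mobile clients share one OAuth2 client_id and that the IP keeps changing.

```python
from collections import defaultdict, deque

# Constructed sample events, not real traffic. Columns:
# (timestamp_s, ip, device_id, account, action, result)
# device_id is an assumed per-install identifier (e.g. issued at first launch);
# the page only says every mobile client shares one OAuth2 client_id.
EVENTS = [
    (0.0, "198.51.100.1", "dev-A", "u1", "signup",   "ok"),
    (0.3, "198.51.100.2", "dev-A", "u1", "card_add", "declined"),
    (0.6, "198.51.100.3", "dev-A", "u2", "signup",   "ok"),
    (0.9, "198.51.100.4", "dev-A", "u2", "card_add", "declined"),
    (1.2, "198.51.100.5", "dev-A", "u3", "signup",   "ok"),
    (1.5, "198.51.100.6", "dev-A", "u3", "card_add", "declined"),
    (5.0, "203.0.113.7",  "dev-B", "u9", "signup",   "ok"),
    (40.0, "203.0.113.7", "dev-B", "u9", "card_add", "ok"),
]
IP, DEVICE, ACCOUNT = 1, 2, 3  # column indexes usable as the limiter key

def sliding_window_limit(events, key_index, limit=1, window=1.0):
    """Return the events that would be rejected at `limit` requests per
    `window` seconds for the chosen key column (rejected requests are not
    counted against the window)."""
    recent = defaultdict(deque)
    rejected = []
    for ev in events:
        ts, key = ev[0], ev[key_index]
        q = recent[key]
        while q and ts - q[0] >= window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= limit:
            rejected.append(ev)
        else:
            q.append(ts)
    return rejected

def carding_suspects(events, max_declines=2, window=60.0):
    """Device ids with more than `max_declines` declined card additions inside
    `window` seconds: the signature of a card-checking bot rather than a
    customer mistyping one card."""
    declines = defaultdict(list)
    suspects = set()
    for ts, _ip, dev, _acct, action, result in events:
        if action == "card_add" and result == "declined":
            d = declines[dev]
            d.append(ts)
            d[:] = [t for t in d if ts - t < window]
            if len(d) > max_declines:
                suspects.add(dev)
    return suspects
```

Keying on IP rejects nothing here because every request arrives from a new address, while the device key catches the burst even though it is spread across three fresh accounts.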