The new update? My perspective on the phone verification…
What an amazing patch this may seem. Everyone posting how this will change the game of rank quality in dota which further fuels the hype train. Well, don't put away your pitch forks yet because there are still ways to exploit the system.
I'm a QA tester and social engineer for a company that specializes breaking in or finding loop holes to exploit.
After experimenting with this update, I've already found a few ways to bypass this feature that they implemented. In time, the community will figure these out but I'll speed things up here so Valve don't have to deal with a million of post about the same thing.
Let's start off with phone verification.
Using a phone to implement a 2 step verification to safe guard your account is great. It allows another layer of physical security that the attacker has to get hold of or they could social engineer there way by calling your phone company and acting as you, to try to get or change the information that you have with them. Nowadays, phone companies are already catching up with this and are placing more safe guard to prevent this but there will always be loop holes to exploit. Again, this is GREAT as a 2 step verification process.
Now, implementing a phone verification so you can play rank is on a very low scale of security/prevention/determent. It will only prevent and give excuse to players who don't really want to play rank because of the extra step. Anyone willing to play rank will overcome this barrier. Given that there is more unique phone numbers then people who play dota, you have about an endless amount of phone number to use.
How to overcome this barrier?
Using your own phone number.
Need more phone number so your accounts can get verified?
You can generate them online or downloading an app on your phone that generates a number where you will receive calls and text. Or you can call a friend, a family, co-worker, or anyone that you know that doesn't play dota to use their number as a verification.
Let me expand on generating a new number just for verification purposes.
There's services online or on your phone app that you can download, that allows you to create a temporary number for X amount of days or years. Obviously, this service requires paying them but there's usually a free X days/weeks for trials. By creating a temporary number, you can have Valve send a code to that number, get the code, put the code in your account, and your set to play rank.
Here is what Valve, quoted from the patch update.
"Online services that provide phone numbers are not allowed"
Clearly, this will deter people who have a moral standard but for everyone else who WANTS to play rank, they will break this line.
Currently, there is no way Valve can fully 100% stop phone verifications from online services but there are a few things that Valve can add to stop the crisis.
Here are some ways.
1. Everytime when you press FIND MATCH in rank, a notification code will be sent to your number so you can start the que. Failure to do so in X minutes will result in X hours ban from Rank.
Obviously, this is very inconvenience for players, but using inconvenience to help deter will increase the likely hood of less determined players. This will also force players with multiple account that plays on rank to pay for a phone, phone plans, and/or generating more numbers/keeping numbers which wil costs a lot of money.
2. Unique IP for rank dota and ID verification step for rank.
When playing dota, the only time you can play rank is when your logged in a specific IP. You can always use a vpn or other services to mask/change your current IP but this will deter less determined players.
3. ID verification for one location/unique address, similar to unique ip: you upload an ID with your address, so Valve knows where your playing, and if you were using a vpn or other services and Valve pinged you at a russian or chinese location, they can stop you from playing rank and ban your account from rank for X amount of hours.
4. Phone verification code sent every week to your number so your account stays verified. Like earlier, this will cost people who have multiple accounts that play ranks, a lot of money. At the moment, it looks like this is a one time phone verified activation to play rank but if it becomes a weekly activation, that will stop most people with multiple accounts due to a financial barrier.
There is a lot more of which Valve can do and these were just the top of my head but the problem is that these are very inconvenience for players and we need to use inconvenience to help combat and deter boosters/smurfers.
The current system for number verification is bad. A great system for moral and ethical people but we already know most players on dota aren't. Also, it doesn't seem like there's a punishment for using phone number generating services because it's almost impossible to crack down on a legit vs generated numbers.
In the end, anyone who is determined to play rank dota, will find a way.