You know...you could just intercept SMS after n attempts in x time and ask the customer for auth to continue. Should attack continue, suspend SMS with cust's auth for z time. Most bank SMS auth attacks will not outlive a multi-hour SMS ban. Could also auto reply with a note to call phone or use email should it be urgent and legitimate. Copyright 2012 Bobjim Ps your registration system blows. Had it not taken me a half an hour to get to the point where I could make this post, I wouldn't have copyrighted this idea in the hope that I'll be able to sue you down the road for stealing it. Good day.