7 Ways To Secure Your Account

7 Ways To Secure Your Account

Security threats come in from all angles, and keeping track of them all is a constant challenge.

There are many links that attackers can target in the communication chain — the link between you and your network, your passwords and tokens, and other sensitive places and information.  If your Twilio account is compromised, it can result in massive fraudulent charges, blocked phone numbers, loss of customer trust, and more.

Here are seven best-practices you can follow to keep your Twilio account — or any account — safer.

Keep your passphrases strong

First and foremost, use strong passphrases.

What does that mean these days? It turns out that a jumble of hard-to-remember characters is not as effective as a longer but easier to remember password. That’s why Twilio requires at least 14 characters but has no “special character” requirements.

It should go without saying: don’t share your passwords and don’t re-use passwords from one account to another. Password re-use makes it easy for an attacker to gain access to your other accounts when one password is leaked in a breach… as 773 million passwords have leaked already.

(You might want to check whether your passwords are among them, or use a library to check a leaked password database)

One other move we highly suggest: use a password manager to keep track of them can make your life easier and more secure.

Use MFA

Multi-factor authentication (MFA) enhances the strength of a passphrase by requiring an additional form of evidence (factor) to confirm your identity. A factor is something you know, have, are, or do.

For example, when you go to an ATM you must present your debit card (something you have) in addition to your PIN (your passphrase). MFA helps defend against identity theft: even if your credentials are leaked or stolen, an attacker won’t have access to the additional factor needed to get into your account. MFA is a great way to help protect your Twilio account.

Protect your account

Speaking of your Twilio account, it is very important to protect your auth token. Your auth token provides access to your Twilio account. You should change your auth token periodically, especially if you suspect that someone else has had access to it. (For more information, see Auth Tokens and How to Change Them.)

When you create sub-accounts for employees or co-collaborators, use the Twilio Console to assign them roles with the minimum level of permissions that will allow them to do their jobs. Giving your sub-accounts the least possible amount of privilege helps keep people from accidentally (or not so accidentally) breaching your security.

Secure your application

Your API keys let your application interact with Twilio as you. A stolen API key can make expensive phone calls, read sensitive text messages, or release your phone numbers—and you’ll get the blame!

Never bake your API keys into an application. If you accidentally check them into version control (and we’ve all done it!), anyone with access to your source repository can get them easily. Additionally, protecting your source code won’t stop sophisticated attackers from using a decompiler to retrieve the API keys from an app containing your keys.

You must protect the keys very carefully—don’t even leave API keys in plain text on your laptop! For a few more tips on keeping your auth tokens and API keys safe, check out Best Practices to Protect Your Auth Token and the Anti-Fraud Developer’s Guide.

Temporary access tokens can also provide unauthorized access if you are not careful. Your app should use Authy Two-factor Authentication (using Twilio's Authy API) to help protect you and your users. When you issue access tokens to a client, make them expire as quickly as practical to help prevent man-in-the-middle attacks.

Protect yourself while traveling

Your connection to the network is another potential attack vector. When you are traveling or working at a cafe, you are connecting to a network you might know nothing about.

Public WiFi is a very popular environment for man-in-the-middle attacks. Consider using a hotspot powered by Twilio Wireless. Another good solution is to use a VPN to encrypt your communications end to end while connected to an untrusted network.

Examine SSL certificates

Even when you are on a trusted network, it is important to pay attention to SSL certificates.

The point of SSL is to establish a handshake with a trusted source. Make sure that the certificates presented by websites you visit are correct and match what you expect.

Just FYI, here are the SHA256 fingerprint and serial number of the Twilio.com certificate (at least through March 1, 2020):

• SHA256: D0 ED 71 01 D3 B1 5B F7 60 A3 22 2D E5 95 D5 96 B4 3A 71 4D F1 4E FC C6 5F B4 5C 60 96 39 5D 80
• Serial: 06 34 66 EC AA AA 19 EE CB 51 E5 81 66 7C 68 52

Keep your OS, SDKs, and tools up-to-date

Finally, make sure you are using the most up-to-date version of your operating system, applications, and Twilio SDKs.

Outdated code and APIs can contain security vulnerabilities that can lead to a breach of creds or sensitive data. Check for the latest Twilio tools on our SDKs page. You can help us stay secure too: if you find a vulnerability, report it in our Bug Bounty, which has safe harbor for your peace of mind.

Keep your account secure... and your users’ trust

These are just a few of the steps you should be taking to keep yourself and your users safe and secure. While one blog post can’t cover the full array of security best practices, these steps will get you much further than not taking security into consideration

While not very difficult, these steps are very effective at preventing unauthorized access to your account and your use of the APIs. Make sure you think through security while building out your application - you and your users will appreciate your concern.

Brandon Sherman has been working with AWS infrastructure for four years and is a Senior Cloud Infrastructure engineer at Twilio, where the challenge of real-time cloud communications requires thinking about security in new and exciting ways. He wants to replace himself with microservices & APIs but until he manages to do that, you'll find him teaching anyone who will listen that they can be a "security person" too.