Evolving Our Trusted Bounty Program: Twilio Adds Safe Harbor to Bug Bounty
Founded by engineers, Twilio has always sought to cultivate a diverse internal engineering culture while enabling a strong external community. Since its founding 10 years ago, Twilio has provided scalable services and empowered over 2 million developers to build great things on our platform.
Twilio is dedicated to providing our customers with a trusted platform where their data is protected. While we have a skilled security team working hard to accomplish this goal, we have seen the positive effects of crowdsourcing proactive help from external security researchers, spurred on by our bug bounty program, to improve our systems of protection.
Hackers act as “the Internet’s immune system” when they find vulnerabilities and responsibly disclose them to the correct parties before they are maliciously exploited by those with ill intentions. When responsible and seasoned hackers find these issues, all users of the platform benefit. Twilio launched its bounty program in ...
How to Mitigate Interception of TOTP via Compromised Voicemail
It’s common today to use a phone number as part of a user’s profile to increase confidence the account is not fraudulent and to implement two-factor authentication (2FA) to help reduce account takeovers. However, any authentication or verification mechanism will attract attackers who will try to abuse it, and they get very creative when it comes to legacy technologies that use telephones.
Twilio offers two APIs which are designed to simplify phone verification (Verify) and two-factor authentication (Authy). Both APIs support the ability to verify or authenticate users via a phone call. This article explains how voicemail can be abused for these use cases and how Verify and Authy provide protection against attack.
Time-based one-time passwords (TOTPs), temporary passcodes used to authenticate users, are commonly used for 2FA. Even if a user's primary password is compromised, an attacker cannot gain access to the application without the ...
A Developer’s Guide to Responding to National Security Letters
When the FBI Shows Up at Your Office with an NSL
When you receive thousands of requests from law enforcement each year, it’s actually not a surprise when a representative from the FBI shows up at your office to deliver a request for information. There are no cloaks or daggers involved, just a sealed manila envelope.
The San Francisco FBI office is very familiar with working with tech companies and will reach out with a call or email to find a time to stop by. If parking is bad – like it often can be around the Twilio office – the FBI representative might even be willing to hand you the request right on the street.
So receiving government requests for information can be a fairly administrative, straightforward process.
But as we outlined in a blog post in July, National Security Letters are unusual among such requests because they’re steeped in ...
Announcing the Twilio Transparency Report
Twilio Publishes Two National Security Letters as Part of Second Half 2017 Transparency Report
Today, Twilio is publishing our sixth semi-annual transparency report detailing total volume of government requests for information received by Twilio, how Twilio responded to such requests and how Twilio notified users of such requests.
Twilio’s transparency report for the second half of 2017 reflects a continued increase in the number of requests for information received from international government agencies. In the second half of 2017, Twilio received 1581 government requests for user information from government agencies in 24 countries.
In the United States, Twilio reports receiving 340 requests from federal, state and local agencies. These requests include two National Security Letters that Twilio sought and obtained permission to publish.
- You can view our most recent transparency report for the second half of 2017 on the Twilio Transparency Reporting page.
- You can download the Transparency Report ...
Twilio on the FCC Vote to Dismantle Net Neutrality Protections
The fight is far from over. Congress needs to hear from innovators and consumers.
Twilio is disappointed in the 3-2 vote by the Federal Communications Commission to roll back the Open Internet Order, which gave internet-based companies the kind of clear, transparent protections needed to innovate and compete free of indiscriminate practices by internet service providers.
Congress should now step in to instruct the FCC to establish clear rules that ensure consumers’ communications are not being blocked by providers.
We are proud to power the communications of non-profit organizations helping consumers take action on this issue. Here’s what you can do.
- Text “RESIST” to 50409
- Go to https://www.battleforthenet.com/
- Call 1-844-USA-0234 to be connected to your elected officials.
As a software-based communications platform, Twilio has supported and continues to strongly support the common-sense rules developed under the Open Internet Order. We believe it represents the appropriate legal framework ...
Regarding Mobile Apps with Hard-coded API Keys
A security report recently announced that Android and iOS apps were discovered to contain hard-coded Twilio credentials, meaning the data in the associated Twilio accounts was potentially at risk of exposure to bad actors. The Twilio platform itself remains secure and uncompromised, and we have no evidence that data from any of the apps was accessed by an unauthorized party. Nonetheless, we’d like to offer our community some clarity on what exactly transpired.
When a developer makes a request to Twilio’s REST API, they have to pass along secret credentials, or API keys, to authenticate their account. If a developer exposes those keys to the public, anyone who finds them can access that developer’s Twilio account. It’s like leaving your car keys in an unlocked car — once someone realizes you’ve made the mistake, they can drive your car wherever they want.
One way ...
Twilio and “Friend-to-Friend Invitations”
Many apps nowadays send out invite messages to a user’s contacts in order to get that user’s friends on the platform — I mean, hey, if your user thinks your product is cool, why not encourage them to tell their friends about it? Apps that do friend-to-friend invites typically access the end user’s contact list to find phone numbers of their friends and partially or fully automate the process of sending out the invitations to those friends as text messages. In a lot of cases (and certainly if you’re using a platform like Twilio to send these), the friend will receive the text messages from a phone number provided by the app, rather than directly from the end user’s phone number. As a result, these messages may be perceived as spam by the user’s friends. Uh oh.
Let’s dive into how you avoid this ...
It’s About Trust: Twilio’s New Transparency Report
The trust you place in Twilio for your vital communications is of paramount importance. The purpose of Twilio’s transparency report is to provide the visibility you deserve and expect from a cloud service.
Twilio Transparency Report – Second Half of 2016
The objective of Twilio’s semi-annual transparency report is to inform you of the total volume of government requests for information received by Twilio, how Twilio responded to the requests and how often Twilio notified users of the requests.
You can view our most recent transparency report for the second half of 2016 here.
You can download a text file of our transparency report from our GitHub repository here.
Please email firstname.lastname@example.org with specific questions or feedback on the transparency report.
Integrating Social Impact Into Your Company: How Twilio.org Pledged 1%
A lot of people think about social impact initiatives as purely philanthropic, a side project a company takes on to give back, something that is separate from the financials and commercially driven initiatives of a business. In Twilio.org, Twilio’s social impact program, we don’t take this approach.
In the past three years since launching Twilio.org, we’ve learned that social responsibility must be as critical to our success as a company as any other initiative. We actively build ties so that when we build a better company, we also increase our ability to generate social impact. And when our social impact program grows, so too does our business. Creating a virtuous cycle between the two and actively making them inextricably tied is important for the sustainability of both efforts.
Pledge 1% influenced Twilio’s ability to create this virtuous cycle so that Twilio was no longer ...
Why We Support User Privacy
Twilio is proud to stand with Microsoft in defense of user privacy. Trust and transparency are pillars of what cloud service providers like Twilio offer to our developers, customers and end users. You rightfully expect us to protect your privacy, sensitive data and personal information.
Microsoft has filed a suit in federal court to challenge the practice of government agencies issuing blanket nondisclosure orders when issuing requests for user information. These nondisclosure orders bar companies like us from notifying our users when their data is being requested and can be issued for an unlimited amount of time. Just as troubling, these orders can be issued without the requester having to provide any specific proof of the need for nondisclosure.
This is why we have filed an amicus brief in support of Microsoft’s position along with Apple, Lithium Technologies and Mozilla.
“Supporting Microsoft is about trust”, says Twilio’s Associate ...