Is Someone Else Using Your Twilio Account? Best Practices to Protect Your Auth Token

December 04, 2018
Written by Shelley Wu, Twilion

With over 5 billion mobile phone users in the world, attackers are constantly finding ways to take advantage of unsuspecting people via their connected devices. Smishing — using SMS to socially engineer information — is a very common attack that telecommunications carriers are working to address. Posing as a trustworthy entity, a bad actor sends text messages that request personal information such as passwords or credit card numbers. If even a few people fall for the bait, the scheme pays off, and it pays off especially well when the attacker is using stolen Twilio account credentials: the messages arrive from a sender the victims already trust, and the bill lands on the account owner.

At Twilio, we place an immense value on trust, which is why we want to help protect you and your users from smishing attacks. In this post, we share a few best practices for protecting your account.

Best Practices for Fraud and Phishing Prevention with Twilio

Someone who steals your Twilio auth token can use your account as you, and every action they take is attributed to you. Fraudsters can make calls and send messages under your trusted identity, download your call and message logs, or change the webhook URLs of your Twilio phone numbers so that inbound calls and messages are delivered to a server they control.

When your auth token is abused, it can very quickly lead to massive charges to your Twilio account. Even worse, if your auth token falls into the wrong hands, it can irreparably damage your reputation and erode the trust between you and your customers.

To address these situations, we have increased our detection controls for fraudulent account activity. We want to specifically emphasize precautions that customers can take to avoid unwarranted account access in the first place. Here are some basic security practices to help you protect your Twilio auth token from fraudulent usage. 

Keep your auth token safe

Never give out your auth token, store it anywhere on the internet, or leave it out in the open. Treat it as carefully as you do a password, because that is exactly what it is: the Account SID is a public identifier, but the auth token is the secret that, together with it, authenticates every REST API call made against your account.

Don’t hard-code keys or tokens

Never hard-code keys or tokens in your app. Anything you ship to a client is readable by whoever holds it: credentials can be pulled out of a mobile app by decompiling it, out of a web page by reading its JavaScript, and out of a desktop binary with a string search. Make Twilio API calls from your server, not the client. If a browser or mobile client does need to talk to Twilio directly, have your server hand it a short-lived, limited-scope Access Token (see below) rather than the auth token itself.

Don’t push credentials to public repositories

Absolutely never push your tokens to public repos on GitHub. If you do so mistakenly, rotate them immediately (see next tip): deleting the file in a later commit is not enough, because the token remains in the repository's history, and public repositories are scraped for credentials continuously. Private repositories are not a safe place for secrets either. Set your auth token as an environment variable and reference the variable from your code. That keeps the token out of the source tree and means the code only works in an environment where the variable has been deliberately provided; a pre-commit secret scanner catches the slips.
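Both of the last two tips come down to one habit: the token lives in the runtime environment, never in the source tree, and something checks before a commit that it stayed there. The following is an added example, not code from the original post or from Twilio's own tooling. It assumes the documented credential shapes (an Account SID is "AC" followed by 32 hex characters, an auth token is 32 lowercase hex characters) and uses a constructed source file as input.

```python
"""Keeping the auth token out of source code: an env loader and a commit scanner.

Added example (not code from the original post or from Twilio's own tooling).
load_twilio_credentials() reads the Account SID and auth token from the
environment and refuses to start without them, so no literal token lives in
the code; find_hardcoded_credentials() scans text such as a file about to be
committed for values that look like a Twilio credential.

Assumptions: an Account SID is "AC" followed by 32 hex characters and an auth
token is 32 lowercase hex characters; SAMPLE_SOURCE is a constructed file.
"""
import os
import re
from typing import Any, Dict, List, Mapping, Tuple

ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-f]{32}\b")
TOKEN_NAME_RE = re.compile(r"(?i)auth[_-]?token|twilio[_-]?token")


def load_twilio_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Return (account_sid, auth_token) from the environment, or raise.

    Failing at start-up is deliberate: a missing variable should stop the
    service rather than fall back to a default or a value read from a file.
    """
    sid = env.get("TWILIO_ACCOUNT_SID", "")
    token = env.get("TWILIO_AUTH_TOKEN", "")
    if not ACCOUNT_SID_RE.fullmatch(sid):
        raise RuntimeError("TWILIO_ACCOUNT_SID is missing or malformed")
    if not HEX32_RE.fullmatch(token):
        raise RuntimeError("TWILIO_AUTH_TOKEN is missing or malformed")
    return sid, token


def find_hardcoded_credentials(text: str, window: int = 2) -> List[Dict[str, Any]]:
    """Return one finding per line that appears to embed a Twilio credential.

    An Account SID is flagged wherever it appears. A bare 32-hex value is only
    flagged when it is labelled as a token or sits within `window` lines of an
    Account SID, which keeps ordinary hashes from producing noise.
    """
    lines = text.splitlines()
    findings: List[Dict[str, Any]] = []
    for i, line in enumerate(lines):
        lineno = i + 1
        if ACCOUNT_SID_RE.search(line):
            findings.append({"line": lineno, "kind": "account_sid"})
        # Drop SIDs before looking for a token so their hex tail is not re-counted.
        without_sids = ACCOUNT_SID_RE.sub("", line)
        if not HEX32_RE.search(without_sids):
            continue
        nearby = "\n".join(lines[max(0, i - window): i + window + 1])
        if TOKEN_NAME_RE.search(line) or ACCOUNT_SID_RE.search(nearby):
            findings.append({"line": lineno, "kind": "auth_token"})
    return findings


# Constructed sample of a module a developer might be about to commit.
SAMPLE_SOURCE = """\
import os
from twilio.rest import Client

# Bad: literal credentials baked into the module.
client = Client("AC0123456789abcdef0123456789abcdef",
                "0123456789abcdef0123456789abcdef")

# Good: credentials come from the environment at runtime.
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
"""

if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {finding['line']}: possible {finding['kind']}")
```

Run on the constructed sample, the scanner reports the literal Account SID on line 5 and the token beside it on line 6, and nothing for the environment-based version. Wired into a pre-commit hook it also catches a committed `.env` file, which is the other common way a token reaches a repository.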

Rotate your tokens regularly

Periodically change your auth tokens so that if they have been compromised they will not continue to be available for phishing or other criminal activity. A common rule of thumb is to treat credentials like a toothbrush: rotate them every three months and don't share them with others. Twilio supports a secondary auth token for this purpose, so rotation need not mean downtime: create the secondary token, deploy it to every system that uses the primary, then promote it to primary, at which point the old token stops working. Rotate immediately rather than on schedule whenever a token may have leaked.

Create limited-scope tokens

Consider creating API Keys and issuing short-lived Access Tokens instead of using the Account SID and auth token directly. An API Key has its own SID and secret and can be revoked on its own, without rotating the auth token that every other system depends on. An Access Token is a JWT signed with an API Key secret that carries an expiry and only the grants (Voice, Video, Chat, and so on) a particular client needs; your server mints it and hands it to the client, so the auth token never leaves your infrastructure, and a leaked token is both limited in what it can do and short-lived.
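To make the limited-scope token concrete, here is an added example of minting and checking one with nothing but the standard library. It is not Twilio's helper library (use that in production), and Twilio's own services are what verify the token in practice; the verify function here reproduces those checks so the effect of expiry and tampering can be seen offline. The SIDs and secret are constructed placeholders; the token layout (header content type "twilio-fpa;v=1", claims jti/iss/sub/nbf/exp/grants) and the 24-hour maximum lifetime follow Twilio's published Access Token format.

```python
"""Mint and verify a short-lived, limited-scope Twilio Access Token.

Added example; this is not Twilio's helper library. It shows what an Access
Token is: a JWT signed with an API Key secret, with an expiry and only the
grants the client needs, minted on the server so the auth token never
reaches the client. Twilio's services perform the verification in practice;
verify_access_token() reproduces those checks here for demonstration.

Assumptions: the SIDs and the secret are constructed placeholders; the token
layout (header cty "twilio-fpa;v=1", claims jti/iss/sub/nbf/exp/grants) and
the 24-hour maximum lifetime follow Twilio's published token format.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

ACCOUNT_SID = "AC" + "0" * 32                     # constructed placeholder
API_KEY_SID = "SK" + "1" * 32                     # constructed placeholder
API_KEY_SECRET = "constructed-secret-do-not-use"  # constructed placeholder
MAX_TTL = 24 * 60 * 60                            # Twilio's upper bound


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact(obj: Any) -> str:
    """JSON without whitespace, base64url-encoded, as JWTs require."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(signing_input: str) -> bytes:
    return hmac.new(API_KEY_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_access_token(identity: str, grants: Dict[str, Any], ttl: int = 3600,
                      now: Optional[int] = None) -> str:
    """Server side: sign a token carrying only `grants`, valid for `ttl` seconds."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 second and 24 hours")
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256", "cty": "twilio-fpa;v=1"}
    payload = {
        "jti": f"{API_KEY_SID}-{now}",
        "iss": API_KEY_SID,   # which API Key signed it (revocable on its own)
        "sub": ACCOUNT_SID,   # the account the key belongs to
        "nbf": now,
        "exp": now + ttl,
        "grants": {"identity": identity, **grants},
    }
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url_encode(sign(signing_input))


def verify_access_token(token: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Check signature, algorithm, issuer, subject and validity window; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Signature first, with a constant-time compare, before trusting any claim.
    if not hmac.compare_digest(sign(f"{head}.{body}"), b64url_decode(sig)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != API_KEY_SID or claims.get("sub") != ACCOUNT_SID:
        raise ValueError("issuer or subject mismatch")
    if now < claims.get("nbf", 0) or now >= claims["exp"]:
        raise ValueError("token not yet valid or expired")
    return claims


if __name__ == "__main__":
    # A browser client that only needs to receive voice calls gets exactly that.
    token = mint_access_token("alice", {"voice": {"incoming": {"allow": True}}}, ttl=600)
    print(verify_access_token(token)["grants"])
```

Two properties matter here. The client holds a token that stops working on its own after `ttl` seconds and that names only the capability it was given, so a token lifted from a browser session is worth far less than the auth token. And because the signing key is an API Key secret rather than the auth token, that key can be revoked in isolation if it is ever exposed.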

Monitor your account

Keep an eye on your account. Review usage and billing regularly and watch for charges you don't recognize, phone numbers you did not buy, messaging or calling volume that does not match your own traffic, and webhook URLs on your numbers that you did not configure. Twilio usage triggers can call a webhook of yours when a usage category crosses a threshold you set, which turns this from a periodic manual check into an alert.
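A spike in spend on one usage category is the most visible trace of a stolen token, so the manual check above is worth automating. The following is an added example, not Twilio's own tooling: the records are constructed in the shape of Twilio's daily usage records (category, day, usage count, price), and the thresholds are assumptions to tune for a real account.

```python
"""Flag unexpected spend in Twilio daily usage records.

Added example, not Twilio's own tooling. Twilio's usage records report, per
category and per day, a usage count and a price; the rows below are
constructed in that shape so the check runs offline. A day is flagged when
its price for a category exceeds both a floor and `factor` times the median
of the previous `history` days, which is the pattern a stolen token used for
bulk messaging produces. The thresholds are assumptions to tune per account.
"""
from statistics import median
from typing import Any, Dict, List

# Constructed records: a week of ordinary traffic, then a burst of outbound
# SMS on 2018-12-03 while voice spend stays flat.
DAILY_USAGE: List[Dict[str, Any]] = [
    {"category": "sms-outbound", "start_date": "2018-11-26", "usage": 118, "price": 0.89},
    {"category": "sms-outbound", "start_date": "2018-11-27", "usage": 101, "price": 0.76},
    {"category": "sms-outbound", "start_date": "2018-11-28", "usage": 140, "price": 1.05},
    {"category": "sms-outbound", "start_date": "2018-11-29", "usage": 120, "price": 0.90},
    {"category": "sms-outbound", "start_date": "2018-11-30", "usage": 111, "price": 0.83},
    {"category": "sms-outbound", "start_date": "2018-12-01", "usage": 131, "price": 0.98},
    {"category": "sms-outbound", "start_date": "2018-12-02", "usage": 120, "price": 0.90},
    {"category": "sms-outbound", "start_date": "2018-12-03", "usage": 9600, "price": 72.00},
    {"category": "calls-outbound", "start_date": "2018-11-26", "usage": 95, "price": 2.10},
    {"category": "calls-outbound", "start_date": "2018-11-27", "usage": 108, "price": 2.40},
    {"category": "calls-outbound", "start_date": "2018-11-28", "usage": 88, "price": 1.95},
    {"category": "calls-outbound", "start_date": "2018-11-29", "usage": 101, "price": 2.25},
    {"category": "calls-outbound", "start_date": "2018-11-30", "usage": 92, "price": 2.05},
    {"category": "calls-outbound", "start_date": "2018-12-01", "usage": 104, "price": 2.30},
    {"category": "calls-outbound", "start_date": "2018-12-02", "usage": 97, "price": 2.15},
    {"category": "calls-outbound", "start_date": "2018-12-03", "usage": 99, "price": 2.20},
]


def flag_spend_spikes(records: List[Dict[str, Any]], history: int = 7,
                      factor: float = 3.0, floor: float = 5.0) -> List[Dict[str, Any]]:
    """Return the (category, day) rows whose price is out of line with recent days.

    The median of the previous `history` days is used rather than the mean so
    that one earlier spike does not raise the bar for the days after it; the
    floor stops tiny accounts from alerting on a few cents of variation.
    """
    by_category: Dict[str, List[Dict[str, Any]]] = {}
    for row in records:
        by_category.setdefault(row["category"], []).append(row)
    flagged: List[Dict[str, Any]] = []
    for category, rows in by_category.items():
        rows = sorted(rows, key=lambda r: r["start_date"])
        for i, row in enumerate(rows):
            prior = [r["price"] for r in rows[max(0, i - history):i]]
            if not prior:
                continue  # nothing to compare the first day against
            threshold = max(floor, factor * median(prior))
            if row["price"] > threshold:
                flagged.append({
                    "category": category,
                    "start_date": row["start_date"],
                    "price": row["price"],
                    "threshold": round(threshold, 2),
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_spend_spikes(DAILY_USAGE):
        print(f"{hit['start_date']} {hit['category']}: ${hit['price']:.2f} "
              f"(threshold ${hit['threshold']:.2f})")
```

On the constructed data only the SMS burst on 2018-12-03 is reported; the voice category, which moves within its normal range, stays quiet. The same rule applied to hourly records gives earlier warning, and usage triggers on the account give warning without polling at all.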

Protecting your auth token is a core part of a good general security strategy. Twilio is committed to building and maintaining trust, and we want to equip you with the right tools and advice for properly securing your apps and managing your data. For more information check out the User Authentication & Identity docs.

Avoiding Fraud and Phishing by Design

Proper security in your web application starts with the simple best practices we’ve outlined here. By guarding your account credentials and remaining vigilant for any fraudulent activity, you can protect your customers, reputation, and bottom line.

For more information on avoiding fraud and protecting your account, see our anti-fraud developer’s guide.