Is Someone Else Using Your Twilio Account? Best Practices to Protect Your Auth Token
Time to read: 2 minutes
With over 5 billion mobile phone users in the world, attackers are constantly finding ways to take advantage of unsuspecting people via their connected devices. Smishing — using SMS to socially engineer information — is a very common attack that telecommunications carriers are working to address. Posing as a trustworthy entity, a bad actor sends text messages to request personal information such as passwords or credit card numbers. If even a few people fall for the bait the scheme can pay off, especially if the attacker is using stolen Twilio account credentials to send the messages.
At Twilio, we place an immense value on trust, which is why we want to help protect you and your users from smishing attacks. In this post, we share a few best practices for protecting your account.
Someone who steals your Twilio auth token can use your account as you, doing whatever they want with no repercussions. Fraudsters can make calls, send messages using your trusted identity, download logs, or change the URL settings of your Twilio phone numbers.
When your auth token is abused, it can very quickly lead to massive charges to your Twilio account. Even worse, if your auth token falls into the wrong hands, it can irreparably damage your reputation and erode the trust between you and your customers.
To address these situations, we have increased our detection controls for fraudulent account activity. We want to specifically emphasize precautions that customers can take to avoid unwarranted account access in the first place. Here are some basic security practices to help you protect your Twilio auth token from fraudulent usage.
Never give out your auth token, store it on the internet, or leave it out in the open. Treat it as carefully as you do a password—because that’s exactly what it is.
Never hard-code keys or tokens in your app. It is trivial to retrieve these credentials by decompiling the app. To further avoid such exposure during app development, make the Twilio API calls from your server and not the client.
Absolutely never push your tokens to public repos on GitHub. If you do so mistakenly, rotate them immediately (see next tip). Set your auth token as an environment variable and then reference the variable from your code. This protects the auth token from being exposed and prevents the code from making API calls from an unauthorized environment
Periodically change your auth tokens so that if they have been compromised they will not continue to be available for phishing or other criminal activity. A common rule of thumb is to treat credentials like a toothbrush — rotate them every three months and don’t share them with others.
Consider using time-based API access tokens for more granular authentication mechanisms instead of using the SID and auth token.
Keep an eye on your account and watch for any charges you don’t recognize.
Protecting your auth token is a core part of a good general security strategy. Twilio is committed to building and maintaining trust, and we want to equip you with the right tools and advice for properly securing your apps and managing your data. For more information check out the User Authentication & Identity docs.
Proper security in your web application starts with the simple best practices we’ve outlined here. By guarding your account credentials and remaining vigilant for any fraudulent activity, you can protect your customers, reputation, and bottom line.
For more information on avoiding fraud and protecting your account, see our anti-fraud developer’s guide.
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.