By the end of this talk, you’ll be able to answer these questions.
1. How does Twilio think about security?
2. How can Twilio help you with security?
2A. What is Out of Band Communication?
2B. How can I use my existing threat intelligence with Twilio?
We are Builders.
We want to know how we can use Security to help
us do more.
Wait a minute...
Aren’t we here to talk about Phones?
It turns out that phones are great devices for building
security solutions. Let’s see it in action.
What is Out of Band Communication?
Using a separate network or channel to communicate about one
Banks use Out of Band Communication to send people
credit cards and the associated PIN number
The Classic Example: The PIN Mailer
Image Credit: Devochkina Oxana, from The Noun Project
Out of Band Communication: The Classic Way.
1 TRANSACTION 2 DELIVERIES
Sending a customer a
new Credit Card
One for the card &
one for the PIN.
Phones are the New Hotness.
When it comes to Out of Band Communication and security.
Out of Band Communication: The Modern Way.
Sending a customer a
new Credit Card
One mail for the card &
one SMS for the PIN.
These Twilio Customers Provide 2-Factor Authentication.
Two factor authentication is becoming more & more common.
These Twilio customers already provide it.
YOUR SERVER / TWILIO’S SERVER
1. Generates a one time password (OTP)
2. Stores the password in the PHP session
3. Delivers the user’s OTP over voice or SMS
Two Factor Authentication. Explained.
Phones Enable Bi-Directional Communication.
Being able to both send and receive data from our users is an important
feature that sets phones apart on the security front.
We can use Twilio to facilitate those Bi-Directional exchanges.
Password Resets don’t work
when your Inbox gets Compromised.
Email addresses are usually the authority for User Identity.
What happens when a user’s email gets compromised?
All the linked sites are now compromised too.
Password Resets don’t work, so let’s make them better.
1 Setup a website in your DMZ.
2 When a user asks for a reset, a link goes to their corporate email.
3 Clicking the verification links supplies them with a one-time-password.
4 User is sent an SMS asking for the one-time-password to verify.
5 The user responds with the one-time-password and is prompted to reset their password.
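As an added example (not code from the talk or from Twilio’s SDK), here is the server side of the OTP steps above and of the reset flow’s one-time-password check, in Python: an in-memory store that stands in for the PHP session, with the expiry, single-use and guess-limit handling a practitioner needs. `send_sms` is an assumed callable standing in for the Twilio message-sending API; the phone number in the usage is constructed.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # expire one-time passwords, as the talk advises
MAX_ATTEMPTS = 5        # burn the code after repeated wrong guesses
OTP_DIGITS = 6


class OtpStore:
    """Server-side OTP state; stands in for the PHP session on the slide."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested offline
        self._records = {}         # user_id -> {"code", "expires", "attempts"}

    def issue(self, user_id):
        # secrets (not random) for the code; zero-padded so leading zeros survive
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[user_id] = {
            "code": code,
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, submitted):
        rec = self._records.get(user_id)
        if rec is None:
            return False                   # nothing outstanding (or already used)
        if self._clock() > rec["expires"]:
            del self._records[user_id]     # expired: force a fresh challenge
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["code"], str(submitted))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._records[user_id]     # single use; also lock out guessing
        return ok


def request_second_factor(store, user_id, phone_number, send_sms):
    """Steps 1-3 of the slide: generate, store, deliver over SMS."""
    # send_sms(to, body) is a hypothetical callable standing in for the
    # Twilio messaging API call; it is not Twilio's SDK.
    code = store.issue(user_id)
    send_sms(phone_number, f"Your verification code is {code}. It expires in 5 minutes.")
    return code   # returned only so a caller or test can inspect it
```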
Get to know Your Customers.
You can use a user’s phone to combat automation and
Enter your Phone Number
Ex. (555) 555 5555
Verify the Code we Sent You
Enter the Code Here
Site Image Verification: Explained.
Helps users recognize Phishing attempts by displaying
an image that they select from a collection when they
attempt to login. If the image matches, they supply
THE PROBLEM: It doesn’t really work. Researchers at
Harvard tricked 97% of test subjects in 2007.
Site Image Verification: Twilio Picture Messaging
Use Twilio’s new Picture Messaging to perform Site Image Verification
for your users using their own photos.
1. User attaches an image to a message & sends to
your Twilio number.
2. Send the user’s Image along with information to
verify authenticity & prevent fraud.
Additional Security Info: Geolocation
Knowing where your customers access your
services from can help you detect fraud.
Also, classifying high risk access areas can
help you keep track of risk scores.
This is Not Rocket Science.
You could go and build these tomorrow.
When all you have is a Hammer.
Avoid turning EVERYTHING into a Nail.
Things can go wrong with Out of Band Communication - Make sure you
expire One Time Passwords and have a Backup Plan for when they do.
What Telephony Security Solutions can you Brainstorm?
• Telephony DOS Protection?
• Voice Biometrics?
• Out of Band Image Passwords?
• Physical Phone Security?
• Telephony Infrastructure Auditing? ;)
Here are some Takeaways.
• Security is an __ENABLER__.
• Use Out of Band Communication for Delivery & __RECEIPT__.
• Reduce Automation w/ User Verification.
• Reduce Phishing by Improving Site Verification.
• Reduce Fraud by Combining Intelligent Sources.