This is a talk about using Twilio to build security solutions given by Twilio's Lead Security Engineer, Fredrick DeQuan Lee, at TwilioCon 2013.

Architecting Phone Based Security Solutions

  1. #TWILIOCON Architecting Phone Based Security Solutions. FREDRICK DEQUAN LEE, LEAD SECURITY ENGINEER @ TWILIO
  2. Call me Flee. I’m part of Twilio’s Security Team.
  3. Let’s talk about security.
  4. By the end of this talk, you’ll be able to answer these questions: 1. How does Twilio think about security? 2. How can Twilio help you with security? 2A. What is Out of Band Communication? 2B. How can I use my existing threat intelligence with Twilio?
  5. SECURITY @ TWILIO
  6. Twilio. We’re a little different. (Image credit: catherineplease, from The Noun Project)
  7. WE ARE MORE THAN JUST FIREFIGHTERS.
  8. We are Builders. We want to know how we can use Security to help us do more.
  9. Wait a minute... Aren’t we here to talk about Phones? It turns out phones are great devices for building security solutions. Let’s see it in action.
  10. What is Out of Band Communication? Using a separate network or channel to communicate about one conversation (or transaction).
  11. Banks use Out of Band Communication to send people credit cards and the associated PIN securely. The Classic Example: The PIN Mailer. (Image credit: Devochkina Oxana, from The Noun Project)
  12. Out of Band Communication: The Classic Way. 1 transaction (sending a customer a new credit card), 2 deliveries: one for the card & one for the PIN.
  13. Phones are the New Hotness when it comes to Out of Band Communication and security.
  14. Out of Band Communication: The Modern Way. 1 transaction (sending a customer a new credit card), 2 deliveries: one mail for the card & one SMS for the PIN.
  15. These Twilio Customers Provide 2-Factor Authentication. Two factor authentication is becoming more & more common. These Twilio customers already provide it.
  16. Two Factor Authentication. Explained. Your server: 1. generates a one time password (OTP); 2. stores the password in the PHP session; 3. delivers the user’s OTP over voice or SMS through Twilio’s server.
  17. Phones Enable Bi-Directional Communication. Being able to both send and receive data from our users is an important feature that sets phones apart on the security front. We can use Twilio to facilitate those Bi-Directional exchanges.
  18. Password Resets don’t work when your Inbox gets Compromised. Email addresses are usually the authority for User Identity. What happens when a user’s email gets compromised? All the linked sites are now compromised too.
  19. Set up a website in your DMZ. Password Resets don’t work, so let’s make them better. 1. Set up a website in your DMZ. 2. When a user asks for a reset, a link goes to their corporate email. 3. Clicking the verification link supplies them with a one-time-password. 4. The user is sent an SMS asking for the one-time-password to verify. 5. The user responds with the one-time-password and is prompted to reset their password.
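The five-step reset flow on slide 19 needs the phone channel in both directions: the DMZ site shows a code, and the user must send that code back from the phone on file. The following is an added example written for this page, not code from the talk or from Twilio. It assumes a hypothetical DMZ host `reset.example.com`, email and SMS senders injected as plain callables (in production the SMS sender would call Twilio's REST API), and the inbound-SMS webhook fields `From` and `Body` that Twilio posts, answered with a TwiML `<Response><Message>` reply. The check that matters is that a correct code sent from a different phone number does not verify.

```python
"""Bi-directional password-reset flow (slide 19) as a self-contained state
machine.  Added example, not Twilio's code.  Transports are injected so the
code runs offline; `reset.example.com` is a hypothetical host."""
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL = 15 * 60   # seconds the emailed link stays valid (assumed policy)
OTP_TTL = 5 * 60      # seconds the displayed one-time-password stays valid (assumed policy)


@dataclass
class PendingReset:
    email: str
    phone: str                         # registered phone, E.164
    created: float
    otp: Optional[str] = None          # set once the email link is clicked
    otp_issued: float = 0.0
    verified: bool = False


@dataclass
class ResetService:
    users: Dict[str, str]                        # email -> registered phone
    send_email: Callable[[str, str], None]       # (to, message)
    send_sms: Callable[[str, str], None]         # (to, message)
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingReset] = field(default_factory=dict)   # token -> state

    def request_reset(self, email: str) -> Optional[str]:
        """Step 2: an unguessable link goes to the user's corporate email."""
        phone = self.users.get(email)
        if phone is None:
            return None                          # unknown address: no link, no hint
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingReset(email, phone, self.clock())
        self.send_email(email, f"https://reset.example.com/r/{token}")
        return token

    def click_link(self, token: str) -> Optional[str]:
        """Steps 3-4: the DMZ page shows a 6-digit OTP and an SMS asks for it back."""
        st = self.pending.get(token)
        if st is None or self.clock() - st.created > TOKEN_TTL:
            self.pending.pop(token, None)        # expired link is discarded
            return None
        st.otp = f"{secrets.randbelow(10**6):06d}"
        st.otp_issued = self.clock()
        self.send_sms(st.phone, "Reply with the code shown on the reset page to continue.")
        return st.otp

    def inbound_sms(self, form: Dict[str, str]) -> str:
        """Step 5: Twilio's inbound webhook posts `From` and `Body`; reply is TwiML.
        Only the registered phone may verify, and the code is single use."""
        sender, body = form.get("From", ""), form.get("Body", "").strip()
        for st in self.pending.values():
            if (st.otp is not None and not st.verified and st.phone == sender
                    and self.clock() - st.otp_issued <= OTP_TTL
                    and hmac.compare_digest(st.otp.encode(), body.encode())):
                st.verified = True
                st.otp = None
                return twiml("Verified. Return to the reset page to choose a new password.")
        return twiml("Code not recognised.")

    def can_reset(self, token: str) -> bool:
        st = self.pending.get(token)
        return st is not None and st.verified


def twiml(text: str) -> str:
    """Build the <Response><Message>...</Message></Response> body Twilio expects."""
    root = ET.Element("Response")
    ET.SubElement(root, "Message").text = text
    return ET.tostring(root, encoding="unicode")


def demo() -> bool:
    """Run the flow against constructed data; True when the wrong phone is
    rejected and the registered phone is accepted."""
    emails: List[tuple] = []
    texts: List[tuple] = []
    svc = ResetService(
        users={"alice@corp.example": "+15555550100"},   # constructed sample user
        send_email=lambda to, msg: emails.append((to, msg)),
        send_sms=lambda to, msg: texts.append((to, msg)),
    )
    token = svc.request_reset("alice@corp.example")
    otp = svc.click_link(token)
    svc.inbound_sms({"From": "+15555550199", "Body": otp})   # right code, wrong phone
    if svc.can_reset(token):
        return False
    svc.inbound_sms({"From": "+15555550100", "Body": otp})   # registered phone
    return svc.can_reset(token) and len(emails) == 1 and len(texts) == 1


if __name__ == "__main__":
    print("flow ok" if demo() else "flow FAILED")
```

The phone number in the `From` field is the second factor here, so the lookup is keyed on it rather than on the code alone; matching the code from any number would reduce the flow back to "whoever has the email link".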
  20. TRUST BUT VERIFY
  21. Get to know Your Customers. You can use a user’s phone to combat automation and fraudulent signups. Mock-up: (1) Enter your Phone Number, ex. (555) 555 5555; (2) SMS: YOUR CODE: 12345; (3) Verify the Code we Sent You: Enter the Code Here.
  22. (image slide)
  23. Site Image Verification: Explained. Helps users recognize Phishing attempts by displaying an image that they select from a collection when they attempt to login. If the image matches, they supply their credentials. THE PROBLEM: It doesn’t really work. Researchers at Harvard tricked 97% of test subjects in 2007.
  24. Site Image Verification: Twilio Picture Messaging. Use Twilio’s new Picture Messaging to perform Site Image Verification for your users using their own photos. 1. User attaches an image to a message & sends to your Twilio number. 2. Send the user’s Image along with information to verify authenticity & prevent fraud.
  25. Additional Security Info: Geolocation. Knowing where your customers access your services from can help you detect fraud. Also, classifying high risk access areas can help you keep track of risk scores.
  26. This is Not Rocket Science. You could go and build these tomorrow.
  27. When all you have is a Hammer, avoid turning EVERYTHING into a Nail. Things can go wrong with Out of Band Communication - make sure you expire One Time Passwords and have a Backup Plan for when they do.
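Slides 16, 21 and 27 together describe the OTP lifecycle: generate a code, keep it in the session, deliver it over SMS or voice, expire it, and have a fallback when delivery fails. This added example (not Twilio's code, not from the talk) shows one way to do that in Python: the code is stored only as an HMAC, expires after a fixed TTL, tolerates a bounded number of wrong guesses before it is invalidated, is single use, and a set of pre-issued backup codes covers the case where the SMS never arrives. The `deliver` callable and the TTL and attempt limits are assumptions; in production `deliver` would call Twilio's REST API and the key would come from a managed secret rather than the process.

```python
"""One-time-password lifecycle for SMS/voice 2FA: hashed at rest, expiring,
attempt-limited, single use, with backup codes as the fallback.  Added
example; the delivery callable stands in for Twilio's REST client."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

OTP_DIGITS = 6
OTP_TTL = 300          # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5       # wrong guesses before the code is discarded (assumed policy)
# Per-process key so stored codes are not usable if the session store leaks.
# Assumption for the example: a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(value: str) -> bytes:
    """Keyed hash of a code; this is what gets stored, never the code itself."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()


@dataclass
class OtpRecord:
    mac: bytes
    expires: float
    attempts: int = 0


@dataclass
class OtpService:
    deliver: Callable[[str, str], None]                  # (phone, message)
    clock: Callable[[], float] = time.time
    pending: Dict[str, OtpRecord] = field(default_factory=dict)   # user id -> record
    backup: Dict[str, List[bytes]] = field(default_factory=dict)  # user id -> unused backup MACs

    def issue(self, user: str, phone: str) -> None:
        """Slide 16 steps 1-3: generate, store (hashed) in the session, deliver."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = OtpRecord(_mac(code), self.clock() + OTP_TTL)
        self.deliver(phone, f"Your verification code is {code}")

    def verify(self, user: str, code: str) -> bool:
        """Slide 27: an expired or brute-forced code is dropped and must be re-issued."""
        rec = self.pending.get(user)
        if rec is None:
            return False
        if self.clock() > rec.expires or rec.attempts >= MAX_ATTEMPTS:
            del self.pending[user]
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.mac, _mac(code)):
            del self.pending[user]               # single use
            return True
        return False

    def issue_backup_codes(self, user: str, n: int = 8) -> List[str]:
        """Backup plan: codes shown once at enrolment, stored hashed, each usable once."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup[user] = [_mac(c) for c in codes]
        return codes

    def verify_backup(self, user: str, code: str) -> bool:
        macs = self.backup.get(user, [])
        probe = _mac(code)
        for i, m in enumerate(macs):
            if hmac.compare_digest(m, probe):
                del macs[i]                      # consumed
                return True
        return False


if __name__ == "__main__":
    svc = OtpService(deliver=lambda phone, msg: print(f"SMS to {phone}: {msg}"))
    svc.issue("alice", "+15555550100")           # constructed sample user
    print("backup codes:", svc.issue_backup_codes("alice", 3))
```

The attempt limit matters because a 6-digit code with no limit is a one-in-a-million guess per try but a certainty given enough tries within the TTL; dropping the record after `MAX_ATTEMPTS` forces a fresh code and a fresh delivery, which is also the signal to watch for in logs.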
  28. Be Creative. What Telephony Security Solutions can you Brainstorm? • Telephony DOS Protection? • Voice Biometrics? • Out of Band Image Passwords? • Physical Phone Security? • Telephony Infrastructure Auditing? ;)
  29. IN CONCLUSION
  30. Here are some Takeaways. • Security is an __ENABLER__. • Use Out of Band Communication for Delivery & __RECEIPT__. • Reduce Automation w/ User Verification. • Reduce Phishing by Improving Site Verification. • Reduce Fraud by Combining Intelligent Sources.
  31. QUESTIONS? flee@twilio.com
