Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Architecting Phone Based Security Solutions


Published on

This is a talk about using Twilio to build security solutions given by Twilio's Lead Security Engineer, Fredrick DeQuan Lee, at TwilioCon 2013.

Published in: Technology
  • Be the first to comment

Architecting Phone Based Security Solutions

  1. 1. #TWILIOCON Architecting Phone Based Security Solutions FREDRICK DEQUAN LEE, LEAD SECURITY ENGINEER @ TWILIO
  2. 2. #TWILIOCON Call me Flee. I’m part of Twilio’s Security Team
  3. 3. #TWILIOCON Let’s talk about security.
  4. 4. #TWILIOCON By the end of this talk, 1. How does Twilio think about security? you’ll be able to answer these questions. 2. How can Twilio help you with security? 2A. What is Out of Band Communication? 2B. How can I use my existing threat intelligence with Twilio?
  6. 6. #TWILIOCON Twilio. We’re a little different. ImageCredit:catherineplease,fromTheNounProject
  8. 8. #TWILIOCON We are Builders. We want to know how we can use Security to help us do more.
  9. 9. #TWILIOCON Wait a minute... Aren’t we here to talk about Phones? It ends up, phones are great devices for building security solutions. Let’s see it in action.
  10. 10. #TWILIOCON What is Out of Bound Communication? Using a separate network or channel to communicate about one conversation(or transaction)
  11. 11. #TWILIOCON Banks use Out of Band Communication to send people credit cards and the associated PIN number securely. The Classic Example: The PIN Mailer Image Credit: Devochkina Oxana, from The Noun Project
  12. 12. #TWILIOCON Out of Band Communication: The Classic Way. 1 TRANSACTION 2 DELIVERIES Sending a customer a new Credit Card One for the card & one for the PIN.
  13. 13. #TWILIOCON Phones are the New Hotness. When it comes to Out of Band Communication and security.
  14. 14. #TWILIOCON Out of Band Communication: The Modern Way. 1 TRANSACTION Sending a customer a new Credit Card 2 DELIVERIES One mail for the card & one SMS for the PIN.
  15. 15. #TWILIOCON These Twilio Customers Provide 2-Factor Authentication. Two factor authentication is becoming more & more common. These Twilio customers already provide it.
  16. 16. YOUR SERVER TWILIO’S SERVER 1. Generates a one time password (OTP) 2. Stores password in the PHP session 3. Deliver the user’s OTP over voice or SMS Two Factor Authentication. Explained.
  17. 17. #TWILIOCON Phones Enable Bi-Directional Communication. Being able to both send and receive data from our users is an important feature that sets phones apart on the security front. We can use Twilio to facilitate those Bi-Directional exchanges.
  18. 18. #TWILIOCON Password Resets don’t work when your Inbox gets Compromised. Email addresses are usually the authority for User Identity. What happens when a user’s email gets compromised? All the linked sites are now compromised too.
  19. 19. #TWILIOCON Setup a website in your DMZ. Password Resets don’t work, so let’s make them better. 1 2 When a user asks for a reset, a link goes to their corporate email. 3 Clicking the verification links supplies them with a one-time-password. 4 User is sent an SMS asking for the one-time-password to verify. 5 The user responds with the one-time-password and is prompted to reset their password.
  21. 21. #TWILIOCON Get to know Your Customers. You can use a user’s phone to combat automation and fraudulent signups. Enter your Phone Number Ex. (555) 555 5555 Verify the Code we Sent You Enter the Code Here 1 32 YOUR CODE: 12345
  22. 22. #TWILIOCON
  23. 23. #TWILIOCON Site Image Verification: Explained. Helps users recognize Phishing attempts by displaying an image that they select from a collection when they attempt to login. If the image matches, they supply their credentials. THE PROBLEM: It doesn’t really work. Researchers at Harvard tricked 97% of test subjects in 2007.
  24. 24. #TWILIOCON Site Image Verification: Twilio Picture Messaging Use Twilio’s new Picture Messaging to perform Site Image Verification for your users using their own photos. 1. User attaches an image to a message & sends to your Twilio number. 2. Send the user’s Image along with information to verify authenticity & prevent fraud.
  25. 25. #TWILIOCON Additional Security Info: Geolocation Knowing where your customers access your services from can help you detect fraud. Also, classifying high risk access areas can help you keep track of risk scores.
  26. 26. #TWILIOCON This is Not Rocket Science. You could go and build these tomorrow.
  27. 27. #TWILIOCON When all you have is a Hammer. Avoid turning EVERYTHING into a Nail. Things can go wrong with Out of Band Communication - Make sure you expire One Time Passwords and have a Backup Plan for when they do.
  28. 28. #TWILIOCON Be Creative. What Telephony Security Solutions can you Brain Storm? • Telephony DOS Protection? • Voice Biometrics? • Out of Band Image Passwords? • Physical Phone Security? • Telephony Infrastructure Auditing? ;)
  30. 30. #TWILIOCON Here are some Takeaways. • Security is an __ENABLER__. • Use Out of Band Communication for Delivery & __RECEIPT__. • Reduce Automation w/ User Verification. • Reduce Phishing by Improving Site Verification. • Reduce Fraud by Combining Intelegent Sources.
  31. 31. QUESTIONS?