Architecting Phone Based Security Solutions


description

This is a talk about using Twilio to build security solutions given by Twilio's Lead Security Engineer, Fredrick DeQuan Lee, at TwilioCon 2013.

Transcript of Architecting Phone Based Security Solutions

Page 1: Architecting Phone Based Security Solutions

#TWILIOCON

Architecting Phone Based Security Solutions

FREDRICK DEQUAN LEE, LEAD SECURITY ENGINEER @ TWILIO

Page 2: Architecting Phone Based Security Solutions


Call me Flee. I’m part of Twilio’s Security Team

Page 3: Architecting Phone Based Security Solutions


Let’s talk about security.

Page 4: Architecting Phone Based Security Solutions


By the end of this talk, you’ll be able to answer these questions.

1. How does Twilio think about security?

2. How can Twilio help you with security?

2A. What is Out of Band Communication?

2B. How can I use my existing threat intelligence with Twilio?

Page 5: Architecting Phone Based Security Solutions

SECURITY @ TWILIO

Page 6: Architecting Phone Based Security Solutions

Twilio. We’re a little different.

Image Credit: catherineplease, from The Noun Project

Page 7: Architecting Phone Based Security Solutions

WE ARE MORE THAN

JUST FIREFIGHTERS.

Page 8: Architecting Phone Based Security Solutions

We are Builders. We want to know how we can use Security to help us do more.

Page 9: Architecting Phone Based Security Solutions

Wait a minute... Aren’t we here to talk about Phones? It turns out phones are great devices for building security solutions. Let’s see it in action.

Page 10: Architecting Phone Based Security Solutions

What is Out of Band Communication?

Using a separate network or channel to communicate about one conversation (or transaction).

Page 11: Architecting Phone Based Security Solutions

Banks use Out of Band Communication to send people credit cards and the associated PIN securely.

The Classic Example: The PIN Mailer

Image Credit: Devochkina Oxana, from The Noun Project

Page 12: Architecting Phone Based Security Solutions

Out of Band Communication: The Classic Way.

1 TRANSACTION: Sending a customer a new Credit Card

2 DELIVERIES: One for the card & one for the PIN.

Page 13: Architecting Phone Based Security Solutions

Phones are the New Hotness when it comes to Out of Band Communication and security.

Page 14: Architecting Phone Based Security Solutions

Out of Band Communication: The Modern Way.

1 TRANSACTION: Sending a customer a new Credit Card

2 DELIVERIES: One mail for the card & one SMS for the PIN.

Page 15: Architecting Phone Based Security Solutions


These Twilio Customers Provide 2-Factor Authentication.

Two factor authentication is becoming more & more common.

These Twilio customers already provide it.

Page 16: Architecting Phone Based Security Solutions

Two Factor Authentication. Explained.

[Diagram: YOUR SERVER and TWILIO’S SERVER]

1. Generates a one time password (OTP)

2. Stores password in the PHP session

3. Deliver the user’s OTP over voice or SMS
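The three steps on this slide are the server side of an SMS or voice OTP. The following is an added example written for this transcript, not code from the talk or from Twilio: it generates the code from a CSPRNG, keeps it bound to the session with an expiry and an attempt limit (the "expire One Time Passwords" caveat the talk raises later), and hands the code to an injected `send` callable so it runs offline. In production that callable would call Twilio's messaging or voice API. The class and function names, the five-minute lifetime and the five-attempt limit are assumptions.

```python
"""Server-side half of the OTP flow on the slide (added example, not the talk's code).
Delivery is a callable so the code runs offline; in production that callable
would call Twilio's messaging or voice API. All names and limits are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OtpService:
    send: Callable[[str, str], None]            # (phone_number, message) -> None
    clock: Callable[[], float] = time.time       # injectable so tests can fast-forward
    pending: Dict[str, PendingOtp] = field(default_factory=dict)  # session id -> OTP

    def issue(self, session_id: str, phone_number: str) -> None:
        # Step 1: CSPRNG-generated code, zero-padded so every code is OTP_DIGITS long.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Step 2: keep it server-side, bound to the session, with an expiry.
        self.pending[session_id] = PendingOtp(code, self.clock() + OTP_TTL_SECONDS)
        # Step 3: deliver out of band. The code itself never goes to the browser.
        self.send(phone_number, f"Your verification code is {code}")

    def verify(self, session_id: str, submitted: str) -> bool:
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at or entry.attempts_left <= 0:
            del self.pending[session_id]        # expired or locked: force a fresh issue
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code, submitted.strip())
        if ok:
            del self.pending[session_id]        # single use: a replayed code fails
        return ok


def wrong_code(code: str) -> str:
    """Constructed helper: a code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def demo() -> Dict[str, bool]:
    """Walk the flow with a fake clock and a recording sender (no network)."""
    sent = []
    now = [1000.0]
    svc = OtpService(send=lambda num, msg: sent.append((num, msg)), clock=lambda: now[0])

    svc.issue("sess-1", "+15005550006")          # constructed phone number
    code = sent[-1][1].split()[-1]
    results = {
        "wrong_guess": svc.verify("sess-1", wrong_code(code)),
        "right_guess": svc.verify("sess-1", code),
        "replay": svc.verify("sess-1", code),
    }

    svc.issue("sess-2", "+15005550006")
    code = sent[-1][1].split()[-1]
    now[0] += OTP_TTL_SECONDS + 1                 # fast-forward past the lifetime
    results["expired"] = svc.verify("sess-2", code)

    svc.issue("sess-3", "+15005550006")
    code = sent[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        svc.verify("sess-3", wrong_code(code))
    results["locked_out"] = svc.verify("sess-3", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The slide stores the code in the PHP session; the same rules apply there: the comparison is constant-time, a correct code is consumed on first use, and an expired or locked code is discarded rather than left in the session for later guesses.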

Page 17: Architecting Phone Based Security Solutions
Page 18: Architecting Phone Based Security Solutions

Phones Enable Bi-Directional Communication.

Being able to both send and receive data from our users is an important feature that sets phones apart on the security front. We can use Twilio to facilitate those Bi-Directional exchanges.

Page 19: Architecting Phone Based Security Solutions

Password Resets don’t work when your Inbox gets Compromised.

Email addresses are usually the authority for User Identity. What happens when a user’s email gets compromised? All the linked sites are now compromised too.

Page 20: Architecting Phone Based Security Solutions

Password Resets don’t work, so let’s make them better.

1 Setup a website in your DMZ.

2 When a user asks for a reset, a link goes to their corporate email.

3 Clicking the verification link supplies them with a one-time-password.

4 User is sent an SMS asking for the one-time-password to verify.

5 The user responds with the one-time-password and is prompted to reset their password.
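Steps 2 to 5 form one flow, so here is the whole thing as an added example written for this transcript (not the talk's code and not a Twilio sample). The point it makes explicit is why a compromised inbox is no longer enough: the email link only gets the attacker to a page showing an OTP, and the OTP has to come back from the phone number already on file for the account, which the reset request cannot change. Email and SMS delivery are injected callables so it runs offline; `ResetFlow`, `Account`, the `reset.example.invalid` URL and the 15-minute lifetime are assumptions.

```python
"""The reset flow on the slide, steps 2-5 (added example, not the talk's code).
Email and SMS delivery are callables so it runs offline; in production they
would call your mail system and Twilio. Names, URL and lifetimes are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LINK_TTL_SECONDS = 900   # assumption: the email link and the OTP live 15 minutes
RESET_URL = "https://reset.example.invalid/verify"   # constructed: the DMZ site from step 1


@dataclass
class Account:
    username: str
    email: str
    phone: str    # number on file; never taken from the reset request itself


@dataclass
class Pending:
    username: str
    otp: str
    expires_at: float


@dataclass
class ResetFlow:
    accounts: Dict[str, Account]
    send_email: Callable[[str, str], None]
    send_sms: Callable[[str, str], None]
    clock: Callable[[], float] = time.time
    email_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (user, expiry)
    awaiting_sms: Dict[str, Pending] = field(default_factory=dict)           # phone -> pending OTP
    grants: Dict[str, str] = field(default_factory=dict)                     # grant -> username

    def request_reset(self, username: str) -> None:
        """Step 2: an unguessable, single-use link goes to the address on file."""
        acct = self.accounts.get(username)
        if acct is None:
            return   # same outward behaviour either way: no username enumeration
        token = secrets.token_urlsafe(32)
        self.email_tokens[token] = (username, self.clock() + LINK_TTL_SECONDS)
        self.send_email(acct.email, f"{RESET_URL}?t={token}")

    def click_link(self, token: str) -> Optional[str]:
        """Steps 3 and 4: show an OTP on the page and ask for it over SMS."""
        entry = self.email_tokens.pop(token, None)   # consumed on first use
        if entry is None or self.clock() > entry[1]:
            return None
        username, _ = entry
        acct = self.accounts[username]
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.awaiting_sms[acct.phone] = Pending(username, otp, self.clock() + LINK_TTL_SECONDS)
        self.send_sms(acct.phone, "Reply with the code shown on the reset page to continue.")
        return otp

    def handle_sms_reply(self, from_number: str, body: str) -> Optional[str]:
        """Step 5: the reply must come from the phone on file and carry the OTP.
        Returns a one-time grant the reset page requires, or None."""
        pending = self.awaiting_sms.pop(from_number, None)   # one try per OTP
        if pending is None or self.clock() > pending.expires_at:
            return None
        if not hmac.compare_digest(pending.otp, body.strip()):
            return None
        grant = secrets.token_urlsafe(32)
        self.grants[grant] = pending.username
        return grant

    def complete_reset(self, grant: str) -> Optional[str]:
        """Returns the username allowed to set a new password, consuming the grant."""
        return self.grants.pop(grant, None)


def demo() -> Dict[str, object]:
    """Run the flow end to end with recording senders (constructed account data)."""
    emails: List[Tuple[str, str]] = []
    texts: List[Tuple[str, str]] = []
    flow = ResetFlow(
        accounts={"alice": Account("alice", "alice@corp.example.invalid", "+15005550006")},
        send_email=lambda to, body: emails.append((to, body)),
        send_sms=lambda to, body: texts.append((to, body)),
    )
    flow.request_reset("alice")
    token = emails[-1][1].split("?t=")[1]
    otp = flow.click_link(token)
    stranger = flow.handle_sms_reply("+15005550007", otp or "")   # wrong phone: refused
    grant = flow.handle_sms_reply(texts[-1][0], otp or "")         # phone on file: allowed
    return {
        "link_reused": flow.click_link(token),                      # None: single use
        "stranger_granted": stranger is not None,
        "user": flow.complete_reset(grant) if grant else None,
    }
```

Matching the SMS reply on its `From` number is what ties the second channel to the account; an attacker who only controls the inbox can read the OTP off the page but cannot send it from the enrolled phone.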

Page 21: Architecting Phone Based Security Solutions

TRUST BUT VERIFY

Page 22: Architecting Phone Based Security Solutions

Get to know Your Customers. You can use a user’s phone to combat automation and fraudulent signups.

[Mockup of the signup flow: 1. "Enter your Phone Number (Ex. (555) 555 5555)"; 2. the SMS "YOUR CODE: 12345"; 3. "Verify the Code we Sent You / Enter the Code Here"]

Page 23: Architecting Phone Based Security Solutions


Page 24: Architecting Phone Based Security Solutions


Site Image Verification: Explained.

Helps users recognize Phishing attempts by displaying an image that they select from a collection when they attempt to login. If the image matches, they supply their credentials.

THE PROBLEM: It doesn’t really work. Researchers at Harvard tricked 97% of test subjects in 2007.

Page 25: Architecting Phone Based Security Solutions

Site Image Verification: Twilio Picture Messaging

Use Twilio’s new Picture Messaging to perform Site Image Verification for your users using their own photos.

1. User attaches an image to a message & sends to your Twilio number.

2. Send the user’s Image along with information to verify authenticity & prevent fraud.

Page 26: Architecting Phone Based Security Solutions

Additional Security Info: Geolocation

Knowing where your customers access your services from can help you detect fraud. Also, classifying high risk access areas can help you keep track of risk scores.

Page 27: Architecting Phone Based Security Solutions
Page 28: Architecting Phone Based Security Solutions

This is Not Rocket Science. You could go and build these tomorrow.

Page 29: Architecting Phone Based Security Solutions

When all you have is a Hammer, avoid turning EVERYTHING into a Nail.

Things can go wrong with Out of Band Communication. Make sure you expire One Time Passwords and have a Backup Plan for when they do.

Page 30: Architecting Phone Based Security Solutions

Be Creative. What Telephony Security Solutions can you Brainstorm?

• Telephony DOS Protection?

• Voice Biometrics?

• Out of Band Image Passwords?

• Physical Phone Security?

• Telephony Infrastructure Auditing? ;)

Page 31: Architecting Phone Based Security Solutions

IN CONCLUSION

Page 32: Architecting Phone Based Security Solutions

Here are some Takeaways.

• Security is an __ENABLER__.

• Use Out of Band Communication for Delivery & __RECEIPT__.

• Reduce Automation w/ User Verification.

• Reduce Phishing by Improving Site Verification.

• Reduce Fraud by Combining Intelligent Sources.