At Twilio, we value trust

Posted: Sun Dec 22, 2024 9:40 am
by poxoja9630
At Twilio, we value trust, which is why we want to protect you and your users from smishing attacks. In this article, we’ll share some best practices to help protect your account.

Best practices to protect yourself against fraud and phishing with Twilio
Someone who steals your Twilio authentication token can act as you: every call, message and API request they make is attributed to your account. Fraudsters can place calls, send messages under your trusted identity, download your call and message logs, or repoint the webhook URLs configured on your Twilio phone numbers so that your traffic is handled by a server they control.

When your authentication token is hijacked, it can quickly result in significant charges on your Twilio account. Even worse, messages and calls sent from your numbers by an attacker can do lasting damage to your reputation and to the trust between you and your customers.

To address these situations, we have enhanced our controls to detect fraudulent account activity. Detection on our side is only half of the picture, so we also want to emphasize the precautions customers can take to prevent unwanted access to their account. Here are some basic security practices to help protect your Twilio authentication token from fraudulent use.

Protect your authentication token
Never give your authentication token away, store it on the Internet, or leave it lying around. Protect it as carefully as you would a password, because that’s exactly what it is.

Do not hardcode keys or tokens
Never hardcode keys or tokens into your application. Anything compiled into a mobile app or shipped in browser JavaScript is in the hands of every user, and it is easy to retrieve these credentials by decompiling the application or reading the bundle. Keep Twilio API calls on your server, where the token can be kept private, and never make them from client-side code.

Do not send credentials to public repositories
Never push your tokens to public repositories such as GitHub. If you do so by mistake, treat the token as compromised and rotate it immediately (see next tip); deleting the commit or rewriting history is not enough, because the token may already have been copied from the public history. Instead of committing the token, set it as an environment variable (or store it in a secrets manager) and read that variable from your code at runtime. The code then carries no secret, and a copy of the code running outside an environment that has the variable cannot call the API.
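The two tips above come down to one discipline: the token lives only in the runtime environment of your server, never in the code. The Python below is an added example written for this page, not Twilio's code or the original post's. It does two things: find_hardcoded_credentials() scans source text for Twilio-looking credential literals before they reach a repository, and load_twilio_credentials() reads the credentials from environment variables and refuses to start when they are missing or malformed. It assumes the Account SID format "AC" followed by 32 hex characters and a 32-hex-character auth token; the two snippets it scans and the credential values in them are constructed for the example and are not real. The twilio.rest import appears only inside the scanned snippets, so the example itself needs no third-party package.

```python
# Added example (not Twilio's code): keep the Twilio auth token out of source.
# Assumed formats: Account SID = "AC" + 32 hex characters, auth token = 32 hex
# characters. All snippets and credential values below are constructed.
import os
import re
from typing import Mapping, Optional

SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
TOKEN_VALUE_RE = re.compile(r"[0-9a-f]{32}")
# A 32-hex literal assigned to a variable whose name suggests a token or secret.
TOKEN_ASSIGN_RE = re.compile(
    r"""(?i)\b(auth[_-]?token|api[_-]?secret|twilio[_-]?token)\s*[:=]\s*["']([0-9a-f]{32})["']"""
)

# Constructed snippet: what NOT to commit (credentials as literals).
HARDCODED_SNIPPET = '''
from twilio.rest import Client
account_sid = "AC0123456789abcdef0123456789abcdef"
auth_token = "fedcba9876543210fedcba9876543210"
client = Client(account_sid, auth_token)
'''

# Constructed snippet: the same client built from environment variables.
ENV_SNIPPET = '''
import os
from twilio.rest import Client
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
'''


def redact(value: str) -> str:
    """Show only the ends of a secret so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, kind, redacted_value) for each credential literal found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SID_RE.finditer(line):
            findings.append((lineno, "account_sid", redact(m.group(0))))
        for m in TOKEN_ASSIGN_RE.finditer(line):
            findings.append((lineno, "auth_token", redact(m.group(2))))
    return findings


def load_twilio_credentials(env: Optional[Mapping[str, str]] = None) -> tuple:
    """Read SID and token from the environment; fail fast on missing or malformed values."""
    env = os.environ if env is None else env
    sid = env.get("TWILIO_ACCOUNT_SID", "")
    token = env.get("TWILIO_AUTH_TOKEN", "")
    if not SID_RE.fullmatch(sid):
        raise RuntimeError("TWILIO_ACCOUNT_SID is missing or malformed")
    if not TOKEN_VALUE_RE.fullmatch(token):
        raise RuntimeError("TWILIO_AUTH_TOKEN is missing or malformed")
    return sid, token


if __name__ == "__main__":
    for name, snippet in (("hardcoded", HARDCODED_SNIPPET), ("env-based", ENV_SNIPPET)):
        hits = find_hardcoded_credentials(snippet)
        print(f"{name}: {len(hits)} credential literal(s) found")
        for lineno, kind, shown in hits:
            print(f"  line {lineno}: {kind} {shown}")
    # Simulate a deployment environment that carries the (constructed) credentials.
    fake_env = {
        "TWILIO_ACCOUNT_SID": "AC0123456789abcdef0123456789abcdef",
        "TWILIO_AUTH_TOKEN": "fedcba9876543210fedcba9876543210",
    }
    sid, token = load_twilio_credentials(fake_env)
    print("loaded", redact(sid), redact(token))
```

Run the scanner over staged files from a pre-commit hook so a literal never reaches the repository; the loader is what your server-side code should call at startup, so a deployment that lacks the variables fails immediately instead of silently running without Twilio access.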

Rotate your tokens regularly
Change your authentication tokens regularly, so that a token that has leaked without your knowledge stops working before it can be used against you. The rule is to think of credentials like a toothbrush: rotate them every three months and do not share them with others.