Protect Your GatewayAPI Account Against Scammers
SMS fraud is a major problem worldwide, with many people being either harassed or scammed via SMS.
Increasingly, the scammers have also started to target companies that send A2P SMS traffic, where the scammers use the companies’ accounts as part of various scams.
At GatewayAPI, we take security very seriously and have introduced a number of security measures, including requirements for URL whitelisting and 2FA when logging in, as well as providing a number of tools that can help protect your account from abuse. In addition, we continuously monitor traffic and intervene if there is something that differs from the normal patterns.
With that said, we cannot catch everything, and we therefore also encourage our customers to review the security of their GatewayAPI account as well as review the security of the systems connected to our APIs to ensure that there are no vulnerabilities.
Below we will go over the different types of attacks taking place today, and then we will detail what you can do to protect yourself against them.
Examples of SMS scams
There are many different types of SMS scams and the aim of the attacks is usually to enrich the scammers via various ingenious methods.
To give you an understanding of what fraudsters can gain by accessing your account or exploiting your signup flow, we have included some of the most common SMS scams:
- SMS phishing messages (also called Smishing) that contain a link where the aim is to extract information from the user or get the user to download malware.
- SMS spam that promotes, for example, payday loan services and pages with adult content, or that contains political messages.
- SMS traffic pumping, also known as SMS toll fraud, SMS 2FA Premium Rate Fraud or Artificially Inflated Traffic (AIT), where a bot is used to request thousands of 2FA verification codes, which are sent to numbers where the scammers receive a share of the revenue generated.
Below you can read more about what you can do to help ensure that your account is not involved in one of the above scams.
In your GatewayAPI dashboard, you have the option of setting up IP whitelisting, which has the effect that only approved IP addresses can send SMS messages from your GatewayAPI account.
This security measure ensures that even if your API keys or systems have been compromised, other parties will not be able to use your account to send SMS messages. It is thus a fast and efficient method to greatly improve the security of your GatewayAPI account.
The security of the IP whitelist feature can be further increased by using a virtual private network (VPN). If your company uses a VPN, you can add the IP address of the VPN to your allowed IP addresses. Even if your token is shared and someone gets access to your network, they will not be able to perform any API calls without additional access to your VPN.
Read more about how to set up IP whitelisting on the GatewayAPI platform here.
Under your GatewayAPI settings, you have the option of setting up geo permissions, which can protect your account against misuse by ensuring that your account is only able to send SMS messages to enabled countries. Please also note that this feature is only applied to the REST API.
If it matches your SMS business case, you can choose to disallow all countries by default and then enable those countries that you are sending SMS traffic to. This is especially relevant for customers that manage SMS broadcasts themselves.
If you instead offer e.g. a SaaS service to customers all over the world where SMS communication is integrated in the service, it may be difficult to predict in advance which countries you are going to send SMS traffic to via your GatewayAPI account. In this case you might consider enabling all countries except specific high risk countries instead.
Read more about how to set up geo permissions in our FAQ section.
Increase the security of systems connected to APIs
We often see that hackers gain access to systems that have been connected to our APIs. This way, fraudsters are able to send SMS traffic through GatewayAPI, even though the security of the GatewayAPI platform has not in fact been compromised.
We have therefore collected a number of the most important security-related focus areas, which you can review and assess the relevance of in relation to your system and your setup. Often, a combination of these security measures will cause hackers and bots to move on to easier targets, unless of course you have been specifically singled out.
Set up extra protection on login flows
Protect your login flow against brute force attacks, where a bot tries to guess the password by going through thousands of combinations. This can be easily countered by setting a limit on how many times a user can enter an incorrect password before a time-out is inserted on login attempts. It can be, for example, three attempts before a time-out of one minute is implemented.
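The lockout described above (three wrong passwords, then a one-minute time-out) can be sketched as follows. This is an added example, not GatewayAPI code; the class name `LoginThrottle`, its in-memory storage and the `verify` callable are assumptions made for illustration.

```python
import time


class LoginThrottle:
    """Lock a user out for a fixed time after too many wrong passwords."""

    def __init__(self, max_failures=3, lockout_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures        # three attempts, as in the text
        self.lockout_seconds = lockout_seconds  # one-minute time-out
        self.clock = clock                      # injectable so the policy can be tested
        self._failures = {}                     # username -> consecutive failures
        self._locked_until = {}                 # username -> clock value when the lock ends

    def seconds_locked(self, username):
        """Remaining lockout in seconds, 0 if the user may try again."""
        remaining = self._locked_until.get(username, 0) - self.clock()
        return max(0, remaining)

    def attempt(self, username, verify):
        """Run verify() (a callable returning True for a correct password)
        unless the user is locked out. Returns True only on a successful login."""
        if self.seconds_locked(username) > 0:
            return False                        # guesses during the time-out are not evaluated
        if verify():
            self._failures.pop(username, None)  # success resets the counter
            return True
        count = self._failures.get(username, 0) + 1
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            count = 0                           # fresh budget once the lock expires
        self._failures[username] = count
        return False
```

Keying the counter on the username alone lets anyone lock a known account for the length of the time-out, so production systems usually also track failures per source IP address and keep the state in a shared store rather than in process memory.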
In addition, you can encourage or require two-factor authentication when users create an account and afterwards log in to your system. Here it is also important that you use several of the other security mechanisms, so that you are not vulnerable to traffic pumping, which was described above.
You can also consider implementing reCAPTCHA or hCAPTCHA to counter attacks from bots.
Insert a rate limit
Set up protection against the same messages being sent thousands of times within a short period of time. This is achieved by setting a rate limit on the number of SMS messages that can be sent per second/minute/hour from a user or collectively from your account, allowing you to halt the broadcast in due time. It is particularly relevant if, for example, you offer software solutions where SMS communication is integrated, which the end users can use.
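One way to enforce such limits in your own system before a message is handed to the SMS API, shown as an added example that is not GatewayAPI code: a sliding-window limiter with separate per-user and account-wide budgets. The class name `SmsRateLimiter`, the in-memory storage and the limit values used when calling it are assumptions.

```python
import time
from collections import defaultdict, deque


class SmsRateLimiter:
    """Sliding-window limits on SMS sends, per user and for the whole account."""

    def __init__(self, user_limits, account_limits, clock=time.monotonic):
        # Each limits list holds (max_messages, window_seconds) pairs,
        # e.g. [(5, 60), (30, 3600)] means 5 per minute and 30 per hour.
        self.user_limits = user_limits
        self.account_limits = account_limits
        self.clock = clock                        # injectable for testing
        self._user_sends = defaultdict(deque)     # user_id -> send timestamps
        self._account_sends = deque()             # every send from the account

    @staticmethod
    def _within(sends, limits, now):
        """True if one more send at time `now` stays inside every limit."""
        longest = max(window for _, window in limits)
        while sends and now - sends[0] >= longest:
            sends.popleft()                       # older than every window
        for max_messages, window in limits:
            recent = sum(1 for t in sends if now - t < window)
            if recent >= max_messages:
                return False
        return True

    def allow(self, user_id):
        """Return True and record the send, or False if any limit is hit."""
        now = self.clock()
        user_sends = self._user_sends[user_id]
        if not self._within(user_sends, self.user_limits, now):
            return False                          # this user is over budget
        if not self._within(self._account_sends, self.account_limits, now):
            return False                          # the account as a whole is over budget
        user_sends.append(now)
        self._account_sends.append(now)
        return True
```

A rejected send is a useful signal in its own right: logging or alerting on `allow()` returning False gives early warning of a compromised user or a traffic-pumping bot.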
Limitations on API Endpoints
It can also be beneficial to keep track of all API endpoints. Even if an API endpoint is in a testing phase, there should be a limit on how many messages can be sent through the endpoint.
To conclude this blog post, we have listed a number of best practices when it comes to IT security:
- Choose a strong password for your GatewayAPI account and the systems connected to the APIs belonging to GatewayAPI.
- Update your passwords regularly.
- Ensure that the right people have access to GatewayAPI and systems connected to GatewayAPI and that their access level matches their use.
- Make sure that login information or credentials are not shared with third parties or via channels that are not safe. If they are, create a new password or generate new API keys.
Thank you for reading this post! We hope that it has enlightened you on what additional security measures you can implement to avoid your GatewayAPI account being involved in an SMS scam.
If you have any questions about the information above, you are always welcome to contact us on the support chat or at firstname.lastname@example.org.