Security Measures by all Telecom Operators/SMS Aggregators

  1. It has been observed with grave concern that misleading SMS have been disseminated to telecom subscribers, as the relevant operators/SMS aggregators had not employed sufficient security controls to mitigate such threats. Furthermore, some of them are not maintaining the required logs.
  2. In order to safeguard against such attacks in future, the following security measures should be included, along with other effective standard security controls, by all Telecom operators:

| No. | Recommendations | Applicable To |
|-----|-----------------|---------------|
| 1 | All licensees should manage their servers within Pakistan, as per the license awarded to them, which clearly mentions to establish, maintain and operate in Pakistan. | All Licensees |
| 2 | Bind static IP addresses with user accounts for API / Web portal. Access to foreign IP addresses should be blocked through geo-fencing at firewalls. | All Licensees |
| 3–4 | Maintain all types of logs including but not limited to Access Log, Events Log, “Failed Login Attempts with complete IP details” and “API failed connections”, in accordance with clause 6 (5) of CTDISR 2000, issued by PTA. | All Licensees |
| 5 | Password baselining restrictions be implemented, i.e. blocking of account on a limited number of failed attempts. | All Licensees |
| 6 | Dedicated / Managed services of Web Application Firewall (WAF) be used to secure networks from layer 7 attacks. | All Licensees |
| 7 | Security from roaming SMS links be ensured. | Whoever is providing SMS service |
| 8 | Two-factor authentication (2FA) be implemented for all customers on every login to SMS application. An OTP be used for every broadcast message. | SMS Aggregator/ CMOs |
| 9 | Weblinks in the SMS content be blocked, as these generally refer to phishing links. | SMS Aggregator/ CMOs |
| 10 | Personal Data Requests should not be allowed in the SMS. | SMS Aggregator/ CMOs |
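
The access controls in recommendations 2 to 5 (static IP binding, failed-login logging with IP details, and lockout after a limited number of failures) can be combined in one login gate, sketched below as an added example that is not part of the advisory. The threshold of 5, the logger name, and the helper names are assumptions; the advisory does not specify them.

```python
import hashlib, hmac, ipaddress, logging, os
from dataclasses import dataclass

log = logging.getLogger("sms_portal.auth")  # hypothetical logger name
MAX_FAILED = 5  # assumed value; the advisory only says "a limited number"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    bound_networks: tuple  # static IPs / CIDRs registered for this account
    failed: int = 0
    locked: bool = False

def make_account(username: str, password: str, networks) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), tuple(networks))

def ip_is_bound(account: Account, source_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable source address is treated as not bound
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in account.bound_networks)

def attempt_login(account: Account, source_ip: str, password: str) -> str:
    """Return "ok", "locked", "ip_denied" or "bad_password"; log each attempt with its IP."""
    if account.locked:
        result = "locked"
    elif not ip_is_bound(account, source_ip):
        # Logged but not counted, so hosts outside the bound IPs cannot lock the account.
        result = "ip_denied"
    elif not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        account.failed += 1
        account.locked = account.failed >= MAX_FAILED
        result = "bad_password"
    else:
        account.failed = 0
        result = "ok"
    level = logging.INFO if result == "ok" else logging.WARNING
    # %r keeps control characters in an untrusted address out of the log line.
    log.log(level, "login user=%s ip=%r result=%s failed=%d",
            account.username, source_ip, result, account.failed)
    return result
```

A locked account stays locked until an operator clears it; an unlock or expiry policy is left out because the advisory does not describe one.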
