Security Rules and Recommendations
These guidelines are meant to help you securely perform authentication and other user actions on the Infobip platform.
For easier navigation through the Infobip security essentials, take a few minutes to get familiar with the basic rules, including User Verification and Changing User Account's Contact Information.
The next important part of this page involves recommendations where you can learn about password management, sharing confidential information, secure file transfers, and more.
SUPPORT FOR TLS
As of April 16, 2021, we will support only TLS v1.2. The support for previous versions will be discontinued. If you are using a TLS version lower than 1.2, you won't be able to send any requests to our platform after the changes have been applied. If you are not sure which TLS version you are currently using or need assistance with an upgrade to a new version, please feel free to contact email@example.com and we'll be more than happy to assist you.
User Verification
After a user account has been created, traffic can't be sent from this account without proper verification. Right after login, the unverified user will see a pop-up message: "This user has not yet been verified to send traffic! Please contact your account manager for verification."
The verification process applies to first-time users of the client's main account and of any sub-account(s) in use that connect to the Infobip platform via our web interface and/or API.
Changing User Account’s Contact Information
New users are able to input and/or modify the GSM number and email address fields on the Infobip web interface during the first 7 days from the date the user account was created. Modification of your own or other users' contact details is disabled after that date to ensure that authentication flows (2FA and/or email verification forms) are not interrupted.
After input fields are disabled, users will see a pop-up message: “To edit GSM and email address, please contact your Infobip account manager or firstname.lastname@example.org.”
Security parameters can be adjusted under Account Settings on the Infobip web interface.
Increase Password Strength for ALL Users
There are 5 levels of password strength to choose from on the Infobip web interface. Each has a description of the associated length and complexity parameters. Infobip recommends using the very strong level (except where proprietary protocol restrictions apply):
- Min length: 10
- Must contain alphanumeric characters [a-zA-Z0-9]
- Must contain a lowercase character
- Must contain an uppercase character
- Must contain a digit
- Must not contain the username
- Must not contain repeated characters
- Must contain non-alphanumeric characters
Follow these important password tips to help protect your account:
- Do NOT use the same password for different users
- Do NOT use passwords that you use elsewhere, especially for other online channels/services
- CHANGE passwords periodically, on a quarterly basis at least
- Set Maximum Login Attempts to 5 to protect your account from brute-force attacks
- NEVER share your passwords or API keys with 3rd parties, including Infobip staff. Instead, use the Infobip web interface password reset form or manage API keys over the appropriate interface.
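The very strong level above and the Maximum Login Attempts tip, as an added example (this is not Infobip's code, and the lockout logic is only a model of the control, not the platform's implementation). The one interpretation it assumes is that "repeated characters" means the same character twice in a row:

```python
import re

# Added example (not Infobip's code): the "very strong" password level from this
# page as a checker, plus a lockout counter for the Maximum Login Attempts tip.
MIN_LENGTH = 10
MAX_LOGIN_ATTEMPTS = 5


def check_password(password: str, username: str = "") -> list:
    """Return the rules the password violates; an empty list means it is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase character")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase character")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^a-zA-Z0-9]", password):
        violations.append("no non-alphanumeric character")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    # Assumption: "repeated characters" means the same character twice in a row.
    if re.search(r"(.)\1", password):
        violations.append("contains consecutive repeated characters")
    return violations


class LoginGuard:
    """Counts failed logins per user and locks the user after MAX_LOGIN_ATTEMPTS."""

    def __init__(self, max_attempts: int = MAX_LOGIN_ATTEMPTS):
        self.max_attempts = max_attempts
        self._failures = {}

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.max_attempts

    def record(self, user: str, success: bool) -> bool:
        """Record an attempt; returns False once the user is locked out."""
        if self.is_locked(user):
            return False
        if success:
            self._failures.pop(user, None)   # a good login resets the counter
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
        return not self.is_locked(user)


if __name__ == "__main__":
    print(check_password("alice1234", "alice"))
    guard = LoginGuard()
    print([guard.record("alice", False) for _ in range(6)])
```

`check_password` reports every violated rule at once, which is what a user-facing form needs; `LoginGuard` shows why the fifth failure, not the sixth, is the one that locks the account.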
Entry Point-Specific Users
Use separate user accounts for HTTP/SMPP API and Infobip web interface access. Different security measures apply for each (explained in the paragraphs below).
IP safelisting allows you to create lists of trusted IP addresses or IP ranges from which human users or APIs can access the Infobip platform.
When using IP safelisting, please keep in mind the following conventions and best practices:
- IP safelisting is configured on the user level (regardless of whether the user is a human or an API user). This setting is available only to Infobip administrators.
- Allowed IP ranges/individual addresses are applied on the user level only. This makes them applicable in scenarios where separate users are used for API and web interface logins:
  - API – typically using static IP addresses or company/ISP ranges; a good candidate for IP safelisting.
  - Web interface – might originate from dynamic source IP addresses (e.g., users working from home, connecting via a mobile network or when traveling); use IP safelisting with caution.
- If you wish to set an IP safelist, provide a full range of IP addresses used for SMPP/HTTP API connectivity to your Infobip account manager.
- IP safelists set for users override domain safelisting.
IP safelists for HTTP API key and basic authentication are complementary (different restrictions apply, depending on the authentication method used).
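The precedence rule above (a user-level safelist replaces the domain-level one, and an API user is usually the one with a static range), as an added example that is not Infobip's code. The ranges are constructed documentation addresses; the actual lists are set by Infobip administrators, not by this code:

```python
import ipaddress

# Added example (not Infobip's code). Constructed safelists using documentation
# ranges; the real user- and domain-level lists are configured by Infobip admins.
DOMAIN_SAFELIST = ["203.0.113.0/24"]        # office range for web users (constructed)
API_USER_SAFELIST = ["198.51.100.0/28"]     # static egress of the API host (constructed)


def parse_safelist(entries):
    """Accept single addresses or CIDR ranges, as the page allows."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(source_ip, user_safelist=None, domain_safelist=None):
    """Apply the page's precedence: a safelist set on the user overrides the domain one.

    None means "no safelist configured" at that level; if neither level is set,
    access is not restricted by IP.
    """
    effective = user_safelist if user_safelist is not None else domain_safelist
    if effective is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_safelist(effective))


if __name__ == "__main__":
    # The API user's own list wins, so the office range no longer admits it.
    print(is_allowed("198.51.100.7", API_USER_SAFELIST, DOMAIN_SAFELIST))  # True
    print(is_allowed("203.0.113.9", API_USER_SAFELIST, DOMAIN_SAFELIST))   # False
```

Because the user-level list replaces rather than extends the domain list, a user-level entry must contain every address that user legitimately uses; forgetting the office range for a human user is the usual way to lock people out.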
API-Related Security Controls
This section provides information on how to increase security for API connectivity.
To mitigate the risk of network data transfer interception:
- Stop using a combination of unsecured HTTP and SMS over URL parameters, due to the high risk of network data transfer interception.
- Stop using unencrypted HTTP/SMPP connections and switch to one of the following:
  - SSL/TLS encrypted connections (preferred option due to a faster setup and more robust failover mechanism).
  - Contact email@example.com for an IPsec VPN connection implementation (less preferred due to the need for manual setup and more complex incident management in case of availability issues).
  Either option provides an encrypted data path between your platform and Infobip.
- Refrain from using GET methods for sending messages.
To mitigate the risk of password abuse, use a time-constrained API key or token authorization type.
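A pre-flight check for the patterns this section (and the TLS 1.2 requirement at the top of the page) tells you to stop using, as an added example that is not Infobip's code. The hostname, the `App` header value and the list of sensitive parameter names are assumptions of the example; the base64 credential string is constructed:

```python
import base64
import ssl
from urllib.parse import parse_qs, urlparse

# Added example (not Infobip's code): a pre-flight check for outbound API calls that
# flags the patterns this page tells you to stop using, plus a TLS context that
# refuses anything below TLS 1.2 (the requirement in force since April 16, 2021).

# Query-parameter names that must never appear in a URL (assumed list; extend as needed)
SENSITIVE_PARAMS = {"username", "password", "apikey", "api_key", "token", "text"}


def make_tls_context() -> ssl.SSLContext:
    """Client context that will not negotiate TLS 1.0 or 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_request(method: str, url: str, headers=None) -> list:
    """Return a list of findings for a planned request; an empty list means it passes."""
    findings = []
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("unencrypted scheme: use https")
        auth = hdrs.get("authorization", "")
        if auth.startswith("Basic "):
            # Basic credentials are only base64-encoded; any on-path node can read them.
            user = base64.b64decode(auth[len("Basic "):]).decode().partition(":")[0]
            findings.append(f"Basic credentials for user {user!r} sent in cleartext")
    if method.upper() == "GET":
        findings.append("GET used for sending: use POST with a JSON body")
    leaked = sorted({k.lower() for k in parse_qs(parsed.query)} & SENSITIVE_PARAMS)
    if leaked:
        findings.append("credentials or message content in URL parameters: " + ", ".join(leaked))
    return findings


if __name__ == "__main__":
    # Constructed insecure call: plain HTTP, GET, Basic auth for "alice:s3cr3t", secrets in the URL.
    insecure = audit_request(
        "GET", "http://api.example.invalid/send?username=u&password=p&text=hi",
        {"Authorization": "Basic YWxpY2U6czNjcjN0"})
    for finding in insecure:
        print("-", finding)
    # Constructed secure call: HTTPS, POST, time-limited key in a header, nothing in the URL.
    print(audit_request("POST", "https://api.example.invalid/send", {"Authorization": "App KEY"}))
```

Wire `make_tls_context()` into whatever HTTP client you use (for example as the `context` argument of `http.client.HTTPSConnection`); a server still offering only TLS 1.0/1.1 then fails the handshake instead of silently downgrading.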
API Key Validity
- API sessions expire one hour after the last successful use of the token, and this cannot be modified at the client's account level.
- API keys, on the other hand, are sessionless and sent with each request. They have a validity period that can be set per API key after which the API key is considered invalid/expired.
For more information on the API key model and how to update your API key, refer to our Infobip API Developer Hub API Key article.
Web Interface Related Security Controls
Two-Factor Authentication (2FA) is a cloud messaging security solution that confirms the identity of the user and protects the system from phishing or hacking attacks.
Once you set up the 2FA for the account, it affects all users.
Enabling 2FA for user accounts using API will not impede connectivity.
To enable 2FA on the Infobip web interface itself, navigate to Settings > Edit Account, and use the toggle to turn two-factor authentication ON.
Verify the Authenticity of Login Page to Prevent Phishing Attacks
Pay close attention to the URL and site content:
Check Favicon. Websites can put whatever icon they want in the tab.
Look at the domain name. The domain name can help confirm that you are landing on a legitimate Infobip site. For example:
- Multiple dashes or symbols in the domain name.
- Domain names that imitate actual businesses (e.g., "inf0bip", "infoblp" or "infob1p").
- Domain extensions like ".biz" and ".info". These sites tend not to be credible.
- Keep in mind as well that ".com" sites, while not inherently unreliable, are the easiest domain extensions to obtain.
Check the site's security status in your browser's address bar. For most browsers, a safe website will display a green padlock icon to the left of the website's URL. You can click the padlock icon to verify the details of the website (e.g., the type of encryption used).
Check the website's connection type. The Infobip web interface website has an "https" tag which is more secure and therefore more trustworthy than a site using the more common "http" designation. This is because "https" sites' security certification is a process that most illegitimate sites would not bother with.
Look at the file path. Infobip web interface has straightforward file paths depending on the part of the web interface you want to visit. In case of any doubts related to the path, please contact our Support (firstname.lastname@example.org).
Evaluate the URL. A website's URL consists of the connection type ("HTTP" or "HTTPS"), application (e.g., "portal"), domain name itself (e.g., "infobip"), extension (".com"), and the file path (e.g. "/dashboard"). Even if you've verified that the connection is secure, remain on the lookout for the following red flags:
- The Favicon – websites can put whatever icon they want in the tab.
- Domain Name – this is a part of the URL and it’s trustworthy, as long as you know what you’re looking for.
- File Path/Directory – this is a part of the URL and it's trustworthy, as long as you know what you're looking for.
- Web content area – this can be whatever the attacker wants it to be, including a very convincing spoof of an Infobip's legitimate website.
Look for broken English on the website. If you notice a large number of poorly-spelled (or missing) words, generally bad grammar, or awkward phrasing, you should question the site's authenticity. Even if the site in question is technically legitimate insofar as it isn't a scam, any inaccuracies in language will also cast doubt on the accuracy of its information, thereby making it a poor source.
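The URL evaluation described above (connection type, application, domain, extension, path) and the domain red flags, as an added example that is not Infobip's code. Only the "infobip.com" name comes from the page; the confusable-character map and the assumption of a two-label registrable name are this example's own:

```python
from urllib.parse import urlparse

# Added example (not Infobip's code): breaks a URL into the parts this page names and
# flags the red flags it lists. Only "infobip" / ".com" come from the page; the
# confusable-character map is an assumption of this example.
LEGITIMATE_DOMAIN = "infobip"
LEGITIMATE_EXTENSION = "com"
DISTRUSTED_EXTENSIONS = {"biz", "info"}
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "$": "s", "|": "i"})


def split_url(url: str) -> dict:
    """Connection type, application, domain, extension and file path, as the page defines them.

    Assumes a two-label registrable name (domain.extension); multi-label TLDs are out of scope.
    """
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    return {
        "connection": p.scheme.lower(),
        "application": ".".join(labels[:-2]),
        "domain": labels[-2] if len(labels) >= 2 else "",
        "extension": labels[-1],
        "path": p.path or "/",
    }


def red_flags(url: str) -> list:
    """Return the red flags the page lists that apply to this URL (empty = none found)."""
    parts = split_url(url)
    domain, ext = parts["domain"], parts["extension"]
    flags = []
    if parts["connection"] != "https":
        flags.append("connection type is not https")
    if domain.count("-") > 1 or any(not c.isalnum() and c != "-" for c in domain):
        flags.append("multiple dashes or symbols in the domain name")
    if domain != LEGITIMATE_DOMAIN:
        # Normalise look-alike characters and see whether the imposter collapses to the real name.
        if domain.translate(CONFUSABLES) == LEGITIMATE_DOMAIN:
            flags.append(f"domain {domain!r} imitates {LEGITIMATE_DOMAIN!r}")
        else:
            flags.append(f"domain {domain!r} is not {LEGITIMATE_DOMAIN!r}")
    if ext in DISTRUSTED_EXTENSIONS:
        flags.append(f"extension .{ext} is rarely used by credible sites")
    elif ext != LEGITIMATE_EXTENSION:
        flags.append(f"extension .{ext} is not .{LEGITIMATE_EXTENSION}")
    return flags


if __name__ == "__main__":
    for candidate in ("https://portal.infobip.com/dashboard", "http://portal.inf0bip.info/login"):
        print(candidate, split_url(candidate), red_flags(candidate))
```

The web content area and the favicon are deliberately not inspected: as the list above says, an attacker controls both, so a checker that trusts them proves nothing.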
Review Certificate details:
Most browsers allow you to view the certificate by clicking the padlock icon in the address bar.
- Click the padlock icon
- Click More Information
- Click View Certificate
- Click the padlock icon
- Click View Certificate
- Click 3-dot menu > More tools > Developer tools
- Click the Security tab and View certificate.
- Click the padlock icon > Certificate.
- When you click the Certificate Information, you will get all the information the CA verified before it issued the certificate.
The Infobip certificate looks like this:
Sharing Confidential Information
This section is a quick guide on how to safely use and store confidential information.
How to Use S-Pass
S-PASS is an Infobip app for sharing confidential information with Infobip employees, clients, and other 3rd parties. Please note that shared information is readable only once, and then it is permanently erased from S-PASS.
It is possible to create and send a secret note to a recipient or access and read a secret note if you have received a token from the sender. In both cases, it is necessary to access https://s-pass.app/ using a web browser of your choice (it might look different in different web browsers).
Store a Secret
1. Access S-PASS. Click Write a secret note to share a secret with someone or Read a secret note if you have received a token for reading secret notes.
2. Write/paste the secret note you want to send. Select how long you want your secret note to remain stored. It will be kept until it has been read. When finished, click Store secret.
Anyone with the token will be able to access your secret note during the time period you specified.
Your secret note is now stored. In the Secret stored! pop-up, copy the token OR copy the direct link to share your secret.
Your confidential information will be accessible only by the person who has the token or the link. Until viewed, the information is encrypted, unreadable to everyone and stored in the Infobip system.
Read a Secret
If you have a direct access link, paste it in a web browser and under the Secret: there is a gray box with the shared secret. If you have an access token, go to https://s-pass.app/, click Read a secret note, paste your token, and click Submit token.
Once you read the secret note, it will be deleted from the system.
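The read-once behaviour described in the S-PASS sections (encrypted until viewed, expires after the chosen period, erased on first read), as an added example that is not S-PASS code and says nothing about how S-PASS is actually built. The stream cipher inside is a toy built from SHA-256 for illustration; a real service would use an AEAD such as AES-GCM:

```python
import hashlib
import secrets
import time

# Added example (not S-PASS code): a read-once secret store with the three properties the
# page describes: the note is unreadable until fetched, expires after a chosen period, and
# is erased on first read. The server keeps only a hash of the token, so it cannot decrypt
# a stored note without the token the sender handed to the recipient.


def _derive_key(token: str) -> bytes:
    return hashlib.sha256(b"s-pass-example-key:" + token.encode()).digest()


def _lookup_id(token: str) -> str:
    return hashlib.sha256(b"s-pass-example-id:" + token.encode()).hexdigest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from SHA-256; use an AEAD (e.g. AES-GCM) in real code."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[start:start + 32], stream))
    return bytes(out)


class ReadOnceStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._entries = {}           # lookup id -> (ciphertext, expiry timestamp)

    def store(self, secret: str, ttl_seconds: int) -> str:
        """Encrypt the note and return the token the sender shares with the recipient."""
        token = secrets.token_urlsafe(24)
        ciphertext = _keystream_xor(_derive_key(token), secret.encode())
        self._entries[_lookup_id(token)] = (ciphertext, self._clock() + ttl_seconds)
        return token

    def read(self, token: str):
        """Return the note on the first valid read, None otherwise; the entry is gone either way."""
        entry = self._entries.pop(_lookup_id(token), None)   # pop: exactly one read
        if entry is None:
            return None
        ciphertext, expires_at = entry
        if self._clock() > expires_at:
            return None
        return _keystream_xor(_derive_key(token), ciphertext).decode()

    def purge_expired(self) -> int:
        """Housekeeping: drop notes nobody read before they expired."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._entries.items() if now > exp]
        for k in stale:
            del self._entries[k]
        return len(stale)


if __name__ == "__main__":
    store = ReadOnceStore()
    token = store.store("db password: hunter2 (constructed)", ttl_seconds=60)
    print(store.read(token))   # the note
    print(store.read(token))   # None: already consumed
```

The point of hashing the token for lookup and deriving the key from it is that a dump of the store yields neither tokens nor plaintext, which is the "encrypted, unreadable to everyone" property the page describes until the recipient presents the token.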
Secure File Transfer
Using the Infobip web interface, you can define methods for the transfer of Reports exports from Infobip towards the file transfer resources in your ownership. Methods enabled for this purpose are FTP and SFTP.
FTP is a file transfer protocol providing basic, unencrypted file transfer capability. Although it enables both anonymous access and authenticated sessions, the user credentials and data payload are transferred over public networks in cleartext, posing a HIGH risk of unauthorized access to confidential data and of spreading concealed malware. Having been completely replaced by more secure alternatives (SFTP, FTPS, SCP, ...), FTP should ONLY be used on extremely trusted and isolated systems or for public anonymous FTP access; none of these apply to Infobip use cases.
We recommend using SFTP (SSH File Transfer Protocol, often called Secure FTP). All it takes is implementing an SFTP server on the client side and providing the access parameters, either via the Infobip web interface EXPORT feature or to Customer Care.
Secure implementations usually include the following steps:
- Specifying a non-standard port (other than 22)
- Safelisting incoming (sender) IP addresses; when it comes to Infobip, these would be 18.104.22.168 and 22.214.171.124
- Using dedicated credentials for EACH client user (i.e., credentials dedicated solely for Infobip)
- Choosing long, complex passwords (12 characters minimum)
- Changing passwords regularly (e.g., every three months)
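The hardening steps above, as an added example that is not Infobip's code: a constructed sshd_config for a dedicated, chrooted SFTP account, and a checker that reports which of the page's steps a configuration is missing. The user name `infobip-export` and the chroot path are hypothetical; the two sender IPs are the ones listed on the page. Password length and rotation are not visible in sshd_config, so the checker covers the port, the sender IP restriction and the dedicated, confined account:

```python
# Added example (not Infobip's code): a constructed sshd_config for a dedicated,
# chrooted SFTP account, and a checker for the steps listed on this page. The user
# name and chroot path are hypothetical; the two sender IPs are the ones the page lists.
SFTP_USER = "infobip-export"
SENDER_IPS = ["18.104.22.168", "22.214.171.124"]

SAMPLE_SSHD_CONFIG = """\
Port 2222
Subsystem sftp internal-sftp
# Each user is restricted to the addresses it may connect from
AllowUsers admin@10.0.0.0/8 infobip-export@18.104.22.168 infobip-export@22.214.171.124

Match User infobip-export
    ChrootDirectory /srv/sftp/infobip-export
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text: str):
    """Return (global settings, Match blocks); repeated keywords keep every value."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {"criteria": value.lower(), "settings": {}}
            blocks.append(current)
            continue
        target = global_settings if current is None else current["settings"]
        target.setdefault(key, []).append(value)
    return global_settings, blocks


def audit_sftp_config(text: str, user: str = SFTP_USER, sender_ips=SENDER_IPS) -> list:
    """Return the hardening steps the configuration is missing (empty list = all present)."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if "22" in g.get("port", ["22"]):               # sshd defaults to 22 when Port is absent
        findings.append("sshd listens on the default port 22")
    allowed = " ".join(g.get("allowusers", [])).split()
    for ip in sender_ips:
        if f"{user}@{ip}" not in allowed:
            findings.append(f"AllowUsers does not limit {user} to sender IP {ip}")
    block = next((b for b in blocks if b["criteria"] == f"user {user}"), None)
    if block is None:
        findings.append(f"no 'Match User {user}' block confining the account")
    else:
        s = block["settings"]
        if "chrootdirectory" not in s:
            findings.append(f"{user} is not chrooted")
        if s.get("forcecommand") != ["internal-sftp"]:
            findings.append(f"{user} is not forced to internal-sftp")
    return findings


if __name__ == "__main__":
    print(audit_sftp_config(SAMPLE_SSHD_CONFIG))                      # []
    print(audit_sftp_config("Port 22\nAllowUsers infobip-export\n"))  # four findings
```

Run the checker against the live file (`open("/etc/ssh/sshd_config").read()`) after each change; the `Match` block is what turns a normal shell account into an export-only drop point, and `AllowUsers user@address` is the safelisting step expressed in sshd's own syntax.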
Apart from security reasons, the use of encrypted data transfers is, in many industries worldwide, a regulatory compliance requirement included in businesses' security policies.
When you choose the insecure version of FTP, you accept related security risks, while Infobip renounces any liability possibly resulting from such use.
Client's Internal Processes
Reinforce internal credential storage and management to mitigate the risk of an internal data leak, which could result in unauthorized access to the Infobip platform and traffic costs.
For safekeeping of your passwords, consider using one of the commercial-grade password management tools.
Potential Risks if Controls Are Not Implemented
Credentials can leak due to traffic interception when using unencrypted HTTP/SMPP traffic. This can happen in the following circumstances:
- When using unsecured HTTP combined with basic authorization (username and password contained in encoded form in the Authorization header); interception might occur on any node between your network, ISPs and proxy services (if used), and the Infobip web interface.
- When MITM methods are applied between the client network and the Infobip platform.
- When credentials are stored in an insecure (plaintext) format in any kind of storage (digital and analog). Infobip stores users' passwords in a one-way hashed format with access privileges limited to only a few trusted employees; access is not granted to any 3rd party.
- When credentials are exchanged in an insecure (plaintext) format during communications (via electronic channels, telephone, even live discussions).
- When you have not changed your password in a long time.