- It has been observed with grave concern that misleading SMS have been disseminated to telecom subscribers because the relevant operators / SMS aggregators had not employed sufficient security controls to mitigate such threats. Furthermore, some of them are not maintaining the required logs.
- In order to safeguard against such attacks in future, the following security measures should be implemented by all telecom operators, along with other effective standard security controls:
No. | Recommendation | Applicable To
---|---|---
1 | All licensees should manage their servers within Pakistan, as required by the licence awarded to them, which clearly states that they are to establish, maintain and operate in Pakistan. | All Licensees
2 | Bind static IP addresses to user accounts for API / web portal access; access from foreign IP addresses should be blocked through geo-fencing at the firewalls. | All Licensees
3 | Maintain all types of logs, including but not limited to access logs, event logs, "failed login attempts with complete IP details" and "API failed connections", in accordance with clause 6(5) of CTDISR 2000 issued by PTA. | All Licensees
4 | Password baselining restrictions should be implemented, i.e. the account is blocked after a limited number of failed login attempts. | All Licensees
5 | Dedicated / managed Web Application Firewall (WAF) services should be used to protect networks from layer 7 attacks. | All Licensees
6 | Security against roaming SMS links should be ensured. | Whoever Provides SMS Service
7 | Two-factor authentication (2FA) should be implemented for all customers on every login to the SMS application, and an OTP should be required for every broadcast message. | SMS Aggregators / CMOs
8 | Web links in SMS content should be blocked, as they generally point to phishing sites. | SMS Aggregators / CMOs
9 | Requests for personal data should not be allowed in SMS. | SMS Aggregators / CMOs
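The following Python sketch is added here as an illustration of how several of the table's controls fit together at an SMS aggregator's API gateway: binding accounts to static IP addresses and geo-fencing foreign sources, writing an audit record for every outcome, locking an account after a limited number of failed logins, and screening outbound message bodies for web links (including common obfuscations such as `hxxp` and `[.]`) and for requests for personal data. It is not PTA's, nor any operator's or aggregator's, code. The netblocks, account, password, lockout threshold, TLD list and keyword lists are constructed placeholders for the demo; a real deployment would take the geo-fence from its GeoIP feed or firewall policy, store password hashes rather than plaintext, and tune the content patterns against its own traffic.

```python
import hmc if False else None  # placeholder removed below
```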