- It has been observed with grave concern that misleading SMS have been disseminated to telecom subscribers, as the relevant operators / SMS aggregators had not employed sufficient security controls to mitigate such threats. Furthermore, some of them are not maintaining the required logs.
- In order to safeguard against such attacks in future, the following security measures be implemented by all telecom operators, along with other effective standard security controls:
| S. No. | Security measure | Applicability |
|---|---|---|
| 1 | All licensees should manage their servers within Pakistan, as per the license awarded to them, which clearly requires them to establish, maintain and operate in Pakistan. | All Licensees |
| 2 | Bind static IP addresses with user accounts for API / web portal access. Access from foreign IP addresses should be blocked through geo-fencing at firewalls. | All Licensees |
| 3 | Maintain all types of logs, including but not limited to Access Log and Events Log. | All Licensees |
| 4 | Maintain logs of "Failed Login Attempts with complete IP details" and "API failed connections", in accordance with clause 6 (5) of CTDISR 2000, issued by PTA. | All Licensees |
| 5 | Password baselining restrictions be implemented, i.e. blocking of the account after a limited number of failed attempts. | |
| 6 | Dedicated / managed Web Application Firewall (WAF) services be used to secure networks from layer 7 attacks. | All Licensees |
| 7 | Security from roaming SMS links be ensured. | Whoever provides SMS service |
| 8 | Two-factor authentication (2FA) be implemented for all customers on every login to the SMS application. An OTP be used for every broadcast message. | SMS Aggregator / CMOs |
| 9 | Weblinks in the SMS content be blocked, as they generally refer to phishing links. | SMS Aggregator / CMOs |
| 10 | Personal data requests should not be allowed in the SMS. | SMS Aggregator / CMOs |
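As an added illustration (not part of the advisory, and not PTA's or any operator's code), the following Python sketch shows how an SMS-aggregator portal could enforce several of the controls above: static-IP binding for API access (item 2), logging of failed logins with IP details and lockout after a limited number of attempts (items 3 to 5), and rejection of broadcast content that carries web links or requests personal data (items 9 and 10). The account ID, IP addresses, the lockout threshold of five attempts, the keyword patterns and the sample messages are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed threshold; the advisory says "a limited number" without fixing one.
LOCKOUT_THRESHOLD = 5

# Constructed per-account static IP binding for API / web-portal access (item 2).
# 203.0.113.0/24 is a documentation range, not a real operator address.
ACCOUNT_IP_BINDINGS = {
    "acct-001": {ipaddress.ip_address("203.0.113.10")},
}

# Coarse patterns for item 9 (web links) and item 10 (personal-data requests).
# A production filter would use a maintained URL/TLD list; these are illustrative.
URL_RE = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|pk|ly|io)\b)", re.I)
PERSONAL_DATA_RE = re.compile(
    r"\b(cnic|password|pin|otp|card number|cvv|account number)\b", re.I)


@dataclass
class AuditLog:
    """Items 3-4: every access decision is recorded with timestamp and source IP."""
    entries: list = field(default_factory=list)

    def record(self, event, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.entries.append(entry)
        return entry


@dataclass
class LoginGuard:
    log: AuditLog
    failures: dict = field(default_factory=dict)  # account -> consecutive failures
    locked: set = field(default_factory=set)

    def api_allowed(self, account, src_ip):
        """Item 2: only the static IP(s) bound to the account may reach the API."""
        allowed = ipaddress.ip_address(src_ip) in ACCOUNT_IP_BINDINGS.get(account, set())
        if not allowed:
            self.log.record("api_denied_ip", account=account, src_ip=src_ip)
        return allowed

    def login(self, account, src_ip, password_ok):
        """Items 3-5: log each failure with its IP; lock after LOCKOUT_THRESHOLD."""
        if account in self.locked:
            self.log.record("login_rejected_locked", account=account, src_ip=src_ip)
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            self.log.record("login_success", account=account, src_ip=src_ip)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        self.log.record("login_failed", account=account, src_ip=src_ip, attempt=count)
        if count >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
            self.log.record("account_locked", account=account, src_ip=src_ip)
            return "locked"
        return "failed"


def check_sms_content(text):
    """Items 9-10: return the reasons a broadcast text must be rejected ([] = clean)."""
    reasons = []
    if URL_RE.search(text):
        reasons.append("weblink")
    if PERSONAL_DATA_RE.search(text):
        reasons.append("personal_data_request")
    return reasons


def run_demo():
    """Constructed scenario: one bound account, one API call from an unbound IP,
    five bad logins, and three candidate broadcast messages."""
    log = AuditLog()
    guard = LoginGuard(log)
    api_from_bound_ip = guard.api_allowed("acct-001", "203.0.113.10")
    api_from_other_ip = guard.api_allowed("acct-001", "198.51.100.7")
    login_results = [guard.login("acct-001", "203.0.113.10", False) for _ in range(5)]
    messages = [
        "Your parcel is held. Pay at http://example.com/pay",   # constructed
        "Reply with your CNIC and PIN to verify your account",  # constructed
        "Your order 1234 has shipped.",                         # constructed
    ]
    return {
        "api": (api_from_bound_ip, api_from_other_ip),
        "logins": login_results,
        "content": [check_sms_content(m) for m in messages],
        "log_events": [e["event"] for e in log.entries],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the module prints the decisions for the constructed scenario: the API call from the unbound address is denied and logged, the fifth failed login locks the account, and only the message without a link or a personal-data request passes the content check. Every denial lands in the audit log with its source IP, which is the record items 3 and 4 require licensees to keep.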