Security Measures by all Telecom Operators/SMS Aggregators.

  1. It has been observed with grave concern that misleading SMS have been disseminated to telecom subscribers, as the relevant operators / SMS aggregators had not employed sufficient security controls to mitigate such threats. Furthermore, some of them are not maintaining the required logs.
  2. In order to safeguard against such attacks in future, the following security measures be included, along with other effective standard security controls, by all Telecom operators:

| No. | Recommendations | Applicable To |
|-----|-----------------|---------------|
| 1 | All licensees should manage their servers within Pakistan, as per the license awarded to them, which clearly mentions to establish, maintain and operate in Pakistan. | All Licensees |
| 2 | Bind static IP addresses with user accounts for API / Web portal. Access to foreign IP addresses should be blocked through geo-fencing at firewalls. | All Licensees |
| 3 | Maintain all types of logs including but not limited to Access Log, Events Log, “Failed”. | All Licensees |
| 4 | Login Attempts with complete IP details” and “API failed connections”, in accordance with clause 6 (5) of CTDISR 2000, issued by PTA. | All Licensees |
| 5 | Password baselining restrictions be implemented i.e. blocking of account on a limited number of failed attempts. | All Licensees |
| 6 | Dedicated / Managed services of Web Application Firewall (WAF) be used to secure networks from layer 7 attacks. | All Licensees |
| 7 | Security from roaming SMS links be ensured. | Whoever Providing SMS Service |
| 8 | Two-factor authentication (2FA) be implemented for all customers on every login to SMS application. An OTP be used for every broadcast message. | SMS Aggregator/ CMOs |
| 9 | Weblinks in the SMS content be blocked, as it generally refers to phishing links. | SMS Aggregator/ CMOs |
| 10 | Personal Data Requests should not be allowed in the SMS. | SMS Aggregator/ CMOs |
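
A sketch of how an SMS submission API could enforce the static IP binding, failed-attempt logging, account blocking and weblink blocking recommendations together; this is an added example, not code from PTA or any operator. The account data, the threshold of 5, the event names and the link pattern are all assumptions made for illustration.

```python
import hmac, ipaddress, re
from datetime import datetime, timezone

MAX_FAILED = 5  # assumption: the advisory only says "a limited number"
# Constructed sample account (documentation-range IP); real systems store a hash.
ACCOUNTS = {"acme": {"secret": "s3cret-A", "failed": 0, "locked": False,
                     "ips": {ipaddress.ip_address("203.0.113.10")}}}
AUDIT_LOG = []  # stand-in for the access / failed-login / API-failure logs
# Conservative pattern: scheme or www links, plus bare domain-like tokens.
LINK_RE = re.compile(
    r"\b(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)

def _log(event, user, ip):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": user, "ip": ip})

def authenticate(user, secret, src_ip):
    """Return (ok, reason); every failure is logged with the source IP."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        _log("failed_login_unknown_user", user, src_ip)
        return False, "denied"
    if acct["locked"]:
        _log("failed_login_locked", user, src_ip)
        return False, "locked"
    # src_ip is taken from the connection, so it is assumed to be well-formed.
    if ipaddress.ip_address(src_ip) not in acct["ips"]:
        # Not counted towards lockout, so outsiders cannot block a customer.
        _log("api_failed_ip_not_bound", user, src_ip)
        return False, "ip_not_bound"
    if not hmac.compare_digest(secret.encode(), acct["secret"].encode()):
        acct["failed"] += 1
        acct["locked"] = acct["failed"] >= MAX_FAILED
        _log("failed_login_bad_secret", user, src_ip)
        return False, "locked" if acct["locked"] else "denied"
    acct["failed"] = 0
    _log("login_ok", user, src_ip)
    return True, "ok"

def submit_sms(user, secret, src_ip, text):
    """Admit a message only after authentication and a weblink check."""
    ok, reason = authenticate(user, secret, src_ip)
    if not ok:
        return reason
    if LINK_RE.search(text):
        _log("sms_blocked_weblink", user, src_ip)
        return "blocked_weblink"
    return "accepted"
```

A locked account stays locked until an operator resets it, and the bare-domain pattern will also flag text such as a missing space after a full stop, which is the safer failure direction for a link block.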
