Protecting your users against phishing and malware

When developing applications we must be security aware and avoid creating security issues, especially when sending messages to our users. In this article I’ll explain the common threats and give a recommendation on how to avoid them.

Note that these are only a few of the security measures an organization must take to protect itself against attackers. Consult your Information Security Officer about which other measures apply to your organization.

Threats in messages

Phishing

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. Source: Wikipedia, https://en.wikipedia.org/wiki/Phishing

Phishing prevention

To prevent phishing you can disallow the use of hyperlinks in your messages and inform your users that you never send emails containing hyperlinks and that they should never click on links in messages.

How to: instead of a link, give the recipient instructions on how to reach your site, or redirect them to a specific page. In user onboarding or password-reset flows you can verify the user with a verification code that is valid for a limited time. Using an identity provider with two-factor authentication is preferable, but this is a good alternative when that is not available.

Example: password reset process flow.

Password reset process

1. The user clicks the forgot password link on the login page.
2. On the forgot password page the user enters their email and submits the input.
3. If a user with the provided email exists, a reset token is generated, the token is sent to the user, and the user is redirected to the ResetPassword page.
4. On the ResetPassword page the user has to provide their email, the token and the new password.
5. If the email and token combination is correct, the new password is saved and the user is redirected to the login page.
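The flow above, and the link-free message from the phishing prevention section, as an added example that is not part of the original article and not OutSystems code. It assumes a 15-minute validity, an 8-digit code, a limit of five wrong guesses and a stand-in "outbox" instead of a real mail gateway; all class and function names are assumptions. The message the user receives contains instructions and the code only, never a hyperlink, and the server stores only a hash of the code so a database leak does not expose valid codes.

```python
# Added example: password reset with a short-lived verification code instead of a link.
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (not from the article)
TOKEN_TTL_SECONDS = 15 * 60   # verification code expires after 15 minutes
MAX_ATTEMPTS = 5              # wrong guesses allowed before the code is discarded
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    email: str
    password_hash: str


@dataclass
class ResetRequest:
    token_hash: str           # only a hash of the code is stored, never the code itself
    expires_at: float
    attempts: int = 0


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt:digest' in hex."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def hash_token(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def reset_message(code: str) -> str:
    """The email body: instructions plus the code, deliberately no hyperlink or attachment."""
    return (
        "Open your browser and type our site address yourself, then choose "
        "'Forgot password'. On the ResetPassword page enter your email, your "
        f"new password and this code: {code}\n"
        f"The code is valid for {TOKEN_TTL_SECONDS // 60} minutes and can be used once.\n"
        "We never send hyperlinks or attachments; do not click links in any "
        "message that claims to be from us."
    )


def code_in_message(body: str) -> Optional[str]:
    """Used only by the demo and tests to read the code back out of the message."""
    match = re.search(r"this code: (\d{8})", body)
    return match.group(1) if match else None


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = {u.email.lower(): u for u in users}
        self.pending = {}          # email -> ResetRequest
        self.outbox = []           # constructed stand-in for the mail gateway: (to, body)
        self.now = now             # injectable clock so expiry can be tested

    def request_reset(self, email: str) -> None:
        """Forgot-password page: the response is identical whether or not the email exists."""
        key = email.strip().lower()
        if key not in self.users:
            return
        code = "".join(secrets.choice("0123456789") for _ in range(8))
        self.pending[key] = ResetRequest(hash_token(code), self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((key, reset_message(code)))

    def reset_password(self, email: str, code: str, new_password: str) -> bool:
        """ResetPassword page: email and code must match, within the TTL and attempt budget."""
        key = email.strip().lower()
        req = self.pending.get(key)
        if req is None:
            return False
        if self.now() > req.expires_at:
            del self.pending[key]
            return False
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            del self.pending[key]                   # too many guesses: code is discarded
            return False
        if not hmac.compare_digest(req.token_hash, hash_token(code.strip())):
            return False
        del self.pending[key]                       # single use
        self.users[key].password_hash = hash_password(new_password)
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email.strip().lower())
        return user is not None and check_password(password, user.password_hash)


if __name__ == "__main__":
    svc = PasswordResetService([User("alice@example.com", hash_password("old-secret"))])
    svc.request_reset("alice@example.com")
    _, body = svc.outbox[-1]
    print(body)
    code = code_in_message(body)
    print("reset ok:", svc.reset_password("alice@example.com", code, "new-secret"))
    print("login with new password:", svc.login("alice@example.com", "new-secret"))
```

The request step answers the same way for unknown and known addresses, so the forgot-password page cannot be used to enumerate accounts, and the attempt counter is what makes a short, typeable code acceptable: without it an 8-digit code could be guessed online.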

Malicious attachments

Emails often include dangerous attachments that install keyloggers, ransomware, and other malware when opened by the victim. If your messages contain attachments then your users are vulnerable to malware attacks. Recently, various government organizations have been closed temporarily and had severe data losses due to ransomware infections.

Malware prevention

If we do not put attachments in our messages, we can instruct our users not to open attachments in messages from us. As an alternative we can choose not to create the attachment at all, e.g. put an order confirmation in the body of the message. Otherwise you should provide the attachments as downloads in your application, typically by creating a personal page with the available downloads.

Share your security policy

Notify your users that you will never use a hyperlink or an attachment in your communications and that they should never open a hyperlink or an attachment. Also instruct them to always navigate to your site by entering the address manually instead of using a bookmark or a link.

Follow the OutSystems Security Best Practices

In addition to the actions described above you should follow the OutSystems Platform Best Practices on security:

Set the Web Screen’s Roles

Be aware of sensitive data exchange

DON’T send sensitive information in screen parameters

Remember: Web Screen’s variables or Preparation outputs might be exposed in the URL or Viewstate

When applicable, use SSL for sensitive information

DO NOT rely on the Web Screen widgets interface to control permissions

Validate user’s Roles before executing Screen Actions

Use encrypted passwords in the database

Use Internal Access Only for Web Flows and Web Services
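The personal downloads page from the malware prevention section, combined with the practices above (no sensitive data in screen parameters, no reliance on the widgets interface for permissions, role and ownership validated before the screen action runs), as an added example that is not part of the original article and not OutSystems code. It assumes an opaque random document id as the only screen parameter, a "Support" role that may fetch any document, and in-memory storage; all names are assumptions.

```python
# Added example: downloads served from the user's own page, authorized on the server.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Document:
    doc_id: str          # opaque random id: the screen parameter reveals nothing sensitive
    owner: str
    filename: str
    content: bytes


@dataclass
class Session:
    user: str
    roles: frozenset = frozenset()


def content_disposition(filename: str) -> str:
    """Header value for the download; strips path and line-break characters the
    filename must never carry (a stored name is still untrusted input)."""
    safe = "".join(ch for ch in filename if ch not in '\\/"\r\n')
    return f'attachment; filename="{safe or "download"}"'


class DownloadCenter:
    def __init__(self):
        self._docs: Dict[str, Document] = {}

    def publish(self, owner: str, filename: str, content: bytes) -> str:
        """Replaces an email attachment: the file is stored, the message only says it is ready."""
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = Document(doc_id, owner, filename, content)
        return doc_id

    def list_for(self, session: Session) -> List[str]:
        """Personal downloads page: only the caller's own documents are listed."""
        return [d.doc_id for d in self._docs.values() if d.owner == session.user]

    def fetch(self, session: Session, doc_id: str) -> Optional[Document]:
        """Screen action behind the download button. Authorization is re-checked
        here on the server, regardless of which buttons the page showed."""
        doc = self._docs.get(doc_id)
        if doc is None:
            return None
        if doc.owner != session.user and "Support" not in session.roles:
            return None      # same answer as 'not found': no information leak about other users' files
        return doc


if __name__ == "__main__":
    center = DownloadCenter()
    alice = Session("alice")
    doc_id = center.publish("alice", "order-1234.pdf", b"%PDF-constructed sample")
    print("alice sees:", center.list_for(alice))
    print("bob fetch:", center.fetch(Session("bob"), doc_id))
    doc = center.fetch(alice, doc_id)
    print("alice fetch:", doc.filename, content_disposition(doc.filename))
```

Hiding a button on the Web Screen only changes what the browser renders; anyone can still call the screen action with another user's id, which is why `fetch` repeats the ownership and role check on every call.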

Take the Master Class on Security for an in depth explanation of these practices.