Checking Request Inspector's current state - twilio

I'd like to play back credit card numbers for verification purposes; however, when you do this it exposes the redacted CC in the Request Inspector logs. Of course, I can turn these logs off, but Infosec wants more assurances that Request Inspector remains off and that we have steps in place in case it gets turned back on while live calls are arriving or is turned on and forgotten about.
Aside from seeking to have Twilio set it in a permanent state, I've proposed trying to code a status check that would account for either scenario.
That said though, is the Boolean/Toggle for Request Inspector available to be read from the API?
Example lazy code:
IF(Request inspector = 1) say "Please confirm that you wish to pay xx amount"
else if(request inspector = 0) say "Please confirm that you wish to pay x amount using your credit card 400000000000000"
Basically:
If inspector is on, don't read the CC.
If it's off, you can read CC

Twilio developer evangelist here.
In reality, you should enable PCI mode in your voice settings which is permanent.
As far as I know, you can't read or change the status of the request inspector via the API.
What I might suggest is that for testing you create a separate project within the Twilio console which is responsible for all its own resources. When you run in a test mode you can then use the credentials for this project and log or repeat actions and confirmations as you require. Then, when you run in production mode, you use your production account credentials which are in PCI mode.

Related

The claim process removes the secretKey, how to restore it if I do a reclaim?

We're using ThingsBoard CE for a smart home application. We're considering the claim process to let the user add a new device. We developed a proof of concept following the process described here: https://thingsboard.io/docs/user-guide/claiming-devices/
Now we're considering the use case of removing the device to let another user add it (like selling the device to another person), but when we reclaim the device (according to "Device Reclaiming API Request") the device doesn't have the secretKey, so we cannot let another user claim the device.
Are we missing something? Is there another way to do what we want?
I'd suggest handling it in the rule chain. One solution would be to have a button on a management dashboard. Clicking the button sets a "reclaim flag" to true (or you can do it directly from the default attribute edit window). The rule chain receives this action, notices the flag and does the following:
Adds a secretKey attribute
Re-enables device claiming (I think once a device is claimed it can't be reclaimed again by default)
Flips the "reclaim flag" back to false
Changes the "owner" of the device back to the tenant (optional but I recommend it).
Alternatively, if you didn't want to deal with the flag bit, you could have the rule chain listen for any time a device has its owner changed to the tenant. Might be a little less secure though.
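The four steps from the answer above, sketched as the attribute-building logic such a rule chain would run. This is an added example, not code from the post or from ThingsBoard. Assumptions: the server-side attribute names `claimingAllowed` and `claimingData` (with `secretKey` and `expirationTime`) are taken from the claiming guide linked in the question, while `reclaimFlag`, `assignToTenant`, the 16-character minimum and the one-day limit are hypothetical choices made for illustration.

```javascript
// Added example (not ThingsBoard code). Assumed names: claimingAllowed and
// claimingData come from the claiming guide linked in the question;
// reclaimFlag and assignToTenant are hypothetical names for the answer's steps.
const MAX_TTL_MS = 24 * 60 * 60 * 1000; // assumed policy: claim window of at most one day
const MIN_SECRET_LENGTH = 16;           // assumed policy: reject short secrets

function buildReclaimUpdate(serverAttrs, secretKey, nowMs, ttlMs) {
  // Act only on an explicit boolean true, so a missing or string-typed flag is a no-op.
  if (!serverAttrs || serverAttrs.reclaimFlag !== true) return null;
  if (typeof secretKey !== "string" || secretKey.length < MIN_SECRET_LENGTH) {
    throw new Error("secretKey must be a string of at least " + MIN_SECRET_LENGTH + " characters");
  }
  if (!Number.isInteger(ttlMs) || ttlMs <= 0 || ttlMs > MAX_TTL_MS) {
    throw new Error("ttlMs must be a positive integer no larger than MAX_TTL_MS");
  }
  return {
    serverAttributes: {
      // Step 1: put the secret back, with an expiry so the claim window closes by itself.
      claimingData: { secretKey: secretKey, expirationTime: nowMs + ttlMs },
      // Step 2: re-enable claiming.
      claimingAllowed: true,
      // Step 3: flip the flag back so the chain does not fire twice.
      reclaimFlag: false,
    },
    // Step 4: marker for the node that hands the device back to the tenant.
    assignToTenant: true,
  };
}

// Constructed sample values: a device whose flag was just set, a 10-minute window.
const update = buildReclaimUpdate(
  { reclaimFlag: true },
  "constructed-secret-0001",
  Date.now(),
  10 * 60 * 1000
);
console.log(JSON.stringify(update, null, 2));
```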

How to send user identification when a user interacts with an adaptive card in a Teams Message

We are using the graph API to send a message to the General channel of a Microsoft Team, which has a number of members.
We would like to allow any members to interact with the message via an adaptive card.
This is doable using, say, Action.OpenUrl or .Submit; however, we need to know which user is interacting. I imagine this must be a fairly common thing to do.
What solutions and options are available to do this?
For example, is it possible to obtain the user's Team id at the time an action is invoked?
Every activity sent to the bot has a from property that identifies the user that sent the activity. You can see the full activity schema here. I advise you to run your bot in debug mode so that you can see all the data your bot receives. If you want to run your bot in debug mode and talk to the bot using Teams instead of Emulator, you can use tunneling: https://learn.microsoft.com/azure/bot-service/bot-service-debug-channel-ngrok
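How a bot can use the `from` property described in the answer above to attribute each card action to a member; this is an added example, not code from the post or from Microsoft. The activity is constructed sample data with made-up ids, and the `requestId`, `choice` and `userId` fields in the card payload are hypothetical.

```javascript
// Added example. Constructed sample of an activity a bot receives when a
// member presses Action.Submit on a card; every id and value is made up.
const sampleActivity = {
  type: "message",
  channelId: "msteams",
  from: {
    id: "29:constructed-teams-user-id",
    name: "Constructed User",
    aadObjectId: "00000000-0000-0000-0000-000000000001",
  },
  // Card payload; "userId" is a hypothetical field a card author might embed.
  value: { requestId: "REQ-1", choice: "approve", userId: "someone-else" },
};

// Identity is taken from activity.from, never from a field inside the card data.
function identifyActor(activity) {
  const from = activity && activity.from;
  if (!from || typeof from.id !== "string" || from.id === "") {
    throw new Error("activity has no usable from.id");
  }
  return { id: from.id, name: from.name || null, aadObjectId: from.aadObjectId || null };
}

// responses: Map(requestId -> Map(actor id -> { choice, name })).
// A repeat click by the same member overwrites that member's earlier choice.
function recordResponse(responses, activity) {
  const actor = identifyActor(activity);
  const data = activity.value || {};
  if (typeof data.requestId !== "string" || typeof data.choice !== "string") {
    throw new Error("card payload is missing requestId or choice");
  }
  if (!responses.has(data.requestId)) responses.set(data.requestId, new Map());
  responses.get(data.requestId).set(actor.id, { choice: data.choice, name: actor.name });
  return actor;
}

const responses = new Map();
const actor = recordResponse(responses, sampleActivity);
console.log(actor.name + " (" + actor.id + ") chose " + responses.get("REQ-1").get(actor.id).choice);
```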

Detecting Phone numbers in iOS App

I am developing an iOS app, where I would need to access the phone number of the user logging in, query the DB to check if the phone number exists as an entry & finally display an alert to the user. Is it possible?
Read Apple's response on this kind of app rejection:
"For security reasons, iPhone OS restricts an application (including its preferences and data) to a unique location in the file system. This restriction is part of the security feature known as the application's "sandbox." The sandbox is a set of fine-grained controls limiting an application's access to files, preferences, network resources, hardware, and so on."
So it's not possible for your application to read the user's number; the best way is to ask him to enter it and validate it at your server end!
More detail about SandBox here
It's not possible to detect phone numbers from an app.
However, there are solutions that allow phone number verification (after the user inputs his phone number) by placing missed calls.
I have used such a solution provided by an India-based company named ZipDial.
Check the section titled "Mobile Number Verification" in the link above.

Add a link to my iPhone app before submission ("Catch 22")

I use the Facebook API for iOS, which enables posting content to the Facebook wall. The API allows custom links to be added next to "Like" and "Comment". I would like to add "Get App" here which links to my app on App Store, but how do I do this when my App ID will not be known to me before the app is actually approved? ("Chicken-and-egg" situation)
Possible solutions:
A) Link to a temporary URL which is changed to the App Store link after approval
B) Wait until version 1.1 to add this, when the App ID is known
Is there any other way to accomplish this?
You get an App ID once you create an app in iTunes Connect. That means you get the ID before you publish the app and it doesn't change when the app goes through the review or publishing process. I'm not able to make a screenshot right now, but it's easily found in the top left corner when you click on manage apps > your app.
Some ISPs and independent providers offer domain name services that would help here, possibly.
I use EasyDNS, but there are other options.
The idea is that you register a domain name with them and purchase a plan that includes web forwarding. Web forwarding lets you send any web traffic for your domain to a specific URL.
You temporarily forward to any URL you like (presumably a page on your regular site, maybe a "Coming soon" page). Then, when you receive the real URL, change the forwarding to point there.
It might take a day or so for the change to percolate across the whole interweb, but generally you can see and test results fairly quickly yourself, or at least that's been my experience.

Webtrends - How to test it's working

I have been given a Webtrends DCSID number that is linked with my client's Webtrends account.
However, I have not been given access to the client's account, so I have no way of verifying if the reporting is working.
Is there a way to verify if it is working, e.g. setting up a trial account to test on?
The target is an iPhone app
You can also download an HTTP monitoring tool that will show you everything that is sent to Webtrends when the tag fires. It won't show you what the reports will look like, but testing the tag should really be the first step in any tagging implementation. If the tagging doesn't work as expected, the reports won't work either. :)
Standalone tools: Fiddler (free) or HttpWatch (basic or paid). Firefox Add-on: HTTPfox (free).
To test how the tag fires from an iPhone, you will need to either use a User Agent switcher/spoofer in your desktop browser, or use an actual iPhone and monitor the traffic using Fiddler—here are instructions. Once you install one of these, look for the hits to http(s)://statse.webtrendslive.com/[the client's DCSID]/dcs.gif?etcetera
You can go to https://tagbuilder.webtrends.com and generate the needed files for tracking, e.g. an empty HTML page and the JavaScript. If possible, upload both to a test webspace and access the page. Type into the address bar
javascript:dcsDebug();
and a small popup will appear. You will now see all the information collected by the JavaScript and what would be sent to the SDC server.
If needed, ask your customer to send you the logfiles of the SDC and compare the logs with your activity.
