We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp Why not change the message to "To setup Signal on your new phone, please enter code ..." to make it absolutely clear what the code is for and create additional friction for scammers as they'll have to come up with an excuse as to why it says new phone.
-
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
@signalapp LOL! The day Signal puts a bot in the app would be the day I stop using it…
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp Can you guys look into better methods to authenticate users other than simple SMS/PIN codes (security keys, passkeys, etc.)? Unfortunately even adding a little warning to not to share the code in the text message may not be enough to prevent these sorts of phishing attacks from happening.
-
@kkarhan@infosec.space since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
@gettie @kkarhan there's an obvious problem worldwide for using a telephone number as an identifier for any comms the national govt might not approve of.
Telephone numbers are *not* property owned by the enduser or even the telephone company - they are considered public resources administered by the Communications Ministry of each nation, which does make sense as there's a limited amount of them for each country!
So the govt will *always* feel entitled to investigate what they are used for, the same way there are speed limits, road signs and CCTV on the public street and often more restrictions on what you can do in public places as opposed to a private gathering...
-
@kkarhan@infosec.space since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
-
@signalapp@mastodon.world @kkarhan@infosec.space I then hereby register myself as incompetent.
First I will just block "Signal Support".
Then I will block all with "Signal" in it, and be hated by "Rescue Signal Inc.", "Weak Signal Detector" and "Signal Noise Ratio". But people will get over it.
Then I will also block Signаl, which looks the same but is encoded differently. Damn russian hackers with their alphabet.
Next Turkish hackers will succeed with their phishing campaign using the name Sıgnal, so I will block those.
And after all this I will sadly witness that people even fall for Signa|, S!gnal, Singal, Sagnil and Signel, so I will block all those too.
In the end the journalist "Jesse Singal" will sue me to death because I blocked them.
I really know no good way to avoid this. Best I can think of is having a special icon only the real Signal support can use - but then people who do not know about it will keep falling for it.@divVerent The problem is that @signalapp mandates #PII like #PhoneNumbers, which is critical for said #phishing...
- If they actually did their infrastrutre setup correctly, this would not have been possible in the first place - ffs!
- That's why I've never even seen nor heard of any #PhishingAttacks on #XMPP+#OMEMO because you don't have to self-d0x to a #centralized, proprietary, #SingleVendor & #SingleProvider messenger which can't even be assed to get their garbage off #aws!
#Signal can spout all their "#Metadata" - #FUD all day but in the end they fall under #CloudAct and will snitch on users because if they didn't it would've been a statistical inevitability that @Mer__edith and #Moxie would've been in jail and Signal shutdown like #EncroChat was.
- Make of that what you will, but demanding a #PhoneNumber [which is either directly ("#KYC!") or indirectly / circumstantially linked to a person should be seen as *THE BIGGEST RED FLAG for any service.
- If they actually did their infrastrutre setup correctly, this would not have been possible in the first place - ffs!
-
@gettie @kkarhan there's an obvious problem worldwide for using a telephone number as an identifier for any comms the national govt might not approve of.
Telephone numbers are *not* property owned by the enduser or even the telephone company - they are considered public resources administered by the Communications Ministry of each nation, which does make sense as there's a limited amount of them for each country!
So the govt will *always* feel entitled to investigate what they are used for, the same way there are speed limits, road signs and CCTV on the public street and often more restrictions on what you can do in public places as opposed to a private gathering...
@vfrmedia @gettie Point is that #Telco regulations stems from #Telegraphy and #Postal operations, and whilst there are legitimate reasons for #regulators to disconnect phone lines (otherwise #robocalling and #SMS-#Spam would be even more rampant than #eMail-#Spamming!)
- Which OFC also intertwines with "#LawfulInterception" and the means of Governments to exercise control.
- So anything claiming #security must inherently acknowledge the unfixable #insecurity of the #PSTN and completely cease using it and it's per-design compromised Infrastructure as a matter of principle.
That's why any "#secure communications" treats it as a hostile network and not to be trusted!
- And that's not even scratching the surface that countries try to outlaw #anonymity - starting with #Prepaid - #SIM - Cards.
- Because those traditionally had no reason for "#KYC" as there was no means for a customer to incur #debt or commit #fraud against the telco that provided said services, so there was [and IMHO still is] no "legitimate interest" in demanding any #ID for those, as any crime committed would be investigated with the existing #Govware inside the networks and thus found out.
- Which OFC also intertwines with "#LawfulInterception" and the means of Governments to exercise control.
-
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp
Those reminders can be ignored. -
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp phone number required! fine.
but can't you add an option at the bottom of the screen to skip that and use a randomized ID like @session does
Also, to migrate to a new phone one needs to enable every sensor on their phone (including GPS), can't we just generate and scan a QR code and use our secret PIN as a 2FA?!!
-
@signalapp These attacks wouldn't be possible if you stopped requiring phone numbers
@scathach this
️ x1000 -
@divVerent The problem is that @signalapp mandates #PII like #PhoneNumbers, which is critical for said #phishing...
- If they actually did their infrastrutre setup correctly, this would not have been possible in the first place - ffs!
- That's why I've never even seen nor heard of any #PhishingAttacks on #XMPP+#OMEMO because you don't have to self-d0x to a #centralized, proprietary, #SingleVendor & #SingleProvider messenger which can't even be assed to get their garbage off #aws!
#Signal can spout all their "#Metadata" - #FUD all day but in the end they fall under #CloudAct and will snitch on users because if they didn't it would've been a statistical inevitability that @Mer__edith and #Moxie would've been in jail and Signal shutdown like #EncroChat was.
- Make of that what you will, but demanding a #PhoneNumber [which is either directly ("#KYC!") or indirectly / circumstantially linked to a person should be seen as *THE BIGGEST RED FLAG for any service.
@kkarhan@infosec.space @signalapp@mastodon.world @Mer__edith@mastodon.world I do boycott Signal for the same reason - I will not use a messenger that requires a phone number.
Also because my phone number already changed like 5 to 10 times in my life. It simply sucks as an identifier.
But this has nothing to do with the attack in question, and nothing at all with control over usernames as you alluded to in your previous post. You can literally attack every service that does SMS 2FA with that (also a good reason to not do SMS 2FA, neither any other phone number identified 2FA - as it means that all you need for a good phish is the the phone number, which both allows you to attempt account recovery and is also a communication channel from you to your victim. I can list a bunch of services that are very likely vulnerable to the exact same attack:
- Telegram
- WhatsApp
- Gmail
- Your bank account (in particular basically all US banks)
- GitHub
Personally I am still using #Matrix, but I don't quite like it either. The protocol is overengineered and all clients suck (and there aren't even many clients to begin with that actually work, which is specifically the case because the protocol is so messy).
I actually had used XMPP before, but for me it kinda died when mobile devices came along and XMPP didn't learn a good way for push notifications without keeping a TCP connection to the service open at all times . Really sucks when e.g. being on a train. Seems XEP-0357 from 2020 fixes that (not sure if it by now has a good story for multi device + offline messages, so you can connect sometimes with this device, sometimes with that one, and see full message history from both, and can also receive messages when none is online), but that shows the other problem of XMPP: everything is an extension and you can never know which feature set your server supports, and then you also need to know which feature set works with the people you talk to... IMHO they should collect a good set of XEPs and name it Jabber 2.0 or whatever, then servers and clients at least know what to align to. With that XMPP would actually have good chances at replacing Matrix. - If they actually did their infrastrutre setup correctly, this would not have been possible in the first place - ffs!
-
@kkarhan@infosec.space @signalapp@mastodon.world @Mer__edith@mastodon.world I do boycott Signal for the same reason - I will not use a messenger that requires a phone number.
Also because my phone number already changed like 5 to 10 times in my life. It simply sucks as an identifier.
But this has nothing to do with the attack in question, and nothing at all with control over usernames as you alluded to in your previous post. You can literally attack every service that does SMS 2FA with that (also a good reason to not do SMS 2FA, neither any other phone number identified 2FA - as it means that all you need for a good phish is the the phone number, which both allows you to attempt account recovery and is also a communication channel from you to your victim. I can list a bunch of services that are very likely vulnerable to the exact same attack:
- Telegram
- WhatsApp
- Gmail
- Your bank account (in particular basically all US banks)
- GitHub
Personally I am still using #Matrix, but I don't quite like it either. The protocol is overengineered and all clients suck (and there aren't even many clients to begin with that actually work, which is specifically the case because the protocol is so messy).
I actually had used XMPP before, but for me it kinda died when mobile devices came along and XMPP didn't learn a good way for push notifications without keeping a TCP connection to the service open at all times . Really sucks when e.g. being on a train. Seems XEP-0357 from 2020 fixes that (not sure if it by now has a good story for multi device + offline messages, so you can connect sometimes with this device, sometimes with that one, and see full message history from both, and can also receive messages when none is online), but that shows the other problem of XMPP: everything is an extension and you can never know which feature set your server supports, and then you also need to know which feature set works with the people you talk to... IMHO they should collect a good set of XEPs and name it Jabber 2.0 or whatever, then servers and clients at least know what to align to. With that XMPP would actually have good chances at replacing Matrix.@divVerent @signalapp @Mer__edith Yeah, I know folks that have changed phone numbers more frequent than addresses, license plates, employers and cars in the same time...
- Some places even treat #PhnoneNumbers as "immuteable"...
- See r / #SoftwareGore!
- Some places even treat #PhnoneNumbers as "immuteable"...
-
@vfrmedia @gettie Point is that #Telco regulations stems from #Telegraphy and #Postal operations, and whilst there are legitimate reasons for #regulators to disconnect phone lines (otherwise #robocalling and #SMS-#Spam would be even more rampant than #eMail-#Spamming!)
- Which OFC also intertwines with "#LawfulInterception" and the means of Governments to exercise control.
- So anything claiming #security must inherently acknowledge the unfixable #insecurity of the #PSTN and completely cease using it and it's per-design compromised Infrastructure as a matter of principle.
That's why any "#secure communications" treats it as a hostile network and not to be trusted!
- And that's not even scratching the surface that countries try to outlaw #anonymity - starting with #Prepaid - #SIM - Cards.
- Because those traditionally had no reason for "#KYC" as there was no means for a customer to incur #debt or commit #fraud against the telco that provided said services, so there was [and IMHO still is] no "legitimate interest" in demanding any #ID for those, as any crime committed would be investigated with the existing #Govware inside the networks and thus found out.
UK still sells prepaid SIMs but all providers either nudge you to have them delivered to a physical address and only allow cashless topups, or if you buy them from the shop it has CCTV (authorities have used this to catch those using PAYG SIMs for drug dealing lines and/or gang activity)
I'm slightly surprised I haven't been pulled over as I've been driving around with as many as 6-7 active mobile devices in my car (driving solo in a relatively small hatchback), but I suspect authorities already know from ANPR and my movements (plus the nature of these SIMS and devices) they are for frontline health and social care workers and not anything sinister..
- Which OFC also intertwines with "#LawfulInterception" and the means of Governments to exercise control.
-
UK still sells prepaid SIMs but all providers either nudge you to have them delivered to a physical address and only allow cashless topups, or if you buy them from the shop it has CCTV (authorities have used this to catch those using PAYG SIMs for drug dealing lines and/or gang activity)
I'm slightly surprised I haven't been pulled over as I've been driving around with as many as 6-7 active mobile devices in my car (driving solo in a relatively small hatchback), but I suspect authorities already know from ANPR and my movements (plus the nature of these SIMS and devices) they are for frontline health and social care workers and not anything sinister..
@vfrmedia @gettie In fact, many places will literally note that down in their #LawfulInterception system (i.e. in Germany).
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
- So even if they ever looked up why half a dozen devices are there, they'd quickly came to the conclusion that you are a known bona fide user and the other devices are too.
Tho for most stochastic surveillance the number of SIMs and devices isn't that high that you'd cause suspicion, given a lot of #IoT garbage has at least a #4G or #5G - modem in it to send telemetry and that 7 devices can also be assumed 1 fro the #eCall of the car and 3 people with 1 #DualSIM phone or a regular phone + laptop with WWAN modem each.
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
-
@unaegeli
-That's a different code
-It's very clearly a popup, and not in a chat
-To abuse it, one would already need access to the account, i.e. through having completed the other attackI feel like that reminder is distinct enough as it is
@signalappI see the difference now, thanks.
-
@vfrmedia @gettie In fact, many places will literally note that down in their #LawfulInterception system (i.e. in Germany).
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
- So even if they ever looked up why half a dozen devices are there, they'd quickly came to the conclusion that you are a known bona fide user and the other devices are too.
Tho for most stochastic surveillance the number of SIMs and devices isn't that high that you'd cause suspicion, given a lot of #IoT garbage has at least a #4G or #5G - modem in it to send telemetry and that 7 devices can also be assumed 1 fro the #eCall of the car and 3 people with 1 #DualSIM phone or a regular phone + laptop with WWAN modem each.
my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.
Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.
There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
-
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp i know right??
-
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
@signalapp probably doesn't help that your app suggests that I verify my PIN - which apparently I will ever need? - every time I'm in it.
-
my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.
Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.
There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)
@vfrmedia I mean in any juristictions it's legal for police to randomly pull over cars, check license & registration and ask for mandatory safety equient like Warning Triangle, First Aid Kit and Retroflective Vest to be presented.
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
- I mean, police do it all the time whenever they feel like it, and whilst theybdon't admit to it, I'm pretty shure they check way more plates than they pull over because they prefer to skip all the uninteresting ones…
- Cuz lets face it: It'll only waste time if they pull over some retirement-aged women who's only negative data on file - a parking ticket in the 1990s - is long expunged from records vs. someone with a decent record driving suspiciously orderly…
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp@mastodon.world #Alt4You Better alt-text
A SMS message from Signal, reads:
SIGNAL code: 751912. Do not share this code with anyone. If anyone asks it's a SCAM. Our reps will NEVER ask for it.
