A response to recent reporting in Germany, in service of clarity and accountability:
-
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat.@sodiboo @MFennVT @signalapp This is a very fine distinction for many users. I understand why Signal has the question, and I also understand that it is difficult for Signal to present it in a way that makes the distinction obvious to all users. But even though it is a difficult problem, it is still a very important one to solve.
-
@olliausstuhr @signalapp @Chantology
"most people" do not have the power to frame what was technically their own fault as a "hack". They also can't call for "consequences" via the media. -
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp if you start asking for email, you know you will get A LOT of deltachat fans to make jokes about it, right?
(not saying that email is a solution for this, but whatsapp started asking for an email for "security reasons", so delta fans mocked them)
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp Signal, we love you and always suspect reporters confuse users lack of security with service and app security. I push Signal whenever I can.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
"blame the victim" mentality is a big help (/s)
scammers thank you for redirecting blame
-
@signalapp you can't secure stupid.
yes but you can work hard to make things as secure as possible, and communicate clearly and broadly, which is what signal is doing
because we're all stupid, in some way or another, and we get conned when we believe we're not stupid
the greatest aid to security is humility
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp not the app sw needs only to be made safe for normal people. We need another app for politiicians in special. Because they are not used to the thought they are controlled. Instead they believe they only controll other people.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp
Not necessarily daft. A little ignorance is enough to get someone in trouble with social engineering. -
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp uncheck pin reminder in setting accounts.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp that's not the pop up for checking your code?
-
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp is pishing possible with passkey?
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp could you hinder people to pose as Signal support?
-
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams. 7/
@signalapp Looool.
Did you quote the Europol guy on purpose: "access communication via a front door"?
🥰 -
@signalapp I wonder what the motivation behind this attack is. There's no money to be made from stealing Signal accounts, except maybe by extortion.
@jackemled @signalapp Not money, but power, is often a bigger motive, and gaining this sort of information can tip an election etc. Look at the UK's Cambridge analytica data scandal
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp You're expecting those ass clowns to assume any responsibility themselves? No, from their point of view you'll be the scapegoat and you'll enjoy it.
-
As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account. 6/
@signalapp
I was under the assumption that there is a one-to-one relationship between any Signal account and a phone number, in difference to e.g. Matrix and Threema. And I somehow believed altering a phone number would not restore user data (unless I restore it from backup, on my device). I'd much appreciate some more information on when/how data and keys are transferred where. -
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
First question that pops up:
Why the hell is anyone allowed to pose as something similar as „Signal support“?Second: How is such an organisation allowed to use a system
Like Signal? How does Signal apply to the legal needs of such Orgs? It seems that there are some serious issues here because the told features of Signal stand in contrast to legal needs (audits?), but Im no expert in this topic. -
@signalapp in "Settings" -> "Account": "PIN reminders"
@dujmovivo @bohwaz @signalapp omg ty
-
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
@ahltorp @davep @jtb @signalapp People have been trying to scam me since the 90s and I've always seen through it or taken a moment to check. Even so, I got had a couple of months ago by a very obvious piece of social engineering. All it takes is being tired, or stressed, or distracted, or all three, and you just go into automatic when asked to do something. I had to change all my passwords, update all my 2FA, change email addresses used for logins, etc.
It can happen to anyone.
Edit: typo
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb Watch what you call the President of the German Parliament! /s
