A response to recent reporting in Germany, in service of clarity and accountability:
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp As you allude to, there has been a lot of misleading reporting about Signal being “hacked.” However, one substantial issue is worth mentioning: Signal asks users to enter their PIN from time to time. This can be switched off in the settings, but most users probably leave it enabled.
So while this is not Signal *Support* asking for your PIN, it is the Signal *App* asking. Less technically minded users may not clearly understand the difference.
-
@signalapp it's hilarious how it gets framed as a hack when it's just the incompetence of a politician who was warned REPEATEDLY that this specific phishing attack is targeting high profile politicians and STILL fell for it
️
And those are the same people who decide about the deployment of shit like Palantir into our infrastructure.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
-
S simonjust@mstdn.dk shared this topic
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp thanks for sharing this. This could have been a blog
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp appreciate the effort to combat scams!
social engineering will unfortunately always exist in some capacity but that reporting is particularly sloppy, framing a phishing campaign as compromised encryption
-
@signalapp What credentials? not just a phone number presumably.
@jtb Read the thread
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@signalapp in "Settings" -> "Account": "PIN reminders"
-
@jtb Read the thread
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp das Internet ist für uns alle Neuland…
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
-
@signalapp German politicians are not that much used to technology ^^
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp
if it was a signal message coming from another signal account in a *chat*, it is not real.
But it was probably not a message but a banner in the list of your chats, which is real, doesn't look like a chat and exists to make sure users don't forget their pin, as they cannot reset it without data loss when it is needed.
You can deactivate pin reminders, see here
https://support.signal.org/hc/de/articles/360007059792-Signal-PIN#pin_reminders -
And those are the same people who decide about the deployment of shit like Palantir into our infrastructure.
@Brynawel don't we all feel safe now
@signalapp -
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp clicking “Account” leaves only one choice: “delete all data.” Is Signal on IOS different from the version you are using?
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat. -
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
-
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. 2/
@signalapp you can't secure stupid.
-
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
@ahltorp @jtb @signalapp Indeed
-
@signalapp German politicians are not that much used to technology ^^
@Chantology @signalapp immer no Neuland
-
@signalapp das Internet ist für uns alle Neuland…
Sorry, Signal, no offense, but especially when it comes to politicians, one would think they’d use their own nationwide messaging app that has nothing to do with the general user base. Back in the day, they even had their own dedicated work devices.
