A response to recent reporting in Germany, in service of clarity and accountability:
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp das Internet ist für uns alle Neuland…
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
-
@signalapp German politicians are not that much used to technology ^^
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp
if it was a signal message coming from another signal account in a *chat*, it is not real.
But it was probably not a message but a banner in the list of your chats, which is real, doesn't look like a chat and exists to make sure users don't forget their pin, as they cannot reset it without data loss when it is needed.
You can deactivate pin reminders, see here
https://support.signal.org/hc/de/articles/360007059792-Signal-PIN#pin_reminders -
And those are the same people who decide about the deployment of shit like Palantir into our infrastructure.
@Brynawel don't we all feel safe now
@signalapp -
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp clicking “Account” leaves only one choice: “delete all data.” Is Signal on IOS different from the version you are using?
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat. -
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
-
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. 2/
@signalapp you can't secure stupid.
-
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
@ahltorp @jtb @signalapp Indeed
-
@signalapp German politicians are not that much used to technology ^^
@Chantology @signalapp immer no Neuland
-
@signalapp das Internet ist für uns alle Neuland…
Sorry, Signal, no offense, but especially when it comes to politicians, one would think they’d use their own nationwide messaging app that has nothing to do with the general user base. Back in the day, they even had their own dedicated work devices.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp Thanks for the transparency folks!
-
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat.@sodiboo @farshidhakimy @signalapp That is what it looks like! Thank you, both! I guess I need to remember my pin.
-
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. 2/
@signalapp "Sophisticated"...
This is just catastrophic negligence from our arrogant, conservative German government. It really isn't that hard to phish them... Let's hope someone like the FSB won't try. Otherwise, we're so fucking cooked.Thank you @signalapp for making sure that phishing even those people with tech-support fakes will be harder in the future.
-
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp Another "we're clean on opsec" moment, after which the "high-quality media" just assumes it's Signals fault.
Luckily, our German govt. hasn't reached the orange fascist-clown level of stupid yet... but who knows who the people are gonna vote for in the next elections... 🫠
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp The one you see on the bottom of the home screen as a dialogue in the app itself is genuine & it's all processed locally. It's just to help you remember your PIN by repetition so you're less at risk of losing your account by forgetting your PIN. If you received a message asking that (not a dialogue on the app's home screen), it's fake.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp I wonder what the motivation behind this attack is. There's no money to be made from stealing Signal accounts, except maybe by extortion.
-
@MFennVT @signalapp The one you see on the bottom of the home screen as a dialogue in the app itself is genuine & it's all processed locally. It's just to help you remember your PIN by repetition so you're less at risk of losing your account by forgetting your PIN. If you received a message asking that (not a dialogue on the app's home screen), it's fake.
@jackemled Thank you! @signalapp
-
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat.@sodiboo @MFennVT @signalapp This is a very fine distinction for many users. I understand why Signal has the question, and I also understand that it is difficult for Signal to present it in a way that makes the distinction obvious to all users. But even though it is a difficult problem, it is still a very important one to solve.
