A response to recent reporting in Germany, in service of clarity and accountability:
-
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp is pishing possible with passkey?
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp could you hinder people to pose as Signal support?
-
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams. 7/
@signalapp Looool.
Did you quote the Europol guy on purpose: "access communication via a front door"?
🥰
Andre Meister (@andre_meister@chaos.social)
Attached: 1 video Die Polizei will keine Hintertür zu verschlüsselter Kommunikation. Sie wollen eine Vordertür. Sagte Europol-Vizechef Jürgen Ebner gestern im EU-Parlament.
chaos.social (chaos.social)
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp You're expecting those ass clowns to assume any responsibility themselves? No, from their point of view you'll be the scapegoat and you'll enjoy it.
-
As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account. 6/
@signalapp
I was under the assumption that there is a one-to-one relationship between any Signal account and a phone number, in difference to e.g. Matrix and Threema. And I somehow believed altering a phone number would not restore user data (unless I restore it from backup, on my device). I'd much appreciate some more information on when/how data and keys are transferred where. -
@olliausstuhr @signalapp @Chantology
"most people" do not have the power to frame what was technically their own fault as a "hack". They also can't call for "consequences" via the media.@ax11 @Chantology @signalapp
I think they have the opportunity, but it won't be noticed by such a large audience. -
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
First question that pops up:
Why the hell is anyone allowed to pose as something similar as „Signal support“?Second: How is such an organisation allowed to use a system
Like Signal? How does Signal apply to the legal needs of such Orgs? It seems that there are some serious issues here because the told features of Signal stand in contrast to legal needs (audits?), but Im no expert in this topic. -
@signalapp in "Settings" -> "Account": "PIN reminders"
@dujmovivo @bohwaz @signalapp omg ty
-
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
@ahltorp @davep @jtb @signalapp People have been trying to scam me since the 90s and I've always seen through it or taken a moment to check. Even so, I got had a couple of months ago by a very obvious piece of social engineering. All it takes is being tired, or stressed, or distracted, or all three, and you just go into automatic when asked to do something. I had to change all my passwords, update all my 2FA, change email addresses used for logins, etc.
It can happen to anyone.
Edit: typo
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb Watch what you call the President of the German Parliament! /s
-
Sorry, Signal, no offense, but especially when it comes to politicians, one would think they’d use their own nationwide messaging app that has nothing to do with the general user base. Back in the day, they even had their own dedicated work devices.
-
First question that pops up:
Why the hell is anyone allowed to pose as something similar as „Signal support“?Second: How is such an organisation allowed to use a system
Like Signal? How does Signal apply to the legal needs of such Orgs? It seems that there are some serious issues here because the told features of Signal stand in contrast to legal needs (audits?), but Im no expert in this topic.@expertenkommision_cyberunfall @signalapp To the first question: signal does not have access to your profile name or profile picture.
-
@signalapp
I was under the assumption that there is a one-to-one relationship between any Signal account and a phone number, in difference to e.g. Matrix and Threema. And I somehow believed altering a phone number would not restore user data (unless I restore it from backup, on my device). I'd much appreciate some more information on when/how data and keys are transferred where.@derfopps @signalapp you can transfer your account to a new number, in case you change your phone number and want to retain your chat history and contacts.
-
@expertenkommision_cyberunfall @signalapp To the first question: signal does not have access to your profile name or profile picture.
But ut can prevent typical names and combinations without access to the setting
-
@signalapp "Sophisticated"...
This is just catastrophic negligence from our arrogant, conservative German government. It really isn't that hard to phish them... Let's hope someone like the FSB won't try. Otherwise, we're so fucking cooked.Thank you @signalapp for making sure that phishing even those people with tech-support fakes will be harder in the future.
@rogue_cells @signalapp For what it's worth, European intelligence agencies already blamed Russia for this current phishing attack
-
@ahltorp @davep @jtb @signalapp People have been trying to scam me since the 90s and I've always seen through it or taken a moment to check. Even so, I got had a couple of months ago by a very obvious piece of social engineering. All it takes is being tired, or stressed, or distracted, or all three, and you just go into automatic when asked to do something. I had to change all my passwords, update all my 2FA, change email addresses used for logins, etc.
It can happen to anyone.
Edit: typo
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
-
@nuk3 @signalapp I wonder what issue they have with Matrix?! They could just spin up their own sever.
-
@ax11 @Chantology @signalapp
I think they have the opportunity, but it won't be noticed by such a large audience.@olliausstuhr @ax11 @signalapp @Chantology Being "used" to technology doesn't always help. Here are two examples of people who should know their stuff getting scammed:
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
Troy Hunt (www.troyhunt.com)
If you think you can't be scammed, think again.
-
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
@jtb @ahltorp @davep @signalapp And they are saying that because people do. Because it's easy for a con artist to convince some people who may just be vulnerable at that moment to give it to them.
