We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists.
-
@unaegeli
-That's a different code
-It's very clearly a popup, and not in a chat
-To abuse it, one would already need access to the account, i.e. through having completed the other attackI feel like that reminder is distinct enough as it is
@signalappI see the difference now, thanks.
-
@vfrmedia @gettie In fact, many places will literally note that down in their #LawfulInterception system (i.e. in Germany).
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
- So even if they ever looked up why half a dozen devices are there, they'd quickly came to the conclusion that you are a known bona fide user and the other devices are too.
Tho for most stochastic surveillance the number of SIMs and devices isn't that high that you'd cause suspicion, given a lot of #IoT garbage has at least a #4G or #5G - modem in it to send telemetry and that 7 devices can also be assumed 1 fro the #eCall of the car and 3 people with 1 #DualSIM phone or a regular phone + laptop with WWAN modem each.
my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.
Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.
There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)
- I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
-
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp i know right??
-
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
@signalapp probably doesn't help that your app suggests that I verify my PIN - which apparently I will ever need? - every time I'm in it.
-
my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.
Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.
There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)
@vfrmedia I mean in any juristictions it's legal for police to randomly pull over cars, check license & registration and ask for mandatory safety equient like Warning Triangle, First Aid Kit and Retroflective Vest to be presented.
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
- I mean, police do it all the time whenever they feel like it, and whilst theybdon't admit to it, I'm pretty shure they check way more plates than they pull over because they prefer to skip all the uninteresting ones…
- Cuz lets face it: It'll only waste time if they pull over some retirement-aged women who's only negative data on file - a parking ticket in the 1990s - is long expunged from records vs. someone with a decent record driving suspiciously orderly…
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp@mastodon.world #Alt4You Better alt-text
A SMS message from Signal, reads:
SIGNAL code: 751912. Do not share this code with anyone. If anyone asks it's a SCAM. Our reps will NEVER ask for it. -
@vfrmedia I mean in any juristictions it's legal for police to randomly pull over cars, check license & registration and ask for mandatory safety equient like Warning Triangle, First Aid Kit and Retroflective Vest to be presented.
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
- I mean, police do it all the time whenever they feel like it, and whilst theybdon't admit to it, I'm pretty shure they check way more plates than they pull over because they prefer to skip all the uninteresting ones…
- Cuz lets face it: It'll only waste time if they pull over some retirement-aged women who's only negative data on file - a parking ticket in the 1990s - is long expunged from records vs. someone with a decent record driving suspiciously orderly…
@kkarhan here they tend to use ANPR hits and sometimes "public concerns" (there's a lot of nosey white folk reporting all the social carers for perceived bad driving simply because the carers are Black and brown)
UK just needs valid inspection record, tax and insurance (which cops can often check via mobile data terminals without going near the car), we aren't required to have the triangle, first aid kit and hi vis (although I carry these things anyway simply as it makes sense to have them)
- And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
-
While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.
@signalapp SMS!?
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp it is perfectly clear. RUP to the people who got duped's accounts
-
While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.
@signalapp implementing authentication using more secure methods (passkeys, physical security keys) could eliminate that risk.
-
@ExcelAnalytics @signalapp not only that, the entire concept of demaning a #PhoneNumber to use #Signal is inherently and irredeemably wrong to begin with!
@kkarhan
This has always struck me as the strangest complaint about Signal.You don't need to distribute your phone number to actually communicate with other signal users.
Presumably you want some form of 2fa, because losing your account would be bad.
And you don't want to be tied to some cloud based email provider.
And it's literally a phone app so every single user has the dependency.
-
@kkarhan
This has always struck me as the strangest complaint about Signal.You don't need to distribute your phone number to actually communicate with other signal users.
Presumably you want some form of 2fa, because losing your account would be bad.
And you don't want to be tied to some cloud based email provider.
And it's literally a phone app so every single user has the dependency.
@lackthereof it's not a "strange complaint", but a massive problem, because it creates dependency on a proven insecure network that is more often than not controlled if not run by hostile actors…
- Also #eMail, like #XMPP+#OMEMO, is based around #OpenStandards so you ain't forced to use any provider that is subject to #CloudAct nor known to snitch on customers without a valid domestic warrant…
- And if you trust noone, you can just host your eMail Server on a Rasberry Pi at home. It'll certainly be less convenient and more expensive but the you also get all the benefits of it being not possible to seize it without breaking into your home.
@signalapp mandating #PhoneNumners is a huge red flag because at best any #PhoneNumber is pseudonymous like a #Shitcoin-Wallet and that any #privacy is broken the moment it has any (even remotely circumstantial) connection to someone.
- Because even if you ain't forced into #SelfDoxxing to obtain a #Prepaid - #SIM (aka. "#KYC") and/or Phone Number it is still a bad design.
Not to mention #Signal's #App is a huge shitshow…
- Also #eMail, like #XMPP+#OMEMO, is based around #OpenStandards so you ain't forced to use any provider that is subject to #CloudAct nor known to snitch on customers without a valid domestic warrant…
-
@lackthereof it's not a "strange complaint", but a massive problem, because it creates dependency on a proven insecure network that is more often than not controlled if not run by hostile actors…
- Also #eMail, like #XMPP+#OMEMO, is based around #OpenStandards so you ain't forced to use any provider that is subject to #CloudAct nor known to snitch on customers without a valid domestic warrant…
- And if you trust noone, you can just host your eMail Server on a Rasberry Pi at home. It'll certainly be less convenient and more expensive but the you also get all the benefits of it being not possible to seize it without breaking into your home.
@signalapp mandating #PhoneNumners is a huge red flag because at best any #PhoneNumber is pseudonymous like a #Shitcoin-Wallet and that any #privacy is broken the moment it has any (even remotely circumstantial) connection to someone.
- Because even if you ain't forced into #SelfDoxxing to obtain a #Prepaid - #SIM (aka. "#KYC") and/or Phone Number it is still a bad design.
Not to mention #Signal's #App is a huge shitshow…
@kkarhan
Email is, in practice, a privacy shit show equal to or greater than phone numbers. Either you self-host, which means you have an isp and a DNS provider at minimum who can reveal your identity on their whims, even if you lie on a whois record. Or you use one of the mega free providers with all their conflicts of interest and data mining. Or you use a paid provider which opens up all the payment chain to trace back to you on top of everything elseTo get a phone number I can walk to the corner convenience store and, with cash payment and no ID, purchase a prepaid SIM card. I can pay cash to refill it every month.
- Also #eMail, like #XMPP+#OMEMO, is based around #OpenStandards so you ain't forced to use any provider that is subject to #CloudAct nor known to snitch on customers without a valid domestic warrant…
-
@kkarhan
Email is, in practice, a privacy shit show equal to or greater than phone numbers. Either you self-host, which means you have an isp and a DNS provider at minimum who can reveal your identity on their whims, even if you lie on a whois record. Or you use one of the mega free providers with all their conflicts of interest and data mining. Or you use a paid provider which opens up all the payment chain to trace back to you on top of everything elseTo get a phone number I can walk to the corner convenience store and, with cash payment and no ID, purchase a prepaid SIM card. I can pay cash to refill it every month.
@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
- Even if it's just some App/PBX/… to connect to the provider and constantly state "I am on the network and able to recieve calls!" (with PSTN networks, there a physical line that gets assumed to have a phone connected)…
Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.
- So unless the provider is being taken over or otherwise "cooperative" there's no means for a sender to know where, when and how a message was retrieved unless the recipient wants the sender to know of it!
- Besides, even if you don't have an eMail provider like
cock.liwhich natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down. - In fact, you could even use #Sneakernet - Style distribution through "#MeatProxies" and #DeadDrops (aka. #dr0p) to further twart tracing attempts.
- Besides, even if you don't have an eMail provider like
Or to put it simple:
- You can ring up someone and thus circumstantially verify the chain of #PhoneNumber -> #IMSI -> #ICCID -> #SIM -> #IMEI -> Device -> Location -> Owner quite quickly.
So either way a phone number is just a horrible means of doing that.
- And don't even get me started on the fact that legally speaking noone truly owns their number.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
OnionServicewhich can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
I mean, it's not as if I didn't gave @signalapp a fair chance.
- I wanted #Signal to be good - honestly...
- But I'm old enough that things rarely are that simple as #TechPopulism & #Propaganda claim it to be.
- Just like 5th grade #SexEd is not a substitute for Endocrinology, Gynecology and Andrology and actually licensed, medical professionals.
So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…
- Cuz all the "#Metadata" claims of Signal are complete #MarketingLies by virtue of them storing a Phone Number and not just being (as per admission by @Mer__edith) 'hard locked-in' with #aws but also subject to #CloudAct.
- They certainly are not deploying real #E2EE cuz you neither get #SelfCustody nor #SelfHosting and have to blindly trust them (aka. "#TrustMeBro!") that what they release as #SourceCode is actually what they deploy.
- It's like all those "#VPN" shillings which one cannot verify to be true or false!
THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.
- And I don't mean shit like #Govware of the #SS7 kind, but absolute basics in #ITsec, #InfoSec, #OpSec & #ComSec that every @cryptoparty@chaos.social / @cryptoparty@mastodon.earth / #CryptoParty worth it's name touches on.
- Signal can't and won't save peoples' asses and the sooner we realize that "complex problems are hard to fix" the less we waste Resources on #HoneyPots that stench like #CrytpoAG & #ANØM!
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
-
@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
- Even if it's just some App/PBX/… to connect to the provider and constantly state "I am on the network and able to recieve calls!" (with PSTN networks, there a physical line that gets assumed to have a phone connected)…
Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.
- So unless the provider is being taken over or otherwise "cooperative" there's no means for a sender to know where, when and how a message was retrieved unless the recipient wants the sender to know of it!
- Besides, even if you don't have an eMail provider like
cock.liwhich natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down. - In fact, you could even use #Sneakernet - Style distribution through "#MeatProxies" and #DeadDrops (aka. #dr0p) to further twart tracing attempts.
- Besides, even if you don't have an eMail provider like
Or to put it simple:
- You can ring up someone and thus circumstantially verify the chain of #PhoneNumber -> #IMSI -> #ICCID -> #SIM -> #IMEI -> Device -> Location -> Owner quite quickly.
So either way a phone number is just a horrible means of doing that.
- And don't even get me started on the fact that legally speaking noone truly owns their number.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
OnionServicewhich can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
I mean, it's not as if I didn't gave @signalapp a fair chance.
- I wanted #Signal to be good - honestly...
- But I'm old enough that things rarely are that simple as #TechPopulism & #Propaganda claim it to be.
- Just like 5th grade #SexEd is not a substitute for Endocrinology, Gynecology and Andrology and actually licensed, medical professionals.
So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…
- Cuz all the "#Metadata" claims of Signal are complete #MarketingLies by virtue of them storing a Phone Number and not just being (as per admission by @Mer__edith) 'hard locked-in' with #aws but also subject to #CloudAct.
- They certainly are not deploying real #E2EE cuz you neither get #SelfCustody nor #SelfHosting and have to blindly trust them (aka. "#TrustMeBro!") that what they release as #SourceCode is actually what they deploy.
- It's like all those "#VPN" shillings which one cannot verify to be true or false!
THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.
- And I don't mean shit like #Govware of the #SS7 kind, but absolute basics in #ITsec, #InfoSec, #OpSec & #ComSec that every @cryptoparty@chaos.social / @cryptoparty@mastodon.earth / #CryptoParty worth it's name touches on.
- Signal can't and won't save peoples' asses and the sooner we realize that "complex problems are hard to fix" the less we waste Resources on #HoneyPots that stench like #CrytpoAG & #ANØM!
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
-
@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
- Even if it's just some App/PBX/… to connect to the provider and constantly state "I am on the network and able to recieve calls!" (with PSTN networks, there a physical line that gets assumed to have a phone connected)…
Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.
- So unless the provider is being taken over or otherwise "cooperative" there's no means for a sender to know where, when and how a message was retrieved unless the recipient wants the sender to know of it!
- Besides, even if you don't have an eMail provider like
cock.liwhich natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down. - In fact, you could even use #Sneakernet - Style distribution through "#MeatProxies" and #DeadDrops (aka. #dr0p) to further twart tracing attempts.
- Besides, even if you don't have an eMail provider like
Or to put it simple:
- You can ring up someone and thus circumstantially verify the chain of #PhoneNumber -> #IMSI -> #ICCID -> #SIM -> #IMEI -> Device -> Location -> Owner quite quickly.
So either way a phone number is just a horrible means of doing that.
- And don't even get me started on the fact that legally speaking noone truly owns their number.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
OnionServicewhich can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
I mean, it's not as if I didn't gave @signalapp a fair chance.
- I wanted #Signal to be good - honestly...
- But I'm old enough that things rarely are that simple as #TechPopulism & #Propaganda claim it to be.
- Just like 5th grade #SexEd is not a substitute for Endocrinology, Gynecology and Andrology and actually licensed, medical professionals.
So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…
- Cuz all the "#Metadata" claims of Signal are complete #MarketingLies by virtue of them storing a Phone Number and not just being (as per admission by @Mer__edith) 'hard locked-in' with #aws but also subject to #CloudAct.
- They certainly are not deploying real #E2EE cuz you neither get #SelfCustody nor #SelfHosting and have to blindly trust them (aka. "#TrustMeBro!") that what they release as #SourceCode is actually what they deploy.
- It's like all those "#VPN" shillings which one cannot verify to be true or false!
THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.
- And I don't mean shit like #Govware of the #SS7 kind, but absolute basics in #ITsec, #InfoSec, #OpSec & #ComSec that every @cryptoparty@chaos.social / @cryptoparty@mastodon.earth / #CryptoParty worth it's name touches on.
- Signal can't and won't save peoples' asses and the sooner we realize that "complex problems are hard to fix" the less we waste Resources on #HoneyPots that stench like #CrytpoAG & #ANØM!
Your threat model is totally incoherent here and you talk like a cheap LLM
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
-
Your threat model is totally incoherent here and you talk like a cheap LLM
@lackthereof no it's not (because things are in fact intertwined) and I expect you to apologize for that!
- Go outside, #TouchGrass and in a week you can come back…
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp maybe write:
"If you are currently installing signal, use this code. If some chat website or phonecall asks for it, it is an attack trying to steal your account." -
@unaegeli @signalapp One is an in-app prompt. The other is a message, text or email. They don't look anything alike.
@distrowatch @unaegeli @signalapp
It's a prompt on the phone.
They "are the same".
People don't make the difference. -
@distrowatch @unaegeli @signalapp
It's a prompt on the phone.
They "are the same".
People don't make the difference.@gunstick @unaegeli @signalapp Messages that come in are not a prompt and don't look or act like any popup or prompt.
