A response to recent reporting in Germany, in service of clarity and accountability:
-
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@stagerabbit @EarthOrgUK @jtb @ahltorp @signalapp
That is awful practice. -
@stagerabbit @EarthOrgUK @jtb @ahltorp @signalapp
That is awful practice.@davep @EarthOrgUK @jtb @ahltorp @signalapp We're talking about the sector that holds our life savings and limits passwords to 8-12 alpha numeric characters and until recently no form of 2FA. Not sure why this surprises you. (If this isn't the case elsewhere, it's still the case in Japan, where I live. Not super impressed by my Canadian banks either, tbh.)
-
@davep @EarthOrgUK @jtb @ahltorp @signalapp We're talking about the sector that holds our life savings and limits passwords to 8-12 alpha numeric characters and until recently no form of 2FA. Not sure why this surprises you. (If this isn't the case elsewhere, it's still the case in Japan, where I live. Not super impressed by my Canadian banks either, tbh.)
@stagerabbit @EarthOrgUK @jtb @ahltorp @signalapp
At least I had to physically go to my local post office to activate my digital identity here in France. -
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
Is there any OFFICIAL statement in GERMAN?
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp
If you want to do everything you can to help people avoid and detect Signal Support scams, then please stop disguising your Signal communication and advertisment among my Signal Chats, like in my screenshot I attach here.
-
@skaphle @olliausstuhr @signalapp @Chantology
Nice strawman, but I did not claim any immunity against scams. I explicitely said, I just don't had the influence to frame it as a hack, if it happened.@ax11 @signalapp My comment was more directed towards @Chantology and @olliausstuhr who joked about the technical incompetence of the government, somewhat smugly, or so I read it.
-
Is there any OFFICIAL statement in GERMAN?
@L⌐ "SpätzleGrab
",8,1 WHY SHOULD THERE BE?
-
@L⌐ "SpätzleGrab",8,1 WHY SHOULD THERE BE?
Weil es genügend Leute gibt, die nicht (so gut) englisch sprechen/lesen und man denen mit einer deutschen, offiziellen Mitteilung die Sachlage eher nahebringen kann.
-
@skaphle
The server doesn't but the app does. Is there any reason to not want to make the app hide messages from accounts with such names?
@expertenkommision_cyberunfall @signalapp@tnhd @expertenkommision_cyberunfall @signalapp "such names" is quite complicated. Is it a list? A regular expression pattern? Machine-learning? I have a whack-a-mole image in my mind when I think about it. It's a bit like spam filters in general. And in the end the scammers can just try different profile names and pictures until the filter lets it pass and it still has a reasonable air of legitimity. I'm quite skeptical that it's worth the effort.
-
@davep @EarthOrgUK @jtb @ahltorp @signalapp We're talking about the sector that holds our life savings and limits passwords to 8-12 alpha numeric characters and until recently no form of 2FA. Not sure why this surprises you. (If this isn't the case elsewhere, it's still the case in Japan, where I live. Not super impressed by my Canadian banks either, tbh.)
@stagerabbit @davep I think most of the banks in Sweden are at least ok in this regard. I’ve had online banking for 30 years (pre internet), and it has always been two-factor. In the beginning only pin and single-use codes, but very quickly it became smartcard-based challenge-response with pin unlock of the smartcard, so theoretically very secure.
I’ve only done hanko based banking in Japan, so I’ve never seen online banking in Japan, but that seems horrible.
-
@stagerabbit @davep I think most of the banks in Sweden are at least ok in this regard. I’ve had online banking for 30 years (pre internet), and it has always been two-factor. In the beginning only pin and single-use codes, but very quickly it became smartcard-based challenge-response with pin unlock of the smartcard, so theoretically very secure.
I’ve only done hanko based banking in Japan, so I’ve never seen online banking in Japan, but that seems horrible.
-
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
@gsc You are privileged to have choices to switch to. I feel like I've already chosen the least bad options in my situation. I don't know where you live, but in many countries most banks have terrible security practices. @EarthOrgUK @jtb @ahltorp @davep @signalapp
-
@yetzt rather automatically Block any accountname with Signal & Support in it?
@signalappI *think* Signal's privacy guarantee implies Signal LLC not knowing users' display names, so they'd have no way of filtering them.
-
@tnhd @expertenkommision_cyberunfall @signalapp "such names" is quite complicated. Is it a list? A regular expression pattern? Machine-learning? I have a whack-a-mole image in my mind when I think about it. It's a bit like spam filters in general. And in the end the scammers can just try different profile names and pictures until the filter lets it pass and it still has a reasonable air of legitimity. I'm quite skeptical that it's worth the effort.
@skaphle
'Reasonable air of legitimity' is still going to be worse than 'Signal Support' and that would mean less people would be susceptible to these phishing attacks. I imagine it doesn't have to work perfectly to have less people be susceptible.
@expertenkommision_cyberunfall @signalapp -
First question that pops up:
Why the hell is anyone allowed to pose as something similar as „Signal support“?Second: How is such an organisation allowed to use a system
Like Signal? How does Signal apply to the legal needs of such Orgs? It seems that there are some serious issues here because the told features of Signal stand in contrast to legal needs (audits?), but Im no expert in this topic.@expertenkommision_cyberunfall @signalapp
You can make stuff auditable by having the conversations in a group chat that includes an "audit department" account. I think the US govt even has a forked version of the Signal client app that does something like this automatically.
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp If i go to a store and get repeatedly scammed, i don't go there again. If a bank does not handle security in a proper way, I'd leave that bank(I've done that in the past). I don't get how you can stick to your bank, if you believe their security is weak. It's their core competence after all...
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp I have left one* of the banks in question and filed complaints every single day it took to leave with all my savings. I didn't have the spoons at the time to take it up with the regulators (financial and data), but I have been director/CTO of a regulated fintech, so I am fairly confident that I could get my complaint heard if I could devote 6 months of my time...
*It's complicated.
-
@gsc You are privileged to have choices to switch to. I feel like I've already chosen the least bad options in my situation. I don't know where you live, but in many countries most banks have terrible security practices. @EarthOrgUK @jtb @ahltorp @davep @signalapp
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp let me put it this way: if i don't trust them to handle passwords properly, i would not go there and hand them all my money, alternatives or not...
-
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp I have left one* of the banks in question and filed complaints every single day it took to leave with all my savings. I didn't have the spoons at the time to take it up with the regulators (financial and data), but I have been director/CTO of a regulated fintech, so I am fairly confident that I could get my complaint heard if I could devote 6 months of my time...
*It's complicated.
@EarthOrgUK @stagerabbit @jtb @ahltorp @davep @signalapp well, that is the next (and correct) step. But i see people give up much earlier, like others wronging them, and then there are no consequences at all. Did it suck to have to switch the bank? Of course. Did i complain in written form? Multiple times. Did i loose a lot of time, which would be unnecessary, if they had done their job well? Yes, totally. But i don't regret, and more so, bad shit also happens because we let them. I'm not here to blame anyone who decides to do it differently, but stepping up is always uncomfortable, yet is worth it most of the times.
-
@stagerabbit @EarthOrgUK @jtb @ahltorp @davep @signalapp let me put it this way: if i don't trust them to handle passwords properly, i would not go there and hand them all my money, alternatives or not...
@gsc Really? You'd go without a bank? I don't think you've considered the implications of not being banked In a society that expects you to be banked.
This is really "well, if he'd said that to *my* mother, I would have punched him out" territory.
@EarthOrgUK @jtb @ahltorp @davep @signalapp
