A response to recent reporting in Germany, in service of clarity and accountability:
-
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
-
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. 2/
@signalapp you can't secure stupid.
-
@davep @jtb @signalapp Also, everyone who thinks they can't be fooled by social engineering is very susceptible to social engineering. Which is why it is very important for a cryptographic system to try to guard against these types of attack as much as they can.
@ahltorp @jtb @signalapp Indeed
-
@signalapp German politicians are not that much used to technology ^^
@Chantology @signalapp immer no Neuland
-
@signalapp das Internet ist für uns alle Neuland…
Sorry, Signal, no offense, but especially when it comes to politicians, one would think they’d use their own nationwide messaging app that has nothing to do with the general user base. Back in the day, they even had their own dedicated work devices.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp Thanks for the transparency folks!
-
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat.
@sodiboo @farshidhakimy @signalapp That is what it looks like! Thank you, both! I guess I need to remember my pin.
-
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us. 2/
@signalapp "Sophisticated"...
This is just catastrophic negligence from our arrogant, conservative German government. It really isn't that hard to phish them... Let's hope someone like the FSB won't try. Otherwise, we're so fucking cooked.Thank you @signalapp for making sure that phishing even those people with tech-support fakes will be harder in the future.
-
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp Another "we're clean on opsec" moment, after which the "high-quality media" just assumes it's Signals fault.
Luckily, our German govt. hasn't reached the orange fascist-clown level of stupid yet... but who knows who the people are gonna vote for in the next elections... 🫠
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp The one you see on the bottom of the home screen as a dialogue in the app itself is genuine & it's all processed locally. It's just to help you remember your PIN by repetition so you're less at risk of losing your account by forgetting your PIN. If you received a message asking that (not a dialogue on the app's home screen), it's fake.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp I wonder what the motivation behind this attack is. There's no money to be made from stealing Signal accounts, except maybe by extortion.
-
@MFennVT @signalapp The one you see on the bottom of the home screen as a dialogue in the app itself is genuine & it's all processed locally. It's just to help you remember your PIN by repetition so you're less at risk of losing your account by forgetting your PIN. If you received a message asking that (not a dialogue on the app's home screen), it's fake.
@jackemled Thank you! @signalapp
-
@MFennVT@mastodon.world @signalapp@mastodon.world The Signal app does have a legitimate prompt with wording like this. But it shows up at the bottom of your screen in the main interface. See the attached screenshot.
If you received such a message as a Signal message, then it is indeed bogus and you should block the contact that sent it. Signal Support will never ask you for your PIN. It should only be entered if the app itself prompts you directly, never in a chat.@sodiboo @MFennVT @signalapp This is a very fine distinction for many users. I understand why Signal has the question, and I also understand that it is difficult for Signal to present it in a way that makes the distinction obvious to all users. But even though it is a difficult problem, it is still a very important one to solve.
-
@olliausstuhr @signalapp @Chantology
"most people" do not have the power to frame what was technically their own fault as a "hack". They also can't call for "consequences" via the media. -
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks. 3/
@signalapp if you start asking for email, you know you will get A LOT of deltachat fans to make jokes about it, right?
(not saying that email is a solution for this, but whatsapp started asking for an email for "security reasons", so delta fans mocked them)
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp Signal, we love you and always suspect reporters confuse users lack of security with service and app security. I push Signal whenever I can.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
"blame the victim" mentality is a big help (/s)
scammers thank you for redirecting blame
-
@signalapp you can't secure stupid.
yes but you can work hard to make things as secure as possible, and communicate clearly and broadly, which is what signal is doing
because we're all stupid, in some way or another, and we get conned when we believe we're not stupid
the greatest aid to security is humility
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp not the app sw needs only to be made safe for normal people. We need another app for politiicians in special. Because they are not used to the thought they are controlled. Instead they believe they only controll other people.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp
Not necessarily daft. A little ignorance is enough to get someone in trouble with social engineering.
