A response to recent reporting in Germany, in service of clarity and accountability:
-
@ahltorp @davep @jtb @signalapp People have been trying to scam me since the 90s and I've always seen through it or taken a moment to check. Even so, I got had a couple of months ago by a very obvious piece of social engineering. All it takes is being tired, or stressed, or distracted, or all three, and you just go into automatic when asked to do something. I had to change all my passwords, update all my 2FA, change email addresses used for logins, etc.
It can happen to anyone.
Edit: typo
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
-
@nuk3 @signalapp I wonder what issue they have with Matrix?! They could just spin up their own sever.
-
@ax11 @Chantology @signalapp
I think they have the opportunity, but it won't be noticed by such a large audience.@olliausstuhr @ax11 @signalapp @Chantology Being "used" to technology doesn't always help. Here are two examples of people who should know their stuff getting scammed:
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
Troy Hunt (www.troyhunt.com)
If you think you can't be scammed, think again.
-
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
@jtb @ahltorp @davep @signalapp And they are saying that because people do. Because it's easy for a con artist to convince some people who may just be vulnerable at that moment to give it to them.
-
@rogue_cells @signalapp For what it's worth, European intelligence agencies already blamed Russia for this current phishing attack
@skaphle @signalapp oh wow
-
@jtb @ahltorp @davep @signalapp And they are saying that because people do. Because it's easy for a con artist to convince some people who may just be vulnerable at that moment to give it to them.
@stagerabbit @ahltorp @davep @signalapp ok i withdraw my remark as I didn't see the dialog. If it said "verify pin" someone might have done that without thinking
-
@stagerabbit @ahltorp @davep @signalapp ok i withdraw my remark as I didn't see the dialog. If it said "verify pin" someone might have done that without thinking
@jtb @stagerabbit @ahltorp @signalapp
Fair enough. Social engineers and phishing scams are by definition very good at this.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp
Dear Signal,
just want to let you know. Those who use Signal, at least those who are not ...naive (not to say stupid/digitalincompetent) are well aware that at least the whole media coverage was rather a campaign against Signal (as a save/independent Messenger).
Here in Germany the government seem to have a certain ...procedure when it comes to digital infrastructure. And yes, it is based on digital incompetence and always following certain lobbyinterests.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp Very well handled! Much appreciated.
-
@signalapp could you hinder people to pose as Signal support?
@energisch_ @signalapp with e2ee?
-
@olliausstuhr @ax11 @signalapp @Chantology Being "used" to technology doesn't always help. Here are two examples of people who should know their stuff getting scammed:
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
Troy Hunt (www.troyhunt.com)
If you think you can't be scammed, think again.
@skaphle @olliausstuhr @signalapp @Chantology
Nice strawman, but I did not claim any immunity against scams. I explicitely said, I just don't had the influence to frame it as a hack, if it happened. -
@ax11 @Chantology @signalapp
I think they have the opportunity, but it won't be noticed by such a large audience.@olliausstuhr @signalapp @Chantology
That's pretty much the same. You can't publically frame something if noone hears you. -
@expertenkommision_cyberunfall @signalapp To the first question: signal does not have access to your profile name or profile picture.
@skaphle
The server doesn't but the app does. Is there any reason to not want to make the app hide messages from accounts with such names?
@expertenkommision_cyberunfall @signalapp -
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb
*Anyone* can be tricked. If your'e caught at a bad time, distracted, stressed, you *will* fall for it.
@davep @signalapp -
@signalapp I wonder what the motivation behind this attack is. There's no money to be made from stealing Signal accounts, except maybe by extortion.
@jackemled @signalapp Gaining access to classified information from highest government officials, and being able to pose as these officials when contacting their colleagues, feels like something worth your time if you're interested in that sort of information.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp we are talking about german politicians here, being daft is a job requirement
-
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
@jtb @stagerabbit @ahltorp @davep @signalapp Banks and others regularly call me up and ask me to identify myself to them, ie give the unknown caller my credentials. And cannot see the problem in training their customers to comply.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp Well well. We speak of the president of the german parliament. No one would ever suspect her to be seriously daft.
-
@jtb Watch what you call the President of the German Parliament! /s
@guenther @jtb @davep @signalapp she is, actually, and has long been known to be
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp I am trying to work out why Registration Lock is not on by default. In particular, why would you be able to set a PIN and not set Registration Lock? I can imagine a use case where someone didn't want a PIN at all, though that shouldn't be the default in a secure messaging app. But why PIN and no lock?
