Signal4d ago

We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.

To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.

Show threadSignal4d ago
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
Show threadSignal4d ago

To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.

We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.

Show threadKevin Karhan 

@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…

Kevin Karhan :verified: (@kkarhan@infosec.space)

@signalapp@mastodon.world those attacks.would've not.been successful if you weren't a #proprietary, #centralized, #SingleVendor / #SingleProvider *"solution"* that doesn't do #SelfCustoy of all the.keys nor allows for #SelfHosting nor demands #PII like #PhoneNumbers that can be leveraged for that. - You know what I need to use @monocles@monocles.social / #monoclesChat or @gajim@fosstodon.org / #XMPP+#OMEMO? - Internet connection and an account on any server. Can't #phish if one doesn't have credentials for #phishing attacks ffs! - Can't get #phished if noone demands, stores, process or even demands such details in the first place! Also which #Government is that incompetent to not be able to setup their own comms?

Infosec.Space
Mar 9 at 6:21pmWeb
Show threadxenia  4d ago

@kkarhan since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.

let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else

Show threadAlex@rtnVFRmedia Suffolk UK4d ago

@gettie @kkarhan there's an obvious problem worldwide for using a telephone number as an identifier for any comms the national govt might not approve of.

Telephone numbers are *not* property owned by the enduser or even the telephone company - they are considered public resources administered by the Communications Ministry of each nation, which does make sense as there's a limited amount of them for each country!

So the govt will *always* feel entitled to investigate what they are used for, the same way there are speed limits, road signs and CCTV on the public street and often more restrictions on what you can do in public places as opposed to a private gathering...

Show threadKevin Karhan 4d ago

@vfrmedia @gettie Point is that #Telco regulations stems from #Telegraphy and #Postal operations, and whilst there are legitimate reasons for #regulators to disconnect phone lines (otherwise #robocalling and #SMS-#Spam would be even more rampant than #eMail-#Spamming!)

  • Which OFC also intertwines with "#LawfulInterception" and the means of Governments to exercise control.
    • So anything claiming #security must inherently acknowledge the unfixable #insecurity of the #PSTN and completely cease using it and it's per-design compromised Infrastructure as a matter of principle.

That's why any "#secure communications" treats it as a hostile network and not to be trusted!

  • And that's not even scratching the surface that countries try to outlaw #anonymity - starting with #Prepaid - #SIM - Cards.
    • Because those traditionally had no reason for "#KYC" as there was no means for a customer to incur #debt or commit #fraud against the telco that provided said services, so there was [and IMHO still is] no "legitimate interest" in demanding any #ID for those, as any crime committed would be investigated with the existing #Govware inside the networks and thus found out.
Show threadAlex@rtnVFRmedia Suffolk UK4d ago

@kkarhan @gettie

UK still sells prepaid SIMs but all providers either nudge you to have them delivered to a physical address and only allow cashless topups, or if you buy them from the shop it has CCTV (authorities have used this to catch those using PAYG SIMs for drug dealing lines and/or gang activity)

I'm slightly surprised I haven't been pulled over as I've been driving around with as many as 6-7 active mobile devices in my car (driving solo in a relatively small hatchback), but I suspect authorities already know from ANPR and my movements (plus the nature of these SIMS and devices) they are for frontline health and social care workers and not anything sinister..

Show threadKevin Karhan 4d ago

@vfrmedia @gettie In fact, many places will literally note that down in their #LawfulInterception system (i.e. in Germany).

  • I.e. not only are providers banned from listing designated crisis helplines`(that are 0800 numbers) but if police try to query call records from someone with *"confidentiality privilegues" like lawyer, psychologist, doctor, psychatrist, notary, rehab clinic, addiction help center, etc. they get a BIG ASS RED WARNING BOX when they check for that number that said line is subject to said privilegues and that they cannot monitor it without warrant and have to file that with the request.
    • So even if they ever looked up why half a dozen devices are there, they'd quickly came to the conclusion that you are a known bona fide user and the other devices are too.

Tho for most stochastic surveillance the number of SIMs and devices isn't that high that you'd cause suspicion, given a lot of #IoT garbage has at least a #4G or #5G - modem in it to send telemetry and that 7 devices can also be assumed 1 fro the #eCall of the car and 3 people with 1 #DualSIM phone or a regular phone + laptop with WWAN modem each.

Show threadAlex@rtnVFRmedia Suffolk UK4d ago

@kkarhan

my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.

Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.

There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)

Show threadKevin Karhan 4d ago

@vfrmedia I mean in any juristictions it's legal for police to randomly pull over cars, check license & registration and ask for mandatory safety equient like Warning Triangle, First Aid Kit and Retroflective Vest to be presented.

  • And that is being used by the police to both gather intelligence as well as annoy individuals (i.e. motorists joyriding) out of an area.
    • I mean, police do it all the time whenever they feel like it, and whilst theybdon't admit to it, I'm pretty shure they check way more plates than they pull over because they prefer to skip all the uninteresting ones…
    • Cuz lets face it: It'll only waste time if they pull over some retirement-aged women who's only negative data on file - a parking ticket in the 1990s - is long expunged from records vs. someone with a decent record driving suspiciously orderly
Show threadAlex@rtnVFRmedia Suffolk UK4d ago

@kkarhan here they tend to use ANPR hits and sometimes "public concerns" (there's a lot of nosey white folk reporting all the social carers for perceived bad driving simply because the carers are Black and brown)

UK just needs valid inspection record, tax and insurance (which cops can often check via mobile data terminals without going near the car), we aren't required to have the triangle, first aid kit and hi vis (although I carry these things anyway simply as it makes sense to have them)

Show threadLeo Schuldiner🤘🏼4d ago
@gettie @kkarhan totally agree. Your phone number is like your ID number nowadays.
Show thread👊🇺🇸🔥3d ago
@leoschuldiner23 @gettie @kkarhan It depends. I have 5 phone numbers all used for different purposes.
Show threadKevin Karhan 3d ago

@Avitus @leoschuldiner23 @gettie then you have enough money to top them all up and potentially pay bribes to get them anonymously.

  • Which in and of itself is very much a privilegued position.

Try that in Russia, Cuba, Iran or the "P.R." China, and tell me with a straight face that's feasible for #TechIlliterate #WageWorkers there!

Show thread👊🇺🇸🔥3d ago
@gettie @kkarhan Or hide your phone number, and create and share a username. Signal's had usernames for a couple years: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames
Phone Number Privacy and Usernames

Here are features to make your phone number more private on Signal. As a new default, your phone number will no longer be visible to everyone in Signal. You can opt to display your phone number. H...

Signal Support
Show threadKevin Karhan 3d ago

@Avitus @gettie That is not a valid solution as they still demand a #PhoneNumber which in more and more juristictions you cannot obtain legally without self-doxxing to the providers if not government!

  • Demanding #PhoneNumbers IS the illixit activity and big red flag!