We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.
Thank you for pointing this out
@signalapp@mastodon.world THERE IS *NO LEGITIMATE REASON* FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. *"#KYC"*)… - so yes I [do blame Signal](https://infosec.space/@kkarhan/116200585213177913) because this attack vector is unique to #Signal's shittyness and would not exist with @monocles@monocles.social / #monoclesChat or even [`cock.li`](https://cock.li) of all places…
@kkarhan
This has always struck me as the strangest complaint about Signal.
You don't need to distribute your phone number to actually communicate with other signal users.
Presumably you want some form of 2fa, because losing your account would be bad.
And you don't want to be tied to some cloud based email provider.
And it's literally a phone app so every single user has the dependency.
@lackthereof it's not a "strange complaint", but a massive problem, because it creates dependency on a proven insecure network that is more often than not controlled if not run by hostile actors…
@signalapp mandating #PhoneNumners is a huge red flag because at best any #PhoneNumber is pseudonymous like a #Shitcoin-Wallet and that any #privacy is broken the moment it has any (even remotely circumstantial) connection to someone.
Not to mention #Signal's #App is a huge shitshow…
@kkarhan@infosec.space This has always struck me as the strangest complaint about Signal. You don't need to distribute your phone number to actually communicate with other signal users. Presumably you want some form of 2fa, because losing your account would be bad. And you don't want to be tied to some cloud based email provider. And it's literally a phone app so every single user has the dependency.
@kkarhan
Email is, in practice, a privacy shit show equal to or greater than phone numbers. Either you self-host, which means you have an isp and a DNS provider at minimum who can reveal your identity on their whims, even if you lie on a whois record. Or you use one of the mega free providers with all their conflicts of interest and data mining. Or you use a paid provider which opens up all the payment chain to trace back to you on top of everything else
To get a phone number I can walk to the corner convenience store and, with cash payment and no ID, purchase a prepaid SIM card. I can pay cash to refill it every month.
@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.
Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.
Jur
Signal
ExcelAnalytics
Jakob Nitschke
Kevin Karhan 
The Lack Thereof 
cock.li which natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down.Or to put it simple:
So either way a phone number is just a horrible means of doing that.
OnionService which can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.I mean, it's not as if I didn't gave @signalapp a fair chance.
So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…
THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.
@kkarhan@infosec.space Email is, in practice, a privacy shit show equal to or greater than phone numbers. Either you self-host, which means you have an isp and a DNS provider at minimum who can reveal your identity on their whims, even if you lie on a whois record. Or you use one of the mega free providers with all their conflicts of interest and data mining. Or you use a paid provider which opens up all the payment chain to trace back to you on top of everything else To get a phone number I can walk to the corner convenience store and, with cash payment and no ID, purchase a prepaid SIM card. I can pay cash to refill it every month.
Your threat model is totally incoherent here and you talk like a cheap LLM
@lackthereof no it's not (because things are in fact intertwined) and I expect you to apologize for that!
@signalapp as careful as this message is, I think it could be improved. If someone goes to a web page and get phished by being asked to type it into the page, the message will not dter them because it's not someone "asking for the code".
I think the message should say something about where it's intended to be used.
@signalapp@mastodon.world THERE IS *NO LEGITIMATE REASON* FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. *"#KYC"*)… - so yes I [do blame Signal](https://infosec.space/@kkarhan/116200585213177913) because this attack vector is unique to #Signal's shittyness and would not exist with @monocles@monocles.social / #monoclesChat or even [`cock.li`](https://cock.li) of all places…
😂
"in a stunning development today, a random mastodon user showed they were able to take over Signal's Signal account. details of the hack remain unclear"
@benroyce @FQQD I know the details:
@signalapp are criminally incompetent like #EncroChat at best if not a #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield...
@signalapp@mastodon.world THERE IS *NO LEGITIMATE REASON* FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. *"#KYC"*)… - so yes I [do blame Signal](https://infosec.space/@kkarhan/116200585213177913) because this attack vector is unique to #Signal's shittyness and would not exist with @monocles@monocles.social / #monoclesChat or even [`cock.li`](https://cock.li) of all places…
@signalapp@mastodon.world THERE IS *NO LEGITIMATE REASON* FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. *"#KYC"*)… - so yes I [do blame Signal](https://infosec.space/@kkarhan/116200585213177913) because this attack vector is unique to #Signal's shittyness and would not exist with @monocles@monocles.social / #monoclesChat or even [`cock.li`](https://cock.li) of all places…
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp My guess: the reminder is a pop-up dialog. It's not a signal message, email, or text.
I, too, would like to hear Signal's answer to this question.
@unaegeli @signalapp I was just thinking of this.
It sounds like Signal is fairly unique in this setup. We're constantly being bombarded with verification requests, and it can be easy to forget one app works differently.
@solitha
I mean it's hard for some non technical users to make them understand what is the "trusted context" and what is not I suppose?
I mean we had that with mail for years, people should know to check the senders mail, yet still Phishing attacks are often successful.
@unaegeli @signalapp
@PupWrafie Even a legitimate sender's email is not enough. Wasn't all that long ago that someone managed to send out emails *from* company addresses via a third-party vulnerability.
Scammers will always find a way. It's up to the company to take all reasonable steps to alert customers.
@unaegeli
-That's a different code
-It's very clearly a popup, and not in a chat
-To abuse it, one would already need access to the account, i.e. through having completed the other attack
I feel like that reminder is distinct enough as it is
@signalapp
I see the difference now, thanks.
You should add the ability to sign up with email. I'm not sure that Russian users can log in with a code from SMS.
OK. What about WhatsApp or Telegram?
@izby @signalapp I don't really care what happens to them since I rarely use them. It would be better for everyone if the 3B people on WhatsApp and billion on Telegram also used Signal, but that's not currently the case.
WhatsApp has been Zucked since 2016. Constantly screaming about how private and secure it is while not being open-source means it's probably not secure or private, and even more so when it's a Facebook product.
Everything you do on Telegram is stored in plaintext by default on Telegram's servers, it has a long history of sketchy security, was created by a Russian billionaire, and has been banned, unbanned, and could be banned again in Russia. There was a report in October last year that Telegram is very likely an FSB Honeypot: https://rys.io/en/179.html#:~:text=The%20assumption%20seems%20to%20have%20always%20been,this%20is%20much%20less%20of%20a%20consideration.
I have WhatsApp and Telegram, but I don't do much on either but lurk in sports channels.
This is why I stick to Signal for all my communication. They don't have data to hand over because they don't collect it: https://signal.org/bigbrother/
What are you talking about and which of my arguments are you trying to argue with?
My position: registration by phone number is too dangerous and is not available in some regions where Signal is really needed.
Your position: registration by phone number saves you from tons of spam.
So I asked the question: did registering by phone number save you from spam on WhatsApp and TG?
What matters is how my counterargument influences your counterargument. That's how discussion works.
@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…
Sherri W (SyntaxSeed)
DLink
Kaito
Mieszko Ślusarczyk
Elias Mårtenson
FQQD :3 
Ben Royce 🇺🇦 🇸🇩
zrb
Urs Naegeli 🇨🇭🇺🇦
Joel VanderWerf
Solitha
PupWrafie
DistroWatch
gunstick
kainisenni
Dec [{(
)}]
El Duvelle
Sam Izby
👊🇺🇸🔥cock.li of all places…@signalapp@mastodon.world those attacks.would've not.been successful if you weren't a #proprietary, #centralized, #SingleVendor / #SingleProvider *"solution"* that doesn't do #SelfCustoy of all the.keys nor allows for #SelfHosting nor demands #PII like #PhoneNumbers that can be leveraged for that. - You know what I need to use @monocles@monocles.social / #monoclesChat or @gajim@fosstodon.org / #XMPP+#OMEMO? - Internet connection and an account on any server. Can't #phish if one doesn't have credentials for #phishing attacks ffs! - Can't get #phished if noone demands, stores, process or even demands such details in the first place! Also which #Government is that incompetent to not be able to setup their own comms?
@kkarhan since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
@gettie @kkarhan there's an obvious problem worldwide for using a telephone number as an identifier for any comms the national govt might not approve of.
Telephone numbers are *not* property owned by the enduser or even the telephone company - they are considered public resources administered by the Communications Ministry of each nation, which does make sense as there's a limited amount of them for each country!
So the govt will *always* feel entitled to investigate what they are used for, the same way there are speed limits, road signs and CCTV on the public street and often more restrictions on what you can do in public places as opposed to a private gathering...
@vfrmedia @gettie Point is that #Telco regulations stems from #Telegraphy and #Postal operations, and whilst there are legitimate reasons for #regulators to disconnect phone lines (otherwise #robocalling and #SMS-#Spam would be even more rampant than #eMail-#Spamming!)
That's why any "#secure communications" treats it as a hostile network and not to be trusted!
UK still sells prepaid SIMs but all providers either nudge you to have them delivered to a physical address and only allow cashless topups, or if you buy them from the shop it has CCTV (authorities have used this to catch those using PAYG SIMs for drug dealing lines and/or gang activity)
I'm slightly surprised I haven't been pulled over as I've been driving around with as many as 6-7 active mobile devices in my car (driving solo in a relatively small hatchback), but I suspect authorities already know from ANPR and my movements (plus the nature of these SIMS and devices) they are for frontline health and social care workers and not anything sinister..
@vfrmedia @gettie In fact, many places will literally note that down in their #LawfulInterception system (i.e. in Germany).
Tho for most stochastic surveillance the number of SIMs and devices isn't that high that you'd cause suspicion, given a lot of #IoT garbage has at least a #4G or #5G - modem in it to send telemetry and that 7 devices can also be assumed 1 fro the #eCall of the car and 3 people with 1 #DualSIM phone or a regular phone + laptop with WWAN modem each.
my car is just a few months before ecall was implemented (and it doesn't even work on some cars as 3G got ceased here), and some of the more modern cameras around these days would show I'm obviously driving solo and often at unusual hours of the night.
Although any tracking would also show I take the same route every day between either my home and workplace, or sometimes the coastal town where some of our staff are.
There is /some/ monitoring of social care workers as during Covid there were a few drugdealers pretending to be them (even getting uniforms etc), as well as healthcare workers themselves going rogue (I've noticed our staff are getting more attention from the Police recently, checking their cars are 100% legal)
@vfrmedia I mean in any juristictions it's legal for police to randomly pull over cars, check license & registration and ask for mandatory safety equient like Warning Triangle, First Aid Kit and Retroflective Vest to be presented.
@kkarhan here they tend to use ANPR hits and sometimes "public concerns" (there's a lot of nosey white folk reporting all the social carers for perceived bad driving simply because the carers are Black and brown)
UK just needs valid inspection record, tax and insurance (which cops can often check via mobile data terminals without going near the car), we aren't required to have the triangle, first aid kit and hi vis (although I carry these things anyway simply as it makes sense to have them)
@Avitus @leoschuldiner23 @gettie then you have enough money to top them all up and potentially pay bribes to get them anonymously.
Try that in Russia, Cuba, Iran or the "P.R." China, and tell me with a straight face that's feasible for #TechIlliterate #WageWorkers there!
@Avitus @gettie That is not a valid solution as they still demand a #PhoneNumber which in more and more juristictions you cannot obtain legally without self-doxxing to the providers if not government!
Here an actually precise image ALT text would be crucial.
xenia 
Alex@rtnVFRmedia Suffolk UK
Leo Schuldiner🤘🏼
always tired
Richard Bairwell