We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.

To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns designed to trick users into sharing information – SMS verification codes and/or Signal PINs – in order to gain access to users’ accounts. An SMS verification code lets whoever holds it register your phone number on a device they control; if Registration Lock is enabled, the Signal PIN is also required, which is why attackers ask for both.

These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their verification code, PIN, or other account information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you yourself are registering the Signal app on your phone; no other person or service ever needs it.

To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.

We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.

@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…

Kevin Karhan (@[email protected])

@[email protected] those attacks wouldn't have been successful if you weren't a #proprietary, #centralized, #SingleVendor / #SingleProvider *"solution"* that doesn't do #SelfCustody of all the keys, nor allows for #SelfHosting, and demands #PII like #PhoneNumbers that can be leveraged for that. - You know what I need to use @[email protected] / #monoclesChat or @[email protected] / #XMPP+#OMEMO? - An Internet connection and an account on any server. Can't #phish if one doesn't have credentials for #phishing attacks ffs! - Can't get #phished if no one demands, stores, processes or even demands such details in the first place! Also, which #Government is that incompetent to not be able to set up their own comms?


@kkarhan Since I started hosting services for people, I have come to the conclusion that the only thing you will need is an email address, and only when there is no other option to reach out to the user.

Let’s make it clear to everyone: phone numbers should only be shared with people you trust and nobody else.

@gettie @kkarhan Totally agree. Your phone number is like your ID number nowadays.

@leoschuldiner23 @gettie @kkarhan It depends. I have 5 phone numbers, all used for different purposes.

@Avitus @leoschuldiner23 @gettie then you have enough money to top them all up and potentially pay bribes to get them anonymously.

  • Which in and of itself is very much a privileged position.

Try that in Russia, Cuba, Iran or the "P.R." China, and tell me with a straight face that's feasible for #TechIlliterate #WageWorkers there!