Signal, the popular encrypted messaging app, reports that the phone numbers and SMS verification codes of 1,900 users could be in the hands of hackers after Twilio, the company that provides verification services to the platform, was the target of a security breach in early August.
While Signal confirms that message history, profile information, and contact information are protected, the hack is another example of why SMS verification is not a good idea.
Context of the Twilio and Signal hack
The security breach at Twilio occurred on August 4, when some of the company's employees fell victim to a phishing attack and were deceived into providing the attackers with their data and access codes.
The company's statement explained that the hackers used the employee accounts to access various internal systems and steal data from some of its customers. Among them is Signal, for which Twilio provides SMS verification services.
The attackers, as the messaging platform itself confirmed, allegedly obtained the phone numbers, and the codes associated with them, of nearly 2,000 of its users. Signal calls this "a very small percentage", but it has a very significant drawback, as it allows access to other users' accounts.
“For approximately 1,900 customers, an attacker could have attempted to re-register their number on another device or learned that their number had been registered with Signal,” Signal said in a statement.
Access to an account would allow hackers to send and receive messages. They do not, however, have access to previous chats, profile information or contact information. All of this is protected by a PIN that must be entered manually by the account holder and that Twilio does not hold.
Signal attack proves that SMS verification is dangerous
SMS verification is a simple way to verify a user, who does not need to remember a password to access their account. Platforms like Lime, Signal or WhatsApp use it.
It is also used as an additional protection on platforms that support two-step verification. In this case, the user, in addition to defining a username and password, must enter a unique PIN code sent by SMS, which also expires after use.
However, sending these codes via SMS is not the ideal approach, since they are relatively easy to access, especially if SMS is the primary verification method (i.e. not used as a secondary method in a two-step verification system).
In the case of Signal, attackers were able to steal phone numbers and the associated codes through a phishing attack against the company that provides the code delivery service for the messaging platform.
But gaining access to internal platforms by stealing employee credentials is not the only way to steal verification codes.
How to recognize these SMS scammers and what to do
Some hackers convince the victim to unwittingly forward calls to another phone number (the attackers') so that they can access the victim's WhatsApp, Telegram or Signal account.
They then register the account on a new device and, after the verification code has been sent via SMS, request the code by phone call.
A similar thing happens with two-factor authentication (2FA). Some of these codes are also sent by SMS and can be obtained in a similar way. It is therefore best to use platforms that generate these random keys themselves, such as Authy, iCloud or Google Authenticator.
However, WhatsApp and Signal, as well as many other platforms that continue to send codes via SMS, have recently added further access measures.
Among them is a personal code: in addition to entering the code received via SMS, users must also enter this access code to complete registration and use the app.