Signal and Twilio: How to Avoid a Hack with Two-Step SMS Verification

SMS hacking. (photo: Masterhacks Blog)

Signal, the popular encrypted messaging app, reported that the phone numbers and SMS verification codes of 1,900 users could be in the hands of attackers after Twilio, the company that provides SMS verification services for the platform, was the target of a security breach in early August.

While Signal confirms that message history, profile information and contact details are safe, the hack is just another example of why SMS verification is not a good idea.

Context of the Twilio and Signal hack

The security breach at Twilio occurred on August 4, when some of the company's employees fell victim to phishing attacks and, deceived, handed the attackers their credentials and access codes.

In a statement, the company explained that the attackers used the employee accounts to access various internal systems and steal data belonging to some of its customers. Among them is Signal, to which Twilio provides SMS verification services.

Hacker. (photo: REUTERS/Dado Ruvic)

According to the messaging platform itself, the attackers allegedly obtained the phone numbers, and the verification codes associated with them, of almost 2,000 of its users. Signal calls this "a very small percentage", but it carries a very significant risk, since it could allow access to those users' accounts.

“For some 1,900 users, an attacker could have tried to re-register their number on another device or learned that their number was registered with Signal,” Signal’s statement read.

Access to a Signal account could allow an attacker to send and receive messages. It does not, however, give access to previous chats, profile information or contact lists. All of this is protected by a PIN that must be entered manually by the account owner and is never held by Twilio.

SMS on Android. (photo: The Spanish)
</gra_replace>
<gr_replace lines="31" cat="clarify" orig="SMS verification is a simple">
SMS verification is a simple way to verify a user, who does not need to remember a password to access their account. Platforms like Lime, Signal and WhatsApp use it.

Signal Attack Proves SMS Verification Is Dangerous

SMS verification is a simple method to verify a user, who does not need to remember a password to access his account. Platforms like Lime, Signal or WhatsApp They use it.

It is also used as additional protection on platforms that support two-step verification. In these cases the user, in addition to entering their username and password, must enter a one-time code sent by SMS, which expires after use.

However, SMS is not the ideal channel for these codes, since they are relatively easy for a third party to obtain. This matters most when SMS is the primary verification method rather than a secondary factor in a two-step verification system.

In the case of Signal, the attackers were able to obtain phone numbers and their associated codes through a phishing attack against the company that delivers the codes for the messaging platform.

But accessing internal platforms with stolen employee credentials is not the only way verification codes get stolen.

Two-step verification by SMS. (photo: Gramanet)

How to identify these SMS scams and what to do

Some attackers trick victims into unknowingly forwarding their calls to another phone number (the attackers') so that they can take over the victim's WhatsApp, Telegram or Signal account.

They then register the account on a new device and, once the verification code has been sent via SMS, request to receive the code by phone call instead.

Google Authenticator for iOS. (photo: Google)

Something similar happens with two-step verification (2FA) codes. Some of them are also sent by SMS and can be obtained in the same way. It is therefore best to use apps that generate these codes themselves, such as Authy, iCloud or Google Authenticator.

However, WhatsApp and Signal, like many other platforms that continue to send codes via SMS, have recently added additional access protections.

Among them is a personal access code (PIN): in addition to entering the code received via SMS, the user must also enter this PIN to complete registration and use the app.
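To show how a registration PIN of the kind described above stops someone who holds only the SMS code, here is an added Python model written for this article; it is not Signal's or Twilio's code, and the RegistrationService class, its return strings and the PIN hashing parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

class RegistrationService:
    """Constructed model of phone-number registration guarded by a
    registration-lock PIN. Hypothetical code, not Signal's implementation."""
    CODE_TTL = 300          # seconds an SMS code stays valid
    MAX_PIN_ATTEMPTS = 5    # failed PIN guesses before the number is locked

    def __init__(self):
        self._pending = {}   # phone -> (sms_code, expiry)
        self._pins = {}      # phone -> (salt, pbkdf2 hash); never sent to the SMS provider
        self._attempts = {}  # phone -> failed PIN attempts

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, phone, pin):
        salt = os.urandom(16)
        self._pins[phone] = (salt, self._hash_pin(pin, salt))

    def send_sms_code(self, phone, now=None):
        # The returned code is all the SMS provider ever handles: a breach there leaks the code, not the PIN.
        code = f"{secrets.randbelow(10**6):06d}"
        now = now if now is not None else time.time()
        self._pending[phone] = (code, now + self.CODE_TTL)
        return code

    def register(self, phone, sms_code, pin=None, now=None):
        now = now if now is not None else time.time()
        pending = self._pending.get(phone)
        if pending is None:
            return "no_code_pending"
        if now > pending[1]:
            return "code_expired"
        if not hmac.compare_digest(pending[0], sms_code):
            return "bad_code"
        if phone in self._pins:  # registration lock enabled for this number
            if self._attempts.get(phone, 0) >= self.MAX_PIN_ATTEMPTS:
                return "locked"
            salt, stored = self._pins[phone]
            if pin is None or not hmac.compare_digest(self._hash_pin(pin, salt), stored):
                self._attempts[phone] = self._attempts.get(phone, 0) + 1
                return "pin_required"
        self._pending.pop(phone)          # the SMS code is single-use
        self._attempts.pop(phone, None)
        return "registered"
```

A number without a PIN registers on the SMS code alone, which is exactly the weakness the article describes; with a PIN set, the code alone is refused and repeated guesses lock the number.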
