Telegram is so insecure a random convicted Brazilian felon without any qualifications whatsoever can have access to...

>telegram is so insecure a random convicted Brazilian felon without any qualifications whatsoever can have access to anyone's smartphone

who the fuck uses this Russian meme and why


uncensored channels

for chats there is wire

>no source
ay

>he can't google
ay


it's on the news all over brazil

the exploit is requesting a voice message from outside the country
if the person never used the feature, the password is the default password
you can get the voice message of every phone without confirmation
they get the telegram 2fa from the voice message and access it
the faggot in OP's pic did it for politicians

o

Daily reminder that Signal is funded by the CIA.

It has nothing to do with telegram; it's literally just a flaw where you use the default password for your voicemail. Wtf are you on about.

are you mentally ill? This has nothing to do with telegram infrastructure/code/whatever. It's a voicemail hijack which might depend on the carrier or phone OS. Furthermore, you can use an additional password to be safer than the simple code they send you. AND last but not least, the code is sent to your telegram account if you are logged in somewhere else, thus not via SMS. I do not see how this could be telegram's fault

>it's not telegram's fault that they let you use a code from a call that was never answered and was left in the extremely unsafe voicemail
I would never hire you as my security consultant, hopefully telegram is slightly smarter and fixes the flaw instead of playing a blame game.

Literally every single service that ever uses a phone for 2fa is vulnerable to this attack. I guess every single service just has shit security consultants? Perhaps people should use a non-default voicemail password? Perhaps providers should have better voicemail security systems? Off yourself you giant faggot

>Literally every single service that ever uses a phone for 2fa is vulnerable to this attack. I guess every single service just has shit security consultants?
If they use the same method then yes they are just as vulnerable.

Fixing this is as easy as deactivating the code if the call is not answered, so why are you even replying angrily if the fix doesn't even have a bad side effect?

You do realise the exact same flaw exists for getting an sms card, regardless of whether you use it. Literally anyone can spoof your sim card and intercept all texts without you noticing. So the solution for telegram or any service would be to disable all SMS and voicemail integration, and get you to use email I suppose. Even email is not without its flaws, so what is your proposed solution?

hahaha carriers use old ass technology because common sense says no one cares or bothers messing with other people's stuff

get rek'd

This attack in particular relied on the telegram call being sent to the voicemail by calling the victim just while the code is being sent, thus making them not answer the telegram call.
You are talking about something different for no reason; the solution is very simple and you simply don't know what actually happened.
The guy also apparently hacked 1000 other people using the same method so it's clearly a vulnerability that needs fixing no matter how much you think it's someone else's fault.

>So the solution for telegram or any service would be to disable all SMS and voicemail integration
There's no "voicemail integration" going on here. telegram uses a call but doesn't cancel the code if the call isn't answered and is sent to voicemail, which is the crucial vulnerability in the fraud and wouldn't be possible if they simply deactivated the code.

>So the solution for telegram or any service would be to disable all SMS and voicemail integration
yeah that would be a great solution; these things have no purpose and are only attack vectors

>just deactivate an intended feature because people are too stupid to change their voicemail passwords
Bruh, this is why you'll never be hired.

Did you even read the post at all or are you really this slow?
It's not deactivating any feature; you simply make it so that the code is invalid if the call is not answered. It's the simplest solution, even a pajeet could understand it, and if your "security" feature is easily bypassed by a monkey then it's not secure, end of story.
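The fix argued for in this post (a voice-delivered code is void unless the call was actually answered), as an added example that is not Telegram's code. It goes one step further than the post, because a voicemail box also "answers" the call from the carrier's point of view: the digits are only read out after the callee presses a key on a live call, so an unanswered call or a voicemail pickup never carries a usable code. Phone numbers, event names and the telephony callbacks are assumptions.

```python
import secrets
import time

# Added example, not Telegram's code. Models the thread's fix: a code delivered
# by voice call is worthless unless a person takes the call. Because a voicemail
# box also picks up, the code is only spoken after a DTMF keypress, so nothing
# usable is ever left in voicemail. Event names are constructed for this example.

CODE_TTL = 120          # seconds a spoken code stays valid
_VOID_EVENTS = {"no_answer", "busy", "voicemail", "hangup", "failed"}


class VoiceCodeIssuer:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so tests are deterministic
        self._calls = {}         # phone -> {"code", "state", "spoken_at"}

    def issue(self, phone):
        """Start a login attempt: generate the code and (conceptually) place the call."""
        self._calls[phone] = {
            "code": f"{secrets.randbelow(10**6):06d}",
            "state": "ringing",
            "spoken_at": None,
        }

    def call_event(self, phone, event):
        """Telephony callback: 'connected' moves to the prompt ('press 1 to hear
        your code'); any other outcome (including voicemail pickup) voids the attempt."""
        rec = self._calls.get(phone)
        if rec is None or rec["state"] not in ("ringing", "connected"):
            return
        if event == "connected":
            rec["state"] = "connected"
        elif event in _VOID_EVENTS:
            rec["state"] = "void"

    def keypress(self, phone):
        """DTMF '1' received on a live call: return the digits to read out, or
        None if the call never reached a person (a voicemail box cannot press keys)."""
        rec = self._calls.get(phone)
        if rec is None or rec["state"] != "connected":
            return None
        rec["state"] = "spoken"
        rec["spoken_at"] = self._now()
        return rec["code"]

    def verify(self, phone, submitted):
        """Single-use check: only a code that was actually spoken, and recently, passes."""
        rec = self._calls.pop(phone, None)
        if rec is None or rec["state"] != "spoken":
            return False
        if self._now() - rec["spoken_at"] > CODE_TTL:
            return False
        return secrets.compare_digest(rec["code"], submitted)
```

Even an attacker who somehow learns the generated digits cannot use them once the call went to voicemail, since the record is void before `verify` ever looks at the value.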

>people are too stupid to change something they never use in their whole lives

dude you are underrating the power of the default setting
simple statistics

What are you talking about?

You sound like the kind of guy that uses ancient Windows servers and, when they inevitably get hacked, blames Windows instead of the idiot that used them to begin with. If your security feature relies on an inherently insecure platform then it's simply not secure.

Wtf do I use now? None of these apps are secure

>who uses it
Furries and pedophiles

No one uses Telegram for security. Signal is where it's at.

It was a spoofing attack, you retard

this is nonsense. please do some kind of beginner security course before posting here

You niggers are missing the point. This isn't the first time some shit like this has happened. The problem isn't Telegram per se, but ANYTHING that uses SMS or a phone call for any security purposes EVER. The phone system is not a valid second factor or identity verification method. Everything that goes over the phone system should be treated like it's being posted publicly. Telegram uses phone numbers as their entire security model, so they've always been fucked and they will continue to be fucked.

No shit, that gay CIA jewish spook "Moxie Marlinspike" (real name: Matthew Rosenfeld) is behind it.

>>Literally every single service that ever uses a phone for 2fa is vulnerable to this attack.
Only if those services are willing to leave voicemails. If the system detects and evades voicemail, then it won't be vulnerable.

Not really. This isn't the only known attack vector for phone 2fa. Social engineering the phone company into giving you access to things is shockingly easy with just a little information.

If I earn your trust, pretend to be your friend, and get you to spill your darkest secrets to me, is that really a flaw in Telegram?

Don't be retarded. There are other ways to do 2fa which are not subject to this attack, so yes, it's a valid criticism of Telegram. If you can social engineer an uncaring party for access to my account then it's a valid attack.

Nobody wants to carry around a dozen hardware TOTP/HOTP tokens on their keychain, so SMS 2FA is where it's at.

Except this attack didn't use SMS or even SIM spoofing, only caller ID spoofing calling the voicemail.

Which is why I said that systems which don't leave 2FA messages in voicemail boxes wouldn't be vulnerable in the way this system is.

Literally one yubikey will do everything a person needs. Or you can just use google authenticator. SMS 2fa is literally security theater with how bad it is.

This is just one symptom of the larger problem: You cannot assume your sim card, your sms, your regular phone calls, or your voicemail box is secure. They are services run by companies with a shit track record of security, and the cell network itself is not secure.

Neither are systems that don't rely on phone communication at all. You're saying that this particular flaw can be pretty easily fixed, and that's true, but next week there will be another one. While with things like physical tokens, that problem does not exist at all.
>oh but I don't want to carry around
Yeah, tell me more about the burden of a 2g USB-C drive.

>>Literally one yubikey will do everything a person needs.
Try getting an IT department to accept users using their own hardware tokens. Won't work.

>but it's no worse than if people use the same smartphone for anything
Welcome to the real world, where rationality takes a back seat.

IT departments are using DUO mostly now due to extreme heavy marketing of the product. It's not terrible. You use the DUO app or, drumroll please... your own hardware token. My workplace lets me use my yubikey for VPN access. I think SMS is also an option for use with the system, but we must have it turned off (for obvious reasons) since it wasn't even an option when I was enrolling.

If everyone is using hardware tokens as you claim, then the state of affairs is not one that warrants you complaining about it.

Probably a brainlet question, but isn't it somewhat irrelevant if the voicemail or SMS is intercepted? After all, with 2FA the entire point is that you need both the base password and the 2nd authentication.


so it's not a telegram weakness, just the telco.
that default voicemail password trick is old btw, not sure why it's still this way.

That's for corporate environments where they're smart enough to disable the SMS option. Almost every platform with 2fa has SMS as an option, and guess what normies pick? This has led a ton of platforms to ONLY support SMS 2fa, like Telegram. Most people don't know that second factor is useless, and fewer know that completely secure hardware solutions exist. The somewhat enlightened will use a totp app, which is legitimately secure as a second factor since it eliminates a class of vulnerability without introducing another one.

Yes it is irrelevant. The problem in general is the cell system is unsafe, and cannot be relied on for 2fa. Think of everything you do on your SMS and normal phone as being done over open radio anybody can sniff. It's almost that dire.

It's a telegram weakness since they rely on the telco for security. Imagine if you ran a website that offloaded authentication to a service which stored passwords in plaintext. When they get hacked, you point and say "it wasn't my problem!".
Yes it was. You picked a shit authentication scheme. What the fuck were you thinking? That's Telegram. What the fuck are they thinking?

>That's for corporate environments where they're smart enough to disable the SMS option. Almost every platform with 2fa has SMS as an option, and guess what normies pick?

Of course they only pick 2FA. When I mentioned a dozen hardware tokens on their keychain, did you think I only meant to cover the 2FA people use at work? That has always been covered by a single token at any sane company. When I mentioned a dozen tokens on their keychain, I am talking about the 2FA users have set up for all of the various companies they are customers of, not employees of.

With so many different companies using so many mutually incompatible systems, it's no wonder that users throw up their hands and ask for a text message instead.

>it's not the service's fault that they used an easily crackable encryption, it's the encryption's fault so they don't need to change it!


>>Of course they only pick SMS 2FA
is what that obviously meant to say.

I have a theory that telegram is only alive today because of horny furries and South Americans, there is no way they could be relevant otherwise.

I can't tell if Jow Forums is really this fucking bad at security or if it's just telegram fanboys defending their master.

And because people don't trust Moxie/Signal.

You're such a retard. There are two well known and widely used solutions which don't require more than a SINGLE hardware token even if you use both of them: TOTP and U2F.
My yubikey has 18 totp entries and three u2f entries. It works on any phone, even if I don't have service, the key is extremely durable, and if someone steals my key they won't be able to generate codes without the pin. I also store my private keys for signing mail and git commits on it. One key, that's it.
And the standard is dead easy to implement server side. There is no fucking excuse for not offering it, yet most banks and shit platforms like Telegram use SMS. Fucking why? It's more expensive and far less secure.

Wow buddy, there is no reason to get upset.

The simple truth of the matter is that most people are using SMS 2FA because literally everybody supports it and they don't want the hassle of using a solution that doesn't have universal industry support. That's no reason to be slinging insults at me. I've not insulted you, have I?

No, you're just not getting it through your head that SMS 2fa is literally worse than nothing. Total fucking idiots like you are why companies choose to use SMS at all, since you say shit like "everyone is using it" and being a tech person people trust your opinion. I'd expect anyone on Jow Forums to understand the absolute bare basics of why using the phone system for security is a terrible idea, but you don't, which means you're part of the problem: People who know enough to be dangerous by giving bad advice to others. If you're going to offer any 2fa, do not offer insecure options! Why would you do that? You make people feel safer when really they're now potentially less safe. Normies don't get it. They hear "2fa is safer!" so they sign up thinking SMS is safe. Instead you should offer to use totp or u2f. They ARE industry standards. TOTP is listed as RFC 6238, and U2F is supported by the FIDO Alliance. U2F is actually easier than SMS, because all you need to do is scan your token or plug it in and press a button.
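The TOTP alternative this post and the earlier yubikey post point to (RFC 6238 on top of HOTP, RFC 4226), as an added example that is not code from any project mentioned in the thread. Once the secret has been shared (normally via a QR code), no code ever crosses the phone network, which is the property the thread is arguing about; the server-side window handling and the base32 helper are assumptions about a typical deployment.

```python
import base64
import hashlib
import hmac
import struct

# Added example: TOTP (RFC 6238) built on HOTP (RFC 4226), written from the
# standards. The shared secret never leaves the two endpoints, so there is no
# voicemail, SMS or carrier in the loop at all.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (default 30-second steps)."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1, **kw) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    A real service must also record the last accepted counter so each code is single use."""
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, **kw), submitted):
            return True
    return False


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (the otpauth:// URI 'secret' field)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

The values asserted against this code are the published RFC 4226 / RFC 6238 test vectors for the ASCII secret `12345678901234567890`.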

>>No, you're just not getting it through your head that SMS 2fa is literally worse than nothing.
It's not worse than nothing if it's actually 2FA and not anything else. If they're using the SMS system for password resets or something moronic like that, then it's worse.

Also, please relax for your own sake. Stressing yourself out like this will shorten your life.

>who the fuck uses this russian meme and why

ISIS apparently.

If it's secure enough for terrorists it's secure enough for me and I like the desktop application.

ISIS got their asses handed to them, what makes you think their comms weren't penetrated?

Wire

ISIS are kike plants and their social media is run by mossad

This sounds like amerifat propaganda because they can't get their hands on the based Russians

>local news is paid by (((zuckerberg))) to spread """news"""
shut up, monkey

>The problem in general is the cell system is unsafe, and cannot be relied on for 2fa.

What alternative is there?
Snail mail?

Even if both are relatively insecure it is still extremely hard to intercept both someone's internet traffic and their SMS simultaneously.
My bank used SMS for two factor authentication for decades and AFAIK it never caused a security breach despite being a prime target.

>If they're using the SMS system for password resets
This is surprisingly common and is exactly why I said "potentially less secure".

You seem to think that I'm whipped up simply because I'm calling you a fucking idiot. I'm not. Hammering out even a full 2k character post takes a few minutes of my time. You're just getting a stream of consciousness from someone who has worked in this area and knows a thing or two.

Did you even read my post? The alternative is TOTP or U2F, which are both very simple to implement server side and client side. A user can even use software totp with the Google Authenticator app or a similar one, with somewhat degraded security, but still better than SMS by a mile.
The risk isn't interception of both factors at once. If your password is compromised and you're using SMS for two factor, and hacking you is worth calling your telco for some social engineering, you're done. If a company is using your SMS as a form of identity verification, you're done. The first attack works because as a second factor, SMS is useless. The second attack works because using SMS for identity verification is worse than just doing a normal email reset.
>My bank used SMS
The security of banks is mostly in the fact that they can reverse transactions if fraud is discovered within a day or two. They're slow, paper driven organizations, which makes them harder to attack. Still they're breached all the time, but they don't advertise the fact. People get their account drained with no explanation given to them all the time. Bank fraud is an enormous criminal industry, and it's in the banking system's best interest to hide how vulnerable it is.

>They're slow, paper driven organizations

Not in developed countries.
Money transfers are handled automatically and within seconds.

You're also acting as if SMS is the primary authentication method.
It's only a secondary check to avoid having a single point of failure.

Don't lecture me about how money transfers happen. Even if you see the money go, that doesn't mean it really did. Instant transfers based on SWIFT (international) and ACH (US) seem to be instant, but it's an illusion. Actual settlement happens slowly, and with many checks involved. The instant layer is simply communication of intent, which is reflected immediately for convenience.
>It's only a secondary check to avoid having a single point of failure.
It can be assumed the SMS part of authentication is already compromised, leaving you with a single factor (your password), unless the service lets you do SMS password resets too, in which case it's truly just single factor, and the single factor is broken SMS.
You're simply not grasping how broken SMS or any other phone system is. It's extremely broken.

> tfw WhatsApp is unironically more secure than Telegram
oh no no no no

Tonight on Jow Forums: it's ok to use "security" features with a billion known holes and exploits used in the wild as long as you didn't program it yourself

You can enable 2fa on your telegram account so you have to enter a password after the phone verification; it completely patches this

It doesn't stop a spoofer from creating an account using your phone number, it's an inherently broken system.

What is better between wire and riot, and why?

Anyone else suspicious at the sheer amount of Russian-coded "privacy tools" like telegram, cryptomator, and others? Seems to me they're playing at western paranoia of their (the west's) own intelligence agencies to trick people into handing over data to the kremlin.

>What is better between wire and riot, and why?
wire is less buggy and consumes less battery

Doesn't it keep a list of your contacts on its server or something?

doesn't whatsapp do the same?

Americans are retarded enough to fall for it