Threema does not rely on SMS for login; identities are not phone-number based, and trust can be ensured by manually scanning the peer's public key QR code, leading to a clear visual trust level indicator.
Applications should not rely on SMS for authentication or login, or on the phone number for identity.
I have a couple of SIM cards since I live on the US/Canada border. WhatsApp and Telegram won't let me send messages when I switch SIMs, and there is no other way to verify my identity.
Yes. Duh. If you don't offer users a way to confirm key fingerprints directly with each other (or at least require signatures from a verification service that does actual verification), you don't offer an encryption system.
Signal notifies you on key changes. Whatsapp has an option (I think) to do so.
Anyways the simple fix that might work somewhat is "alert the user". Telegram could tell the old user they have added a device. Or even require some time period where they wait for a response from the existing device, perhaps calibrated to their usage.
After registering a new device, a warning can be displayed to contacts for the first few messages. Maybe old messages are not accessible or something.
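An added example (not code from any commenter or from Telegram, Signal or Threema) of the client-side trust logic these comments describe: trust on first use with an "unverified" indicator, an alert when a contact's identity key changes, a warning shown on the first few messages afterwards, and a QR-scan verification step that upgrades the indicator only when the scanned fingerprint matches. All names, the fingerprint format and the warning count are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

# Trust levels shown as the client's visual indicator (hypothetical names).
UNVERIFIED, VERIFIED, CHANGED = "unverified", "verified", "changed"
WARN_MESSAGES = 3  # warn on the first few messages after a key change

def fingerprint(public_key: bytes) -> str:
    """Hex fingerprint of a peer's identity key (SHA-256, truncated)."""
    return hashlib.sha256(public_key).hexdigest()[:32]

@dataclass
class Contact:
    fp: str
    level: str = UNVERIFIED
    warn_left: int = 0

@dataclass
class TrustStore:
    contacts: dict = field(default_factory=dict)

    def observe_key(self, name: str, public_key: bytes) -> str:
        """Called on every incoming message; returns the UI event to raise."""
        fp = fingerprint(public_key)
        c = self.contacts.get(name)
        if c is None:  # trust on first use, but keep it marked unverified
            self.contacts[name] = Contact(fp)
            return "new"
        if c.fp == fp:
            if c.warn_left > 0:  # still inside the post-change warning window
                c.warn_left -= 1
                return "warn"
            return "unchanged"
        # Identity key changed: a new device (or a hijacker) registered.
        c.fp, c.level, c.warn_left = fp, CHANGED, WARN_MESSAGES
        return "key_changed"

    def verify_in_person(self, name: str, scanned_fp: str) -> bool:
        """Compare the fingerprint scanned from the peer's QR code."""
        c = self.contacts[name]
        if c.fp != scanned_fp:
            return False  # mismatch: never upgrade trust
        c.level, c.warn_left = VERIFIED, 0
        return True

    def indicator(self, name: str) -> str:
        return self.contacts[name].level
```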
There are ways to limit the impact of an SMS hijack.
When you add a device, you do get notified that a new device was added, and if you have an existing Telegram device, all future devices won't use SMS as the authorisation channel. I think the problem here is that the attackers added a device before the "original" person did.
However, allowing for a reverse lookup of a phone number through its API is a privacy—and security—problem Telegram is directly responsible for, IMHO.
Yeah, didn't Signal spend a bit of work trying to avoid exposing users?
If you have an existing Telegram device (registered before target registered), then how do they register? And wouldn't both devices get notified? Also how would they know which numbers to register?
Just fundamentally seems like the software can notify you of how many devices have access, and make that visible on any change and when installing on a device. Perhaps even offering to kill existing devices.
I know that some people here are suspicious of Telegram because they use their own encryption mechanism, but it's like there's an active campaign against it by the media. In my country the media has been calling it the "ISIS chatting app".
Nothing to do with that. Authentication is an essential pillar of a security app, and the ability to effectively authenticate is an important component of opsec. If SMS is compromised (and it is not hard to imagine given how protective govt is about SMS exploits/sigint) then the authentication aspect of any app that relies on SMS is also potentially compromised. Weakest link and all that...
It's just media doing the thing it always does. Inducing outrage in any way possible. It's too late to call Facebook Messenger an "ISIS chatting app", but consider that e.g. whenever Facebook adds any kind of even remotely useful feature to their service, they're immediately portrayed as stalker paradise by the media.
IMO you're unjustifiably downvoted. As a previous reply already said, other services rely on SMS auth as well. So why is only Telegram criticised? You can see from previous HN top stories that the mistrust in this service seems especially high.
Ah, yes. Then let's add the cardiovascular system, since humans rely on it to press screens or keys to use Telegram. What else has been potentially hacked? The moon?
They didn't break SMS wholesale; they got access to one telco's network. Saying they were hacked is like saying Slack/Netflix/etc were hacked whenever a single email provider is hacked.
That said, SMS isn't a very secure channel for one-time passwords. Enable 2 factor auth.