Can the victim prevent his account from being stolen via SMS using the messenger's built-in means?
WhatsApp: no. Verification is provided only via a received SMS; accordingly, whoever has access to the SMS has access to the account.
Signal: no. Verification is likewise provided only via a received SMS (or a phone call).
Telegram: no. Even two-factor authentication will not prevent the attacker from stealing the account; the details are in the next chapter.
Why doesn't two-factor authentication work, that is, why doesn't it prevent your account from being stolen?
You can turn on two-factor authentication in the settings. You will need to enter a password and, optionally, an e-mail address for recovery in case you forget the password.
If the victim has two-factor authentication on, the attacker goes through the following:
- The attacker enters the victim's phone number in his app and tries to log in. He sees a notification that the code was sent not by SMS but directly to the Telegram app connected to this number on another device.
- At this moment the victim receives a system notification in his Telegram app (or apps).
- The attacker taps «Didn't get the code?» and Telegram sends it by SMS.
- The attacker enters the code from the SMS and discovers that the account has two-factor authentication enabled and a password is required (here «10» is the password hint chosen when two-factor authentication was turned on).
- Next, the attacker pretends to have forgotten the password («Forgot password?»). He learns that a recovery code has been sent to the victim's e-mail (if the victim provided one when turning on two-factor authentication). The attacker does not see the address itself, only the part after «@».
- At that moment the victim receives a password-recovery code at his e-mail address (if he provided one when turning on two-factor authentication).
- The attacker taps «OK» and sees a window for entering the code from the victim's e-mail. In turn, he can claim to have problems with his e-mail («Having trouble accessing your e-mail?»), after which Telegram offers to «reset your account».
- The attacker taps «OK» and sees two options: enter the code or tap «RESET MY ACCOUNT». Telegram explains that if the user resets the account, the messages and files from all chats will be lost.
- The attacker taps «RESET MY ACCOUNT» and sees a warning that this action cannot be undone and all messages and chats will be deleted.
- The attacker taps «RESET» and Telegram asks for a name for the reset account.
- That is all: the attacker has effectively stolen the account. He is logged in with the victim's phone number and can write messages on the victim's behalf.
- The victim's app now looks as it did right after installation: a welcome screen presents Telegram and offers to register or log in.
- When the attacker writes on the victim's behalf to one of the victim's contacts, that contact sees that the victim has just joined Telegram (which is suspicious) and reads the new message (or messages) in a new chat with the victim. Within 12-16 hours the contact will also see «Deleted Account» in the previous chats.
If the victim can still receive SMS at his phone number, he can log in to Telegram on his own device. If the attacker has not turned on two-factor authentication in the stolen account, the victim can go to Settings => Privacy and Security => Active Sessions and terminate all other sessions (that is, the attacker's sessions).
If the attacker has turned on two-factor authentication, the victim can «steal» his own account back using the same scheme.
As you can see, the only benefit of Telegram's two-factor authentication is that the attacker does not get access to normal (not private) chats. So Telegram with two-factor authentication on provides the same level of account security as Signal and WhatsApp without it.
Pavel Durov, the creator of the Telegram messenger, said:
There is two-factor authentication (a password and an account), the account is tied to a SIM card of a normal jurisdiction, and the most intimate matters are discussed in private chats. In fact, any of these measures can secure important information…
Of course, two-factor authentication does protect important information (your correspondence and files from normal chats), but it cannot prevent the theft of the account itself: it cannot stop the attacker from logging in with the victim's number and writing messages on the victim's behalf.
Tips for users
WhatsApp
- Make sure you have enabled Settings => Account => Security => Show security notifications. You will then get system notifications, and if your contact writes to you from another device you will be able to notice that something is wrong and check whether you are really chatting with the person you think you are, or with an attacker writing on their behalf. To do so, tap the notification about the security code change:
Then tap «VERIFY»:
Next, verify your contact's security code. Ask your contact to open the security code verification screen (Menu => Settings => View contact => Encryption). Here you can either scan each other's QR code or compare the 60-digit number (for example, simply call each other and read the digits in turn).
- Ask your contacts to do the same: turn on security notifications, and always verify security codes when they get such a message.
- If you receive a notification that «this phone could not be verified» because somebody has already registered the same phone number on another device, together with an offer to verify, agree to verify as soon as possible (this deactivates the attacker's account). Also inform your contacts about the incident and ask whether anybody wrote to them on your behalf while your account was deactivated.
- Write to the WhatsApp developers asking them to add two-factor authentication (firstname.lastname@example.org).
Signal
- If in a chat you see a notification that a message was received with an unknown identity key and Signal offers to verify it, do so. Get in touch with your contact through another channel (for example, call them), ask whether they have reset Signal and, if possible, compare key fingerprints (in the current chat tap Menu => Conversation settings => Verify identity).
- Ask your contacts to do the same: if they get a message on your behalf with an unknown identity key, they should get in touch with you and find out what happened.
- If you see an error when trying to send a message, someone may have registered Signal with your phone number and your current app has gone offline (Signal does not tell you about this). If the «RESEND» button keeps failing and you have no Internet connection problems (other messengers, mail and web sites work), the easiest fix is to reset Signal (delete the app and install it again) and register again. If it works again after the reset and registration, ask your contacts whether they received any messages on your behalf while you were offline.
- Write to the Signal developers asking them to add two-factor authentication.
- Write to the Signal developers asking for a clear notification that your current app has gone offline because somebody else registered with your phone number, telling you that you need to register again to use the app.
Telegram
- Turn on two-factor authentication: Settings => Privacy and Security => Two-Step Verification. It does not prevent your account from being stolen, but it protects the correspondence in your normal chats.
- If you see a notification with a code and you did not open the app, somebody is trying to log in to your account. If the attacker can read the SMS sent to your phone, you will not be able to stop him anyway. But you can inform your contacts, ask them to pay special attention to new chats with you, and ask them to get in touch with you if they receive messages on your behalf, to make sure you really wrote them.
- If you see a notification about a login from another device, follow the notification's instructions. Inform your contacts about the incident and ask whether anybody wrote to them on your behalf while the session on the other device was active.
- If you have two-factor authentication on and receive an e-mail with a recovery code, it means that somebody has successfully obtained the SMS code sent to your phone number and is now trying to get past two-factor authentication. Inform your contacts and write to Telegram support.
- If you see a second private chat with one of your contacts, get in touch with them by other means and check whether they really wrote to you. You can always verify the other party of a given chat (in the current private chat tap the contact's name => Encryption Key). Do the same if you see that your contact has «joined Telegram».
- Ask your contacts to do the same: if they see a new private chat from you or a notification that you «joined Telegram», they should get in touch with you and find out what happened.
- Write to the Telegram developers asking for a notification when a contact starts using the app on a new device.
- Write to the Telegram developers asking for effective two-factor authentication: one that actually works and protects your account from an attacker trying to steal it.
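The check that the WhatsApp, Signal and Telegram tips above all rely on (both parties derive the same code from their identity keys, a changed code means a re-registration, and only an out-of-band comparison settles who is on the other end) can be modelled in a few lines. The following is an added illustration written for this page, not code from WhatsApp, Signal or Telegram: the identity keys are random bytes, the 60-digit derivation is a toy scheme (the real apps use their own), and the Device and Contact records are constructed for the walkthrough.

```python
import hashlib
import hmac
import secrets


def new_identity_key() -> bytes:
    """Stand-in for the long-term identity key a fresh registration generates."""
    return secrets.token_bytes(32)


def security_code(key_a: bytes, key_b: bytes) -> str:
    """Derive a 60-digit code for a chat that both parties compute independently.

    Toy derivation (not the apps' real one): sort the two keys so the result
    does not depend on who computes it, hash with SHA-512, and map the 64-byte
    digest onto twelve 5-digit groups (12 * 5 = 60 digits).
    """
    first, second = sorted((key_a, key_b))
    digest = hashlib.sha512(b"toy-security-code" + first + second).digest()
    groups = [
        f"{int.from_bytes(digest[5 * i:5 * i + 5], 'big') % 100_000:05d}"
        for i in range(12)
    ]
    return "".join(groups)


def display(code: str) -> str:
    """Group the code in fives, the way the apps show it for reading aloud."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


class Contact:
    def __init__(self, identity_key: bytes):
        self.identity_key = identity_key
        self.verified = False  # becomes True only after an out-of-band comparison


class Device:
    """One installed app: its own identity key plus what it remembers about peers."""

    def __init__(self):
        self.identity_key = new_identity_key()
        self.contacts: dict[str, Contact] = {}

    def receive(self, sender: str, sender_key: bytes) -> str:
        """Handle an incoming message and return the notice the user would see.

        A key that differs from the remembered one means the sender re-registered:
        a new phone, or someone who has taken over the number.
        """
        known = self.contacts.get(sender)
        if known is None:
            self.contacts[sender] = Contact(sender_key)
            return "new chat (unverified)"
        if hmac.compare_digest(known.identity_key, sender_key):
            return "ok" if known.verified else "ok (unverified)"
        known.identity_key = sender_key
        known.verified = False
        return "security code changed: verify before trusting this chat"

    def my_code_with(self, name: str) -> str:
        return security_code(self.identity_key, self.contacts[name].identity_key)

    def verify(self, name: str, code_read_out_of_band: str) -> bool:
        """Compare the code the peer reads over a call or QR scan with the local one."""
        ok = hmac.compare_digest(
            self.my_code_with(name), code_read_out_of_band.replace(" ", "")
        )
        self.contacts[name].verified = ok
        return ok


def demo() -> dict:
    """Walk through the article's scenario with two constructed devices."""
    alice, bob = Device(), Device()
    alice.receive("bob", bob.identity_key)
    bob.receive("alice", alice.identity_key)
    # 1. Both sides derive the same code on their own; reading it over a call confirms it.
    first_verify = alice.verify("bob", display(bob.my_code_with("alice")))
    # 2. Bob's number is registered on another device, which carries a fresh identity key.
    other = Device()
    notice = alice.receive("bob", other.identity_key)
    # 3. Alice calls Bob; the code on Bob's own phone no longer matches what Alice sees.
    second_verify = alice.verify("bob", display(bob.my_code_with("alice")))
    return {"first_verify": first_verify, "notice": notice, "second_verify": second_verify}


if __name__ == "__main__":
    print(demo())
```

The point of step 3 is the one the tips make: the app can tell you that the code changed, but only a comparison over a channel the attacker does not control tells you whether the new key belongs to your contact's new phone or to somebody else's registration of their number.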