Signal and Twilio: How to Avoid a Hack with Two-Step SMS Verification

Recently, Signal and Twilio suffered a hack affecting almost 2,000 of their users, and both have issued recommendations on how to avoid falling for this type of scam.

Signal, the popular encrypted messaging app, reported that the phone numbers and text verification codes of 1,900 users could be in the hands of hackers after Twilio, a company that provides online verification services to the messaging platform, was the target of a security breach in early August.

While Signal confirms that message history, profile information, and contact details are safe, the hack is just another example of why SMS verification isn’t a good idea.

Context of the Twilio and Signal hack

The security breach at Twilio occurred on August 4, when some of the company’s employees fell victim to phishing attacks and, having been deceived, handed their data and passwords to the attackers.

The company, in a statement, explained that hackers used employee accounts to access various internal systems and steal data from some of its customers.

According to the messaging platform itself, the attackers allegedly obtained the phone numbers, and the verification codes associated with them, of almost 2,000 of its users. Signal calls this “a very small percentage”, but it has a very significant drawback: it could allow access to the affected users’ accounts.

“For some 1,900 users, an attacker could have tried to re-register her number on another device or learned that her number was registered with Signal,” Signal’s statement read.

Access to the Signal account could allow hackers to send and receive messages. They would not, however, have access to previous chats, profile information or contact addresses. All of this is protected by a PIN that must be entered manually by the account owner and is not held by Twilio.

Signal Attack Proves SMS Verification Is Dangerous

SMS verification is a simple method of verifying a user, who does not need to remember a password to access their account. Platforms like Lime, Signal or WhatsApp use it.

It is also used as additional protection on platforms that support two-step verification. In these cases, the user, in addition to providing a username and password, must enter a unique PIN code sent by SMS, which expires after use.

However, sending these codes via SMS is far from ideal, as they are relatively easy to intercept, especially when SMS is the primary verification method (i.e. not a secondary factor in a two-step verification system).

In the case of Signal, the attackers were able to steal phone numbers and their associated codes through a phishing attack against the company that provides the code delivery service for the messaging platform.

But accessing internal platforms by stealing employee credentials is not the only way to steal verification codes.

How to identify these SMS scams and what to do

Some hackers trick victims into inadvertently forwarding their calls to another phone number (the attacker’s) so they can access the victim’s WhatsApp, Telegram, or Signal account.

They then register an account on a new device. After the verification code has been sent via SMS, they request to receive the code by phone call instead.

Something similar happens with two-step verification (2FA) codes. Some of these are also sent by SMS and can be intercepted in the same way. It is therefore best to use platforms that generate these one-time codes locally, such as Authy, iCloud or Google Authenticator.

However, WhatsApp and Signal, as well as many other platforms that continue to send codes via SMS, have recently added further access protections.

Among them is a personal PIN: in addition to entering the code received via SMS, the user must also enter this PIN in order to complete registration and use the application.