
Using Whatsapp and Telegram Safely and Avoiding Chat Intrusion or Leakage


Hey guys!
In this article, which has nothing to do with SQL Server, I would like to share with you some VERY SIMPLE ways of using Whatsapp and Telegram SAFELY and not becoming a victim of intrusions, like the ones we keep seeing in every newspaper and news site in Brazil, as several authorities (such as Sérgio Moro and Deltan Dallagnol) are being attacked in instant messaging applications, especially Telegram.

My goal with this post is to help you understand, clearly and objectively, how these attacks work and how to protect yourself from them, and to show that in less than 1 minute you can keep your Whatsapp or Telegram protected from the attacks that have been leaking private conversations between authorities of our country.

Please note that if you have lost your phone or it has been stolen, always remember to call your carrier to block your SIM card and sign in to your Google (Android) or iCloud (Apple) account to lock the device and remove your personal information from it. On Android, for example, you can use the link to remotely locate, lock, and remove your account from the device using a computer or another device.

How are these attacks performed?

In a nutshell, attackers can access their victims' conversations through 4 main methods:

  • Physical device theft: This case hardly needs any comment. Once your device has been physically stolen and is in the possession of criminals, all your data and files can be accessed by them.

    To make it harder for them to access your data, it is very important to use a password to unlock the device, encrypt memory cards (if you use them) and have the operator block the SIM card as soon as possible, since most applications and services use SMS to restore access when you have forgotten your password.

    A good tip is to use locking applications like AppLock, which ask for a password every time you open an application that contains personal data, such as email, social networks, banking apps, Whatsapp, etc. This way, even if your phone is stolen, it will be harder for criminals to access your important applications.

  • Malware installed on victim's mobile phone: This method is very old and well known. It relies on a security hole in devices that have been infected by malicious software, which presents itself as something else, such as a utility application, but while running may make changes to the device or capture personal information, such as Whatsapp chat history files, and send it to another device.

    In order not to fall for this scam, you should only use applications whose origin and authenticity you are sure of. Apps available from official stores are generally safer than those you download from external websites, but even apps from the official store can pose security risks for your device (especially from Google Play; Apple is much stricter about this), so avoid downloading just any application you find on the internet.

  • Loophole in the signaling network: Operators still use a signaling network with an old protocol (SS7 - Signalling System No. 7), which is known to have multiple vulnerabilities. Going through small carriers, an attacker can steal a phone number that is on the 2G or 3G networks by mimicking an international roaming request. Using this technique, the attacker can receive the victim's phone calls and text messages.

    To protect against such attacks, always try to use the 4G and 5G networks (you may need to get a new SIM card if yours is very old). In addition, with the implementation of the LGPD, telecom operators should stop using the SS7 protocol and switch to Diameter.

  • SIM Swap: In this attack, a malicious person impersonates the victim using false documents and/or personal data obtained through social engineering or through access to some record of the victim. With this information, the fraudster can get the operator to issue a new SIM card for the stolen number. Also known as “subscription fraud”, this scam has been widely used to access banking applications to carry out transactions and transfers, as they use SMS to authenticate the user and allow access to the account.

    Messaging applications such as Whatsapp and Telegram also use SMS to allow a fresh installation. If the fraudster has access to the victim's SMS messages, they can easily use these apps on their device, as pointed out by this article.

    It is possible to counter this scam by registering your biometric data with the telephone operator, so that this type of operation has to be validated with your biometrics, which blocks the criminals.

  • Remote voicemail access: This method was pointed out as the one used in the data leaks involving the Lava Jato ministers. It uses a technique called "spoofing", in which several calls are made to a certain number so that the line becomes congested and new calls fall into the victim's voicemail.

    Telegram, which was the application in question, uses a phone call with the access code as one of its authentication methods (in addition to the code sent in the application itself and by SMS). Once the number is jammed with these calls, thanks to "spoofing", that call goes to the victim's voicemail. From there, attackers can try to access the voicemail and get the number that will allow them to open the application.

    Although remote access to your phone's voicemail requires a password, some carriers set a default password, which many users do not change. This service is little used in Brazil, because operators charge for access, but you can protect yourself against this attack by disabling the voicemail service or, if you use the service, by changing your password.

Is Telegram safe?

A Russian open source application, Telegram is regarded as one of the safest messengers in existence, having been one of the first to implement end-to-end encryption. Although its security in traditional chat is questionable, it has a feature called Secret Chat, which allows you to create secure, encrypted conversations stored on your device only, preventing messages from being stored on the application's servers. Additionally, you can set a timer so that messages are automatically deleted after a certain time.

However, when using traditional chat, conversations are stored on Telegram's servers, so whenever you sign in to your account on a new phone or on Telegram Web, you can view the entire history of previous conversations without having to keep creating and restoring backups of conversations, as in Whatsapp (in normal situations, this is a plus for practicality).

In addition, Telegram allows multiple connected devices at the same time, meaning you can use your Telegram account on multiple phones at the same time, which can be a nice feature, but also a security breach. I will comment on this in the next topic.

How to protect my Telegram against intrusion?

Telegram implements end-to-end security, which prevents messages from being intercepted during transmission, and all your messages, media and files are stored on Telegram encrypted servers, i.e. the images you receive are stored on your phone (you can download the files if you wish).

This way, even if an attacker has access to your phone, they will not be able to access your conversations because they are in the cloud, not in files recorded on your device. To increase your security, you can use the other protections I've already mentioned in this article, namely the device lock password and apps like AppLock, to lock social networks, messaging apps, banking apps, and even the OS's own apps, such as gallery and SMS. This will make it very difficult for people to access your information, even when they are in possession of your mobile phone.

That done, now let's activate a very simple security feature that takes less than 1 minute to set up, and that would surely have prevented this whole episode of information leakage from the ministers, prosecutors and authorities of the Brazilian government. This feature is called 2-Step Verification.

To start the configuration and activate the 2-step verification, open the Telegram menu and select the “Settings” option.

After that, access the option “Privacy and Security”

Access the “Two-Step Verification” option

Select the option “Set additional password”

Enter the password you want to use to protect your Telegram. This password can contain letters and numbers.

Retype your password to confirm it.

Enter a password hint to help you remember the password if you forget it.

If you wish, enter an email address that can be used to retrieve your access code. For security reasons, I do not recommend enabling this option as a person who has access to your email could reset your access code and use your Telegram.

If you have set up an email for code retrieval, an email with a number will arrive so that you can confirm that your address is actually valid.

Ready! Two-step verification enabled!

Note: If you have set up an email to retrieve your access code, the only way to remove that email is to disable two-step verification, activate it again, and click the “Skip” option on the screen that asks for the email.

Is Telegram Web secure?

If you use Telegram Web to view and send messages through your Telegram account and have been following how the attacks on the Brazilian government were carried out, you may have been a little worried that they were performed using Telegram Web.

As I mentioned earlier in this article, Telegram allows you to use multiple sessions on the same account, meaning you can have several different phones and browsers using the same account. This is very practical, because you can use Telegram Web at the office, at home and on the phone without having to disconnect several times.

However, this can end up being dangerous, as you could lose control of where your account is logged in and make it easier for others to access your conversations. To control this we can use the Active Sessions option in the Telegram menu:

And if you notice a session that you do not recognize or that you have not used for a long time, always choose to disconnect that session:

If you are concerned about Telegram Web security, you can rest easy. As long as you enable 2-step verification, as I demonstrated in the previous topic, you will be protected against the attacks suffered by Brazilian government officials. You can see this by trying to access Telegram Web again with 2-Step Verification enabled.

By default, Telegram sends a code through the app itself so that you receive it on your mobile phone and use that code to log in to Telegram Web.

That is, if you have not tried to access your Telegram and you have received this message, it is because someone is trying to break into your account. Be aware of this.

If you do not have the Telegram application installed, you can request that the code be sent by SMS after 2 minutes. That is where the danger lies. If someone has been able to access your SMS messages, either using the SIM Swap method or another method, the fraudster may be able to log in to your Telegram account.

2 minutes after requesting the SMS code, you can request that the code be sent by telephone call. This was the method used to invade the Telegram accounts of the Brazilian authorities, through the technique of "Spoofing". Once the attackers managed to jam the victims' line, they requested that the code be sent as a phone call, which, because the line was congested, fell into voicemail. The voicemail was probably using a standard password, so the fraudsters were able to access it, hear the code and, with that, log into Telegram.

In the 2 methods above, either by SMS or by phone call, anyone who can access your SMS messages or calls can log in to your Telegram account normally, even without having access to your mobile phone where the app is installed.

But when 2-Step Verification is enabled, a further validation screen appears that will prevent this attack from being performed (or at least make it quite difficult):

In this new screen, in addition to the confirmation by code sent in the app, by SMS or by call, you will have to enter your password to access Telegram. This is the password that you chose and registered when you enabled 2-step verification.

If you have not set up a recovery email, an attacker will only be able to access your account if he can guess your password. Even if he has access to your SMS messages, calls and even your email, he will not be able to log in to your Telegram account.
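The login steps described above can be written as a small model that lists the smallest combinations of attacker access that are enough to take over an account under each setting. This is an added example, not part of the original article and not Telegram's code; the capability names are labels made up for the example, and the rules come only from the description in this article.

```python
from itertools import combinations

# Kinds of access an attacker may have (labels are this example's own).
CAPS = ("unlocked_app", "sms", "voicemail", "email", "password")

# The login code arrives in the app, by SMS, or by a call that can
# end up in voicemail when the line is congested.
CODE_CHANNELS = {"unlocked_app", "sms", "voicemail"}


def can_log_in(caps, two_step, recovery_email):
    """True if an attacker holding `caps` gets past every login step."""
    caps = set(caps)
    if not caps & CODE_CHANNELS:
        return False  # no way to obtain the login code
    if not two_step:
        return True   # the code alone opens the account
    if "password" in caps:
        return True   # knows (or guessed) the 2-step password
    # Otherwise the only way in is a reset through the recovery email.
    return recovery_email and "email" in caps


def minimal_attacks(two_step, recovery_email):
    """Smallest capability sets that are enough for a takeover."""
    found = []
    for size in range(1, len(CAPS) + 1):
        for combo in combinations(CAPS, size):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # a smaller set already covers this one
            if can_log_in(candidate, two_step, recovery_email):
                found.append(candidate)
    return sorted(sorted(s) for s in found)


if __name__ == "__main__":
    settings = [("no 2-step verification", False, False),
                ("2-step + recovery email", True, True),
                ("2-step, no recovery email", True, False)]
    for label, two_step, recovery in settings:
        print(label)
        for attack in minimal_attacks(two_step, recovery):
            print("   ", " + ".join(attack))
```

With 2-step verification and no recovery email, every remaining path in this model includes the password itself, which is why the article recommends skipping the recovery email.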

Very simple, right? And to think that such a simple solution could have prevented a real political scandal in our country.

Is Whatsapp safe?

Whatsapp, like Telegram, implements end-to-end security, which prevents messages from being intercepted during transmission. Unlike Telegram, Whatsapp saves conversations on your device, so you won't be able to view your previous conversations when installing the app on a new device, unless you back up your conversations, store them on remote storage like Google Drive and restore them on your new device.

This creates a new kind of security breach, as an attacker can access your conversation history if they have physical access to your phone (theft, for example) or access to your Google Drive, since your conversation history is stored in the phone itself.

Unlike Telegram, Whatsapp allows only 1 session using the app, that is, if you want to install Whatsapp on 2 phones, you will not be able to, because when you open the app on one phone, the other will "log off" automatically.

How to protect my Whatsapp against intrusion?

One of the best ways to protect Whatsapp from intrusion, whether by someone trying to access your voicemail or by someone who has access to your SMS messages, is to enable Whatsapp 2-Step Verification, just as in Telegram and many other applications. That way, the app will require you to authenticate in one of these 2 ways and, in addition, to enter a 6-digit password chosen by you.

This will make it very difficult for an attacker to be able to access your Whatsapp even though they have access to your messages or calls.

Please note that the conversation backup option is very useful and practical, as you can recover your conversations if you lose or change your phone, but at the same time it can be a risk to your privacy, as a person who has access to your mobile phone can access your files and copy your messages, since they are stored inside the device, not on a protected server.

In the screenshots below, I will demonstrate step by step how to enable 2-step verification in Whatsapp.

Click on the 3 dots of Whatsapp and select the option “Settings”:

Access the "Account" menu.

Now, select the option “2-step verification”.

Click the “Activate” button

Enter your access code, which will be used to set up the app on a new phone. From time to time you will also be asked to enter this number to continue using Whatsapp.

If you wish, enter an email address that can be used to retrieve your access code. For security reasons, I do not recommend enabling this option as a person who has access to your email could reset your access code and use your Whatsapp.

Two-step verification enabled!

Two-step verification setup screen:

Whatsapp screen when it prompts you to enter your passcode

Note: If you have set up an email to retrieve your access code, the only way to remove that email is to disable two-step verification, activate it again, and click the “Skip” option on the screen that asks for the email.

Well guys, I hope you enjoyed this article and that you keep in mind the tips I gave to avoid being the target of attacks, whether through Whatsapp, Telegram or a banking application.
A big hug and see you in the next article.