this post was submitted on 17 Jul 2024
71 points (88.2% liked)

Privacy

31859 readers
313 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Yes, you can use Signal without sharing your personal phone number. Here’s how I did it.

top 44 comments
sorted by: hot top controversial new old
[–] [email protected] 58 points 3 months ago* (last edited 3 months ago) (3 children)

tl;dr the sms verification falls back to voice and they just used a payphone.

I guess if you count the airport full of cameras they went to to do this as "anonymous", then sure :)

Also this article from 2017 suggests not using this method:

It’s important to maintain control of this phone number. For example, you could use a disposable SMS service to register with Signal — there are many such services if you search for them — but those phone numbers can be used by anyone. Similarly, you should avoid using a public payphone’s number, or a SIM card on which you do not intend to renew service. If someone else can receive SMS messages or phone calls to this phone number, they can take your Signal account away from you.

[–] [email protected] 34 points 3 months ago (1 children)

That risk is not just theoretical. I made a test account (on another service; not Signal) using a free anonymous SMS number. A few months later, the account had been hijacked.

Of course, if it's a disposable account, then having it hijacked after you're done with it might be a good thing.

[–] [email protected] 11 points 3 months ago (1 children)

Signal has account pins now so I don't think the attack vector is as large as it used to be

[–] [email protected] 18 points 3 months ago (1 children)

They can't "take over" your account, but they can "override" it and delete yours.

[–] [email protected] 1 points 3 months ago (1 children)
[–] [email protected] 8 points 3 months ago (1 children)

Register a new account over that phone number. They can't get into any previous accounts register with that phone number. They could potentially manage to find the pin if the previous user really used a guessable one, but then again, they won't be able to check the previous messages and the linked owner of that account will be warned of that new connection.

[–] [email protected] 8 points 3 months ago

I don't think that's possible with a registration lock unless you are inactive for longer than 7 days.

Enabling a registration lock triggers a 7-day inactivity timer if your number is registered on another device.

[–] [email protected] 3 points 3 months ago

Just wear a face mask and sunglasses and hoodie when using the pay phone. That way you'll blend-in and be anonymous

[–] [email protected] 0 points 3 months ago (1 children)

”It’s important to maintain control of this phone number."

I strongly feel that this is false.

[–] [email protected] 5 points 3 months ago (1 children)
[–] [email protected] 0 points 3 months ago* (last edited 3 months ago) (1 children)

~~If someone trys to register with an existing number then it wont work if its already being used.~~
Im not sure on this^
Better to enable a security pin if you are concerned.
The traditional phone system involvement is annoying.

[–] [email protected] 2 points 3 months ago (1 children)

Got a source for that? There have already been multiple contradicting sources posted saying this isn't true.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago)

I cant find any information that discusses the security risk. But it would seem that this transfering all content to the owner of the phone number is a standard feature.
So, maybe its not discussed because it doesn't frequently happen.
It doesnt seem like a trustworthy way to ensure users' content remains secure.
Update:
https://old.reddit.com/r/signal/comments/8r7tbc/someone_impersonating_me_using_my_old_number_what/
https://support.signal.org/hc/en-us/articles/360007062012-Change-Number
https://support.signal.org/hc/en-us/articles/360007062452-What-do-I-do-if-my-phone-is-lost-or-stolen
https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages

[–] [email protected] 56 points 3 months ago* (last edited 3 months ago) (3 children)

How I Got a Truly Anonymous XMPP Account:

  • Open my client (e.g. Conversations, Monal, Dino)
  • Pick a random server, username and password
  • Click register

Sorry, it's a cheap joke, but it still baffles me that Signal requires a phone number, so I felt I had to post it :)

Of course, this is not XMPP-specific either, just my protocol of choice, there are many other open alternatives that also offer such functionality.

[–] [email protected] 31 points 3 months ago* (last edited 3 months ago) (1 children)

and then you can anonymously chat with yourself because no one else will bother installing that favorite app of yours!

I've been trying to get people off WhatsApp for who knows how many years now. With Signal, i have a chance of convincing people. When you start talking about matrix or session or SimpleX or ???, people stay on WhatsApp

[–] [email protected] 13 points 3 months ago

Different strokes for different folks! I've been fortunate enough that many of my family and friends have been happy enough to follow me.

But I don't disagree with you, Signal has a much more recognisable brand and better user experience. These are things that we need to improve if we're going to get anywhere near the level of adoption Signal has.

[–] [email protected] 9 points 3 months ago (1 children)

It's there for a reason. You can't easily create a spam waves if you need a phone number to create an account. And they added usernames now, so you don't need to share your phone number with people you want to talk to. It's just there to create an account and can be hidden after that.

There is Session, that uses UUIDs for names with no phone number requirement, which is basically a fork of Signal with decentralized Loki on top of it.

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

Isn't spoofing a phone number easy for scammers? If so, I don't understand why there is (admittedly) so little spam on Signal.

Does Signal require 2FA upon registration? (I cannot recall)

[–] [email protected] 3 points 3 months ago (1 children)

Spoofing just changes the displayed called/sender ID, not the actual number. They would still need real numbers for each account. And they block a lot of VoIP numbers, like most services these days. And getting carrier SIMs or e-SIMs is a not that easy.

No mandatory 2FA as far as I know.

[–] [email protected] 4 points 3 months ago

No mandatory 2FA as far as I know.

Then how is the authenticity of a number tested by Signal?

[–] [email protected] 7 points 3 months ago

And - gasp! - you can do it from your computer directly! No Android emulators, no inconvenient command-line client!

[–] [email protected] 11 points 3 months ago (3 children)

What about buying the cheapest SIM card in a convenience store and activate the service with it using a dumb phone?

[–] [email protected] 20 points 3 months ago (2 children)

That might work in most places, but there are countries that only sell pre-paid cards with ID registration.

[–] [email protected] 4 points 3 months ago (1 children)

Protip: in those countries, go to the tourist hot spots and walk into a SIM selling shop. Use a thick foreign accent.

There's always an industry for anon SIM cards for tourists.

[–] [email protected] 1 points 3 months ago (1 children)

That won't work in Australia. You can buy the SIM anywhere of course, you just can't activate it. You'll need proof of ID on line to do that.. There are only three operators (the rest are resellers). I am sure there are ways around it but not the one you suggest.

When I was last in NZ you didn't need ID must buy a SIM and good to go, not sjre thats still the case though?

[–] [email protected] 2 points 3 months ago

The way you work around it is the shop keeper probably uses their own ID. There's always a market for tourists

[–] [email protected] 0 points 3 months ago (1 children)

What about a virtual phone number?

[–] [email protected] 7 points 3 months ago

Not all of them work, and most require some details to create.

[–] [email protected] 13 points 3 months ago (1 children)

Usually those numbers fall back into the provider's pool after a time of not regular usage and get sold again, at least here in Europe.

[–] [email protected] 9 points 3 months ago (1 children)

The twist they've introduced in this article is they're using the registration lock feature, which means you have a signal pin enabled, so as long as the account doesn't go idle for 7 days even somebody who gets the phone number can't use signal.

[–] [email protected] 2 points 3 months ago (1 children)

7 days?!? Jesus can we get at least a few years?? Thats worse than WhatsApp's 2 weeks.

[–] [email protected] 5 points 3 months ago

The fundamental problem is the signal foundation sees the phone number as the identity. If you don't have control of the phone number, you don't really have control of the identity.

The good news is, they let you change your phone number and maintain your contacts. But if the phone number the account is currently registered to get assigned to somebody else and you don't change it, then you're playing the 7-day roulette

[–] [email protected] 4 points 3 months ago

It's fine for a temporary signal account, but if you let the number expire, then someone else gets assigned that number, and that new person wants to use Signal, they'll get your account.

They can't see your old messages, but they'll get any new ones instead of you.

[–] [email protected] 10 points 3 months ago (2 children)

Privacy ≠ Anonymity

Signal = Privacy

Signal ≠ Anonymity

Signal was made for privacy, not Anonymity.

If you need anonymity, don't use signal. It was never designed for this. There are tools specially made for anonymity. Look at simplex.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago)

I think anonymity is heavily coupled with privacy, if someone knows my account is linked to my phone number, that's a very strong form of fingerprinting. Even if E2E encryption is perfect, it takes one bad actor on the the reciever end of my message to both identify who I am through my phone number and leak my message. If just my message is leaked and there's no fingerprint leading to me, I am still safe. Real example: It took Proton leaking the IP address of a climate activist to the state to get them arrested, not a hole in their E2E mail encryption. A phone number is potentially an even stronger identifier.

[–] [email protected] 2 points 3 months ago (1 children)

If I asked 10 people to give me their home address, they're not going to care whether someone defines that as privacy or anonymity. But signal's reliance on phone number's (which are easily linked to your identity and home address in most countries) as the primary identifier means giving away just that.

Why do people feel the need to split hairs with these terms?

[–] [email protected] 1 points 3 months ago

Why do people feel the need to split hairs with these terms?

He's not splitting hairs. It's just a different value proposition. I don't like the phone number requirement either but it makes sense to your average normie who realizes SMS is exposed plaintext. Something like an anonymous seed phrase as the key to your account would confuse most people. Email would be an improvement but it's at best pseudonymous.

[–] [email protected] 3 points 3 months ago (1 children)

Why not just pay for a sim card in cash? Even if your phone number gets exposed it shouldn't be tied to your identity

[–] [email protected] 1 points 3 months ago

In some countries, you need an ID to buy a sim card, so it's linked to your identity, even if you pay cash.

[–] [email protected] 1 points 3 months ago

Wouldn't just using a temporary phone number service work? From what I remember, you just need to recieve a text message and put it into Signal during registration. From skimming through the post, there's no mention of this option.

[–] [email protected] 0 points 3 months ago (2 children)

And sometimes they don’t work at all (that was my experience when I tried using a Google Voice number to sign up for Signal).

I've been using a GV number with no problem all this time. 🤷🏻‍♂🤨

[–] [email protected] 4 points 3 months ago (1 children)

So what you're saying is that you don't have an anonymous signal account..

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

Sure. The point still stands that Signal does take GV numbers, so the article writer is wrong.

[–] [email protected] 0 points 3 months ago