49 comments

[ 2.9 ms ] story [ 107 ms ] thread
Even if you have free SMS this probably also runs in the face of any "reasonable personal use" terms with your provider.
Do carriers not require a different plan for commercial use?
oh my god you are right. It's the perfect way to get your subscription suspended.
I’m not sure an additional ~5 texts a day (150/month) is likely to be considered excessive, but YMMV
In some countries, it would absolutely be.

SMS termination fees in some countries are on the order of a couple of cents per minute. Normal personal use involves sending as many messages as you receive, on average, so it balances out for the provider.

Sending 150 a month and receiving zero can easily make you an unprofitable customer. That's why T&Cs usually exclude such usage.

It's as ingenious as its reckless imo.
Avoiding both Telecom regulations across countries and avoiding SMS costs (this is one of Signal’s large expense-head as reference) is genius.
A much smarter (since it's both more secure and poses less of a risk to users doing the forwarding) way to solve the same problem is to use missed calls (the last n digits of the caller ID are the OTP code).

WhatsApp does that in some countries on Android (where there's an API to read caller IDs of incoming calls).

This is also supported by Telegram, as well as sending codes via email (in select countries), see https://core.telegram.org/api/auth#code-types for the full list of authentication methods (which are chosen by the server, depending on the country of the user and some other heuristics).
Very interesting, thank you!

"Future auth token" sounds scary: So clients just allow users to log back into the app without any authentication on devices they've used previously!?

If a 2FA password is configured, it is still required in order to login with a future auth token; however, even if it isn't set up, the fact that you have a future auth token means you have already logged in and then logged out on this specific device, so it's not a real issue (i.e. it's as if when logging out, you didn't actually log out but rather just hid the account in the UI, the future auth token is stored safely, in the same place as normal auth keys are + re-entering the 2FA password is still required).
But if no 2FA password is configured, does this mean that there is no way to truly log out of a given client?
It's absolutely bonkers to grant any app permission to this kind of information, even if the claimed use is legitimate. Just the normalization of that kind of access is causing damage to the overall security of the ecosystem.

We really, really need to come up with a better "proof-of-stake" mechanism standard for spam prevention and authentication, than abusing the legacy peering complexity of SMS/WWAN access.

>Telegram allows users to hide their phone numbers from strangers, but using your number as a relay could allow them to look up your Telegram account

You can disable discovery by phone number as well

>Then there is a massive issue of privacy, which allows strangers to look up your number and use it for spam and fraud.

They have info that this phone number exists and nothing else. Ok, also that the user uses telegram. Not much. This info can be reasonably used for spam with lots of numbers, not 150/month

Also I already trust sms to the centralized greedy third party usually acting against my interests called mobile phone operator. Now this also includes some random person and it suddenly becomes "privacy nightmare"

It's genius.

And finally my $1/month 50.000 free worldwide texts burner phone is earning some $$$. Well $$$$$ to be exact.

And that's why it won't be $1 in a few months. But you earned your buck, good job. Tragedy of the commons courtesy of telegram + not_me_ever
which provider are you using, out of curiosity?
In other words you're violating the provider's terms and conditions. I fully expect either you to get kicked out by them or the product to change.
I hope mobile apps can ditch phone number logins altogether.
this would solve so many problems! emails are perfect for that.
I don't think they can. User's contact list is such a sweet low hanging fruit.

I tried searching for anonymous chat app few years ago and the only thing I found was GG. Semi modern reincarnation of Polish chat app from times of ICQ.

It uses random numbers as your identifier.

So you didn’t find Tox, Briar, Jami, Session (just the first four off the top of my head that have been around since “a few years ago”. Not to mention anything XMPP)
Yup. I haven't found single one of those. And the last time I heard about XMPP was when google killed it in its communicator. And before that just Jabber on PC.

Out of the ones you mentioned Jami seems well done and full featured.

XMPP is alive and well and thriving, just not in the mass's consciousness. Google and Facebook dropping support for it, oh well. It works without them. It will work after the current round of commercial chat apps die off.
In telegram instead of using real mobile phone number you can buy pseudo-number on blockchain https://fragment.com/numbers. If you use tor and ton-wallet, that's not linked to your identity, this number will be fully anonymous

I guess they are not letting to use email because they will instantly be overrun by bots

What's the point of buying it from fragment (which is basically Telegram's way of using their scam currency) and spend at least €50 when you can just buy one for a few cents on websites such as smspva?
If only there was a way to use user identifiers other than phone numbers, and to accept payment for account creation without using the blockchain.
I thought that decentralized identity is one of the legit uses of blockchain. Why not? With that, you can potentially use same identity on different platform and don't worry about your identity being banned by your provider or just closing the whole platform (looking at you, google)
One of the purported use cases. I’m not aware of any successful implementation.
Seems like a security issue too. User could be phished from another user's number, or the user relaying messages can intercept OTP codes?
> Seems like a security issue too. User could be phished from another user's number

While this is an issue in theory, it's probably not that big of an issue in practice because you need to get lucky (ie. all of out of all the relays your phone has to be chosen). Depending how much telegram cares about security they can also implement countermeasures to frustrate this (eg. sending the codes in two parts from multiple numbers, so you need to get lucky twice rather than once; or switching to sending it themselves if too many codes are being requested and/or the login is otherwise high risk).

> or the user relaying messages can intercept OTP codes?

It definitely can be intercepted, especially if you have a rooted phone. Even barring that, at the very least you can intercept it at the cellular network level. This isn't as hard to pull off as you think, you don't need to set up a full blown MNVO, there are many IOT/M2M connectivity providers that allow you to set up a private network and arbitrarily route IP/SMS/voice.

SMS auth fraud, where malicious users aim to receive auth codes to premium rate numbers, is a huge problem. This pushes that problem on to users.
Numbers used for toll fraud are concentrated in certain countries/prefixes. Without knowing exactly what measures telegram is using to avoid toll fraud, it's impossible to know whether they're actually "pushing that problem onto users" and to what extent. The charitable interpretation is that they're doing only routing known low risk numbers to be sent by users (eg. +1 numbers corresponding to Canada/US is probably safe), or are sending the codes indiscriminately.
This is true, but their terms of service do say explicitly that they are not responsible for charges. Are they going to get it right in every region, in every number range? Is it even possible to distinguish between premium rate and regular rate in all parts of the world? It's really quite high risk for users.
> eg. +1 numbers corresponding to Canada/US is probably safe

Probably, until you consider that the NANP also includes some smaller countries, often served by a single incumbent telco, whose area codes have been involved in call pumping schemes before.

Are you absolutely sure your provider blocks these automatically and doesn't charge you horrendous sums per message there? If so, are you sure Telegram knows about the problem and has taken all the necessary precautions?

>Probably, until you consider that the NANP also includes some smaller countries, often served by a single incumbent telco, whose area codes have been involved in call pumping schemes before.

It doesn't seem too hard to have a whitelist of 3 digit area codes known to be a "safe" jurisdiction. You can just reference https://en.wikipedia.org/wiki/List_of_North_American_Numberi... and be done within an hour.

it's a really creative solution to sms delivery issues and high costs, but I think it's pretty clear that the issues here outweigh the benefits

glad it's opt-in, at least

Even its opt-in, you can still get exposed to it. Imagine receiving a otp from a user who has opt-in for this. Your number will be exposeed to that user.
In the wide open. I'm blown away. Normally it's so quiet the average person wouldn't know about it or how it "works".

I've once placed a call from a dodgy VoIP service and my call terminated into a MetroPCS "your account has been suspended for nonpayment" recording instead of actually routing anywhere. I suspect that call was routed in similar way...

The main risk here is not to the sender but to the receiver. Receiver gets an OTP code from some number, it works, then they associate this number with telegram. So if sender, sends some secondary SMS like "we detected an intrusion attempt, please secure your account by following [some scam link]" they can have high degree of success.
SMS sender IDs can be spoofed quite easily as far as I know, just like caller ID, so they were never a trusted channel – but of course most people don't know that, and it's definitely a worrying extra threat.
I remember reading an article (that I unfortunately can't find right now, maybe somebody here remembers it?) about this being provided as a service to third parties, and it ended up getting used by banks and other high-risk businesses.

The scheme was something like

- "Provide us SMS access in exchange for free in-game coins" (with or without disclosing that the goal was to send outgoing SMS)

- Resell that outbound SMS gateway for much cheaper than Twilio to various third parties

- Third-party buys the cheapest message route available and doesn't care how it can actually be that cheap

- Random people's mobile games end up serving SMS-OTPs for banks

Telegram is fantastic. Amazing new breakthroughs and business IQ. No other social media company comes close.
Definitely, also in terms of playing it fast and loose with bold security claims that the product falls very short of.

It is a noteworthy lesson on branding, marketing, and UX being valued much more highly than actual security by most users, though.

Their security has never been broken and has held up again foreign govts.
That we know of. Due to the security architecture, we have to take their word on it.