SMS termination fees in some countries are on the order of a couple of cents per minute. Normal personal use involves sending as many messages as you receive, on average, so it balances out for the provider.
Sending 150 a month and receiving zero can easily make you an unprofitable customer. That's why T&Cs usually exclude such usage.
A much smarter (since it's both more secure and poses less of a risk to users doing the forwarding) way to solve the same problem is to use missed calls (the last n digits of the caller ID are the OTP code).
WhatsApp does that in some countries on Android (where there's an API to read caller IDs of incoming calls).
This is also supported by Telegram, as well as sending codes via email (in select countries), see https://core.telegram.org/api/auth#code-types for the full list of authentication methods (which are chosen by the server, depending on the country of the user and some other heuristics).
If a 2FA password is configured, it is still required in order to login with a future auth token; however, even if it isn't set up, the fact that you have a future auth token means you have already logged in and then logged out on this specific device, so it's not a real issue (i.e. it's as if when logging out, you didn't actually log out but rather just hid the account in the UI, the future auth token is stored safely, in the same place as normal auth keys are + re-entering the 2FA password is still required).
It's absolutely bonkers to grant any app permission to this kind of information, even if the claimed use is legitimate. Just the normalization of that kind of access is causing damage to the overall security of the ecosystem.
We really, really need to come up with a better "proof-of-stake" mechanism standard for spam prevention and authentication, than abusing the legacy peering complexity of SMS/WWAN access.
>Telegram allows users to hide their phone numbers from strangers, but using your number as a relay could allow them to look up your Telegram account
You can disable discovery by phone number as well
>Then there is a massive issue of privacy, which allows strangers to look up your number and use it for spam and fraud.
They have info that this phone number exists and nothing else. Ok, also that the user uses telegram. Not much. This info can be reasonably used for spam with lots of numbers, not 150/month
Also I already trust sms to the centralized greedy third party usually acting against my interests called mobile phone operator. Now this also includes some random person and it suddenly becomes "privacy nightmare"
I don't think they can. User's contact list is such a sweet low hanging fruit.
I tried searching for anonymous chat app few years ago and the only thing I found was GG. Semi modern reincarnation of Polish chat app from times of ICQ.
So you didn’t find Tox, Briar, Jami, Session (just the first four off the top of my head that have been around since “a few years ago”. Not to mention anything XMPP)
Yup. I haven't found single one of those. And the last time I heard about XMPP was when google killed it in its communicator. And before that just Jabber on PC.
Out of the ones you mentioned Jami seems well done and full featured.
XMPP is alive and well and thriving, just not in the mass's consciousness. Google and Facebook dropping support for it, oh well. It works without them. It will work after the current round of commercial chat apps die off.
In telegram instead of using real mobile phone number you can buy pseudo-number on blockchain https://fragment.com/numbers. If you use tor and ton-wallet, that's not linked to your identity, this number will be fully anonymous
I guess they are not letting to use email because they will instantly be overrun by bots
What's the point of buying it from fragment (which is basically Telegram's way of using their scam currency) and spend at least €50 when you can just buy one for a few cents on websites such as smspva?
I thought that decentralized identity is one of the legit uses of blockchain. Why not? With that, you can potentially use same identity on different platform and don't worry about your identity being banned by your provider or just closing the whole platform (looking at you, google)
> Seems like a security issue too. User could be phished from another user's number
While this is an issue in theory, it's probably not that big of an issue in practice because you need to get lucky (ie. all of out of all the relays your phone has to be chosen). Depending how much telegram cares about security they can also implement countermeasures to frustrate this (eg. sending the codes in two parts from multiple numbers, so you need to get lucky twice rather than once; or switching to sending it themselves if too many codes are being requested and/or the login is otherwise high risk).
> or the user relaying messages can intercept OTP codes?
It definitely can be intercepted, especially if you have a rooted phone. Even barring that, at the very least you can intercept it at the cellular network level. This isn't as hard to pull off as you think, you don't need to set up a full blown MNVO, there are many IOT/M2M connectivity providers that allow you to set up a private network and arbitrarily route IP/SMS/voice.
Numbers used for toll fraud are concentrated in certain countries/prefixes. Without knowing exactly what measures telegram is using to avoid toll fraud, it's impossible to know whether they're actually "pushing that problem onto users" and to what extent. The charitable interpretation is that they're doing only routing known low risk numbers to be sent by users (eg. +1 numbers corresponding to Canada/US is probably safe), or are sending the codes indiscriminately.
This is true, but their terms of service do say explicitly that they are not responsible for charges. Are they going to get it right in every region, in every number range? Is it even possible to distinguish between premium rate and regular rate in all parts of the world? It's really quite high risk for users.
> eg. +1 numbers corresponding to Canada/US is probably safe
Probably, until you consider that the NANP also includes some smaller countries, often served by a single incumbent telco, whose area codes have been involved in call pumping schemes before.
Are you absolutely sure your provider blocks these automatically and doesn't charge you horrendous sums per message there? If so, are you sure Telegram knows about the problem and has taken all the necessary precautions?
>Probably, until you consider that the NANP also includes some smaller countries, often served by a single incumbent telco, whose area codes have been involved in call pumping schemes before.
Even its opt-in, you can still get exposed to it. Imagine receiving a otp from a user who has opt-in for this. Your number will be exposeed to that user.
In the wide open. I'm blown away. Normally it's so quiet the average person wouldn't know about it or how it "works".
I've once placed a call from a dodgy VoIP service and my call terminated into a MetroPCS "your account has been suspended for nonpayment" recording instead of actually routing anywhere. I suspect that call was routed in similar way...
The main risk here is not to the sender but to the receiver. Receiver gets an OTP code from some number, it works, then they associate this number with telegram. So if sender, sends some secondary SMS like "we detected an intrusion attempt, please secure your account by following [some scam link]" they can have high degree of success.
SMS sender IDs can be spoofed quite easily as far as I know, just like caller ID, so they were never a trusted channel – but of course most people don't know that, and it's definitely a worrying extra threat.
I remember reading an article (that I unfortunately can't find right now, maybe somebody here remembers it?) about this being provided as a service to third parties, and it ended up getting used by banks and other high-risk businesses.
The scheme was something like
- "Provide us SMS access in exchange for free in-game coins" (with or without disclosing that the goal was to send outgoing SMS)
- Resell that outbound SMS gateway for much cheaper than Twilio to various third parties
- Third-party buys the cheapest message route available and doesn't care how it can actually be that cheap
- Random people's mobile games end up serving SMS-OTPs for banks
49 comments
[ 2.9 ms ] story [ 107 ms ] threadSMS termination fees in some countries are on the order of a couple of cents per minute. Normal personal use involves sending as many messages as you receive, on average, so it balances out for the provider.
Sending 150 a month and receiving zero can easily make you an unprofitable customer. That's why T&Cs usually exclude such usage.
WhatsApp does that in some countries on Android (where there's an API to read caller IDs of incoming calls).
"Future auth token" sounds scary: So clients just allow users to log back into the app without any authentication on devices they've used previously!?
We really, really need to come up with a better "proof-of-stake" mechanism standard for spam prevention and authentication, than abusing the legacy peering complexity of SMS/WWAN access.
You can disable discovery by phone number as well
>Then there is a massive issue of privacy, which allows strangers to look up your number and use it for spam and fraud.
They have info that this phone number exists and nothing else. Ok, also that the user uses telegram. Not much. This info can be reasonably used for spam with lots of numbers, not 150/month
Also I already trust sms to the centralized greedy third party usually acting against my interests called mobile phone operator. Now this also includes some random person and it suddenly becomes "privacy nightmare"
And finally my $1/month 50.000 free worldwide texts burner phone is earning some $$$. Well $$$$$ to be exact.
I tried searching for anonymous chat app few years ago and the only thing I found was GG. Semi modern reincarnation of Polish chat app from times of ICQ.
It uses random numbers as your identifier.
Out of the ones you mentioned Jami seems well done and full featured.
I guess they are not letting to use email because they will instantly be overrun by bots
While this is an issue in theory, it's probably not that big of an issue in practice because you need to get lucky (ie. all of out of all the relays your phone has to be chosen). Depending how much telegram cares about security they can also implement countermeasures to frustrate this (eg. sending the codes in two parts from multiple numbers, so you need to get lucky twice rather than once; or switching to sending it themselves if too many codes are being requested and/or the login is otherwise high risk).
> or the user relaying messages can intercept OTP codes?
It definitely can be intercepted, especially if you have a rooted phone. Even barring that, at the very least you can intercept it at the cellular network level. This isn't as hard to pull off as you think, you don't need to set up a full blown MNVO, there are many IOT/M2M connectivity providers that allow you to set up a private network and arbitrarily route IP/SMS/voice.
Probably, until you consider that the NANP also includes some smaller countries, often served by a single incumbent telco, whose area codes have been involved in call pumping schemes before.
Are you absolutely sure your provider blocks these automatically and doesn't charge you horrendous sums per message there? If so, are you sure Telegram knows about the problem and has taken all the necessary precautions?
It doesn't seem too hard to have a whitelist of 3 digit area codes known to be a "safe" jurisdiction. You can just reference https://en.wikipedia.org/wiki/List_of_North_American_Numberi... and be done within an hour.
glad it's opt-in, at least
I've once placed a call from a dodgy VoIP service and my call terminated into a MetroPCS "your account has been suspended for nonpayment" recording instead of actually routing anywhere. I suspect that call was routed in similar way...
The scheme was something like
- "Provide us SMS access in exchange for free in-game coins" (with or without disclosing that the goal was to send outgoing SMS)
- Resell that outbound SMS gateway for much cheaper than Twilio to various third parties
- Third-party buys the cheapest message route available and doesn't care how it can actually be that cheap
- Random people's mobile games end up serving SMS-OTPs for banks
It is a noteworthy lesson on branding, marketing, and UX being valued much more highly than actual security by most users, though.