Signal PINs: Is Secure Messaging at Risk?
Two months ago, Signal (the well-known encrypted messenger) introduced a new feature that seems to contradict its ‘total security’ concept: storing your data in the cloud and providing access to it via PINs.
The team explains it as a wish to let users recover their data in case of “losing your phone to the toilet” and, in the future, to make registration even more secure by not requiring a phone number.
A quick reminder: Signal has been considered one of the most secure solutions for private communication because it didn’t collect much user data. So even when a court made requests, Signal wasn’t able to provide information.
But now all of the user’s profile information, contact list and some settings are stored on the company’s server, protected by a PIN.
What do cybersecurity experts say?
Cryptographers from Johns Hopkins University consider this Signal update a lousy decision: people are not used to PINs and most often choose PINs that are weak in terms of security. Signal uses a system of Intel SGX enclaves to keep the stored data safe. But, according to the cryptographers, it is not so secure and reliable: in case of an attack by an experienced hacker, the servers are under threat.
Other experts believe PINs are beneficial for users, as they allow them to migrate to a new device and keep their own data. In their view, this would enhance the security of user metadata and allow new features to be introduced. Eventually, users could stop depending on a phone number to log in. That’s certainly a good point.
What do Signal users say?
I’ve collected a couple of opinions from Reddit to understand what users think of the new update.
Some users are okay with the update and rely completely on the Signal team when it comes to the privacy of communication:
Others are puzzled, as trusting central servers doesn’t seem to them like the best decision ever:
That’s not surprising: it’s known that the best privacy and anonymity are provided only by decentralization, i.e. the absence of central servers where data is stored.
Privacy isn’t the only point of user dissatisfaction. Convenience of use is also on the line:
People don’t like being forced to use the PIN feature, as it’s inconvenient for them:
What can be done?
You have two options in the current situation:
1. Use a strong PIN to protect your account.
A convenient PIN is synonymous with the word “insecure,” as most often it is the owner’s year of birth, or a day plus a month, or something equally simple, which is just as easy to guess for someone who wants to steal your data. I know three methods to make a PIN strong:
- Historical date method. If you know history well, a random date will make a good PIN. For example, the date of the first human-crewed space flight is 1204 (April 12, 1961). You will definitely remember your PIN, and if you do forget it, you can easily reconstruct it from the date.
- PIN as a contact. You have several hundred contacts on your phone, so why not use one of their numbers as your secret PIN? It is most convenient to make the PIN out of the last four digits.
- Add the digits method. Take your year of birth, 1986 for example. Add 3 to each digit, keeping only the last digit of each sum (9 + 3 = 12 becomes 2), and you get 4219. This number no longer makes any sense either to you or to a potential thief in relation to you, but remembering the method of obtaining it is not difficult.
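As an added example (not from the article), a small Python check for the weak-PIN shapes described above (year, day+month, repeated digits, sequences), together with the “add the digits” method; the year range, the pattern list and the function names are my assumptions.

```python
import re
from datetime import date
from typing import List

# Assumption: a birth-year PIN plausibly falls in this range.
YEAR_RANGE = range(1900, date.today().year + 1)


def is_valid_mmdd(pin: str) -> bool:
    """True if the four digits parse as a calendar date in MMDD order."""
    try:
        date(2000, int(pin[:2]), int(pin[2:]))  # leap year, so 0229 counts
        return True
    except ValueError:
        return False


def is_valid_ddmm(pin: str) -> bool:
    """Same check for DDMM order."""
    return is_valid_mmdd(pin[2:] + pin[:2])


def weak_pin_reasons(pin: str) -> List[str]:
    """Return why a 4-digit PIN looks guessable; an empty list means no pattern found."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["not a 4-digit PIN"]
    reasons = []
    if int(pin) in YEAR_RANGE:
        reasons.append("looks like a year")
    if is_valid_mmdd(pin):
        reasons.append("looks like a date (MMDD)")
    if is_valid_ddmm(pin):
        reasons.append("looks like a date (DDMM)")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending/descending sequence")
    return reasons


def shift_digits(pin: str, k: int = 3) -> str:
    """The article's 'add the digits' method: add k to every digit, keep the ones place."""
    return "".join(str((int(c) + k) % 10) for c in pin)


if __name__ == "__main__":
    for candidate in ("1986", shift_digits("1986"), "1204", "1234"):
        print(candidate, weak_pin_reasons(candidate) or "no obvious pattern")
```

The check also flags the historical-date example 1204, because a pattern check cannot tell a birthday from a famous date; that method relies on the date not being personally linked to you.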
2. Switch to a decentralized messenger
This is the other option you have: use a messenger like Utopia, which doesn’t ask you to provide any personal information during registration at all and is completely decentralized.
Choose the right messenger and keep your right to privacy.