How Secure are Messaging Services? - A Bit of Security for April 15, 2025
Secure messaging services are vulnerable – but there are things you can do. Listen to this -
https://youtu.be/PUyFspiAbsI
#cybersecuritytips #Signal #securemessaging #SMS #phonesecurity #BitofSec
Recent searches
Search options
#sms
0 posts0 participants0 posts today
Ellen 
#PSA: the #QUIK #SMS [app] has been updated, and it's way better than before.
I used to have problems with it because the pictures it sent via #MMS were of far poorer quality than the other programs I tried (including the #AOSP default Messaging app), but they seem to have fixed that.
They also have added a nice big button to trigger your phone's native dictation service (you can turn that off if you don't want it, or don't have one).
It has successfully replaced the proprietary SMS program I was using before, which makes me quite glad.
f-droid.orgQUIK SMS | F-Droid - Free and Open Source Android App RepositoryOpen source replacement to the stock SMS app on Android. A revival of QKSMS.
Continued thread
It has come to my attention that sending Mastodon links via text message are being filtered by either T-Mobile or Verizon.... Specifically, at least in this case, links to infosec.exchange ... I shared something with my family in a group SMS last night and no one received it. Today I'm with members of my family and have confirmed that any message with a infosec.exchange link does not go through but all messages without the link do - this involves messages of JUST the URL and ones with text and the URL. I also tried SMS to just my nephew with the URL and it disappeared into the void as well.
I use T-Mobile and the entirety of my family uses Verizon. I have not been able to test to another T-Mobile customer as of yet. I will test with other instance links in a bit.
One of our researchers recently received a text from an unknown number saying they were eligible to receive a full refund for an Amazon order. The message contained a link to a URL on t[.]co, Twitter/X's link shortener. Clicking the link led to the domain 267536[.]cc, which hosted an Amazon phishing page.
From this lead, we were able to find many more domains hosting the same content. The actor registering the domains seems to like .cc, the country code TLD for the Cocos Islands.
Sample of the domains:
236564[.]cc
267536[.]cc
671624[.]cc
687127[.]cc
319632[.]cc
Replied in thread
@ajsadauskas @JessTheUnstill also #BlackBerry's #PlayBook #Tablet was released as a accessory screen for their Phones, which gave it "#WiiU-Effect" in terms of marketing.
- Plus #RIM relying hard on business clients and their proprietary applianced mail systems and having big carriers upsell to business people made them look outdated & quite literally out of touch once #iPhone went mainstream.
I mean, the hardware was never their problem and #SMS-Typists swear by their #BlackberryCurve's #keyboard but BlackBerry's #toolchain - just like #SymbianOS's - was just hideous to the point that devs like @fuchsiii didn't even want to try making #Apps for those devices.
- Unlike #Mozilla fucking up #FirefoxOS by refusing to sell devices to #developers, by the time RIM & #Nokia came from their high horses, their market shares had been squeezed into mere "rounding errors" by #iOS and #Android as it was way cheaper and easier to get #Apps developed, tested, sold, bought and use them than on their devices.
#Sony even released some #Symbian #S60 devices but since they didn't have the same signing keys, one couldn't even #sideload apps (not to mention they didn't had the #OviStore on those either!)...
The #SMS Power! Competition 2025 has finally started! 
Let's check together each entry to this year's Coding category! 
(full list here: https://www.smspower.org/Competitions/Coding-2025 )
Continued thread
Why is this bad? The list of apps installed can reveal a lot about
your social status (allowing price gauging)
whether you owe money
whether you might be pregnant (Roe v. Wade)
…
And some try to get at your "important" #SMS, from banks etc.
https://www.aljazeera.com/economy/2023/12/25/the-dark-world-of-illegal-loan-apps-in-india
Al Jazeera · The dark world of illegal loan apps in India
Ça faisait longtemps que j'utilisais #SilenceIM pour lire/envoyer des #SMS sur #Android, alors que l'application n'est plus mise à jour depuis des années (avec des trucs amusants comme la copie intégrale des messages quand quelqu'un met une réaction émoji dessus 
) et que le nombre de personnes avec qui j'ai échangé des SMS chiffrés se comptent sur les doigts d'une main. Maintenant, les notifications ne fonctionnent plus donc je cherche une alternative #logicielLibre #viePrivée, si possible avec #chiffrement.
J'ai vu #FossifySMS, #QUIK et #DekuSMS (tous sur #Fdroid).
Vous avez des #avis / #conseils / #suggestions pour m'aider ?
Dug out the GP2X today.
I had some real fun with this ARM-based Linux-game console - wow - nearly 20 years ago! A little Montezuma's Revenge for the SMS shown running under emulation, here.
Such a fun device!
"Franse overheid voert phishingtest uit op 2,5 miljoen leerlingen"
https://www.security.nl/posting/881630/Franse+overheid+voert+phishingtest+uit+op+2%2C5+miljoen+leerlingen
KRANKZINNIG!
Het is meestal onmogelijk om nepberichten (e-mail, SMS, ChatApp, social media en papieren post - zie plaatje) betrouwbaar van echte te kunnen onderscheiden.
Tegen phishing en vooral nepwebsites is echter prima iets te doen, zoals ik vandaag nogmaals beschreef in https://security.nl/posting/881655.
(Big Tech en luie websitebeheerders willen dat niet, dus is en blijft het een enorm gevecht).
What happened to @silence ?
There are no updates available at @fdroidorg since 6 years and the website https://silence.im isn't working anymore.
It was a great encrypting app for #sms.
Without looking it up what’s the default text messaging app called on stock Android?
Please note I said default text messaging (ie. SMS/MMS etc) and stock (as in what Google Android Open Source Project and many other Google Play enabled phones run for their OS.
Gestern flatterte ein Brief ins Haus von einer dubiosen Firma, die sich als neuer Zahlungsdienstleister für die #Kreditkarte meine Frau ausgibt und will, dass wir irgendeine App runterladen und da sensible Daten eingeben.
Alle Alarmglocken an, erstmal recherchiert.
Ergebnis: Die Dienstleister der #Sparkasse sind tatsächlich unter dem Namen #qards fusioniert (@sparfindig hatte berichtet) und müssen aufgrund der neuen dritten Payment Service Directive #PSD3 (#EURichtlinie) u.a. sowas wie #ZweiFaktorAuth für #onlineShopping implementieren.
Weil wir die Kreditkarte selten nutzen und die Gattin nicht noch eine supersichere App (S-ID-App #SIDApp) installieren will, bekommt sie jetzt halt für 10ct ne #mTAN per #SMS aufs Handy.
Und das, obwohl das mTAN-Verfahren wohl schon mehrfach gehackt wurde. Wenn ich's richtig verstanden habe, waren dabei aber immer Trojaner auf Rechner und Handy im Spiel und die Betroffenen hatten keine Alarmglocken eingebaut, als sie ihre Daten fröhlich in irgendwelche Masken eingaben.
Das ist ein umfangreiches Referat, fast schon eine Hausarbeit, und ich kriege nicht mal ne gute Note dafür. Wäre schade, wenn das kurzzeitig agglomerierte Wissen einfach so abgehakt und vergessen würde. Also trööte ich es einfach hier hinein in der Hoffnung, dass es jemand nützt.
Tiens, je ne trouve point d'app Android libre pour envoyer des messages utilisant RCS au lieu de SMS 
Ça existe ?
Does anybody now about #RCS messages in #GrapheneOS?
RCS can be used instead of #SMS/MMS, but needs to be supported by network & devices on both ends (sender & receiver). There's a Google App (who would have guessed), but it would be better if it was supported by the built-in SMS app.
I couldn't find any option to enable it on #GOS & nothing relevant in their forums.
I know there's privacy issues to know about, but that's also true for SMS.
Any hints are appreciated. Boosts ok.
@GrapheneOS
Replied in thread
@lauren : in 2020 I wrote a "Secure SMS 2FA Proposal" (https://security.nl/posting/638976) - there's English and Dutch text.
The main idea is for the recipient to modify the received code using a shared secret, before entering it as the second factor.
Of course weak 2FA (without E2EE channel binding) is not phishing proof, but my proposal should prevent successful SIM-swap attacks (and redirecting calls and messages by manipulating the telco backbone as shown in https://www.youtube.com/watch?v=wVyu7NB7W6Y).
I cannot change anything in those postings anymore (and I'm in no way related to security.nl apart from being a regular -unpaid- contributor).
Feel free to pass this idea to your contacts at Google as an alternative to QR-codes - from which I fail to understand how they'd improve security. In fact, the unprotected channel from screen with QR-code to the camera recording it, allows for all kinds of (AitM) phishing attacks.
security.nlSecure SMS 2FA Proposal - Security.NL