Getting unsolicited SMS verification codes
We have covered the launch of the awesome Telegram app for iOS and the first steps to set it up. The free messenger for the technically inclined has been designed with strong security measures that helped me keep my account secure when someone tried to log in and take it over from another device. This weekend someone tried to hijack my account, and this is how Telegram stopped it.
Mobile messengers and chat apps such as WhatsApp, Viber, Line and Telegram use your mobile number as part of the account information you need to start using the service. On the ease-of-use front, this means you never have to sign up by choosing a username and password and giving an email address, which is the usual method on the web.
On the security front, this means the service already has a mobile number to use as a second-step verification tool, something Google and Facebook have been trying to implement for a long time with users who worry about giving away too much information about themselves. The basic idea is that if one day you forget your password, you can reset it with some information sent to your mobile phone via SMS instead of a reset link sent to your email account, which could be compromised.
Privacy of the SMS verification code
The issue with using your telephone number is that it is not a particularly private piece of information. Anyone from your parents to a plumber you called three years ago might have it. Since the verification code is sent via SMS, it will appear as a new text message on the home screen of a locked device unless you have already changed how your phone displays message notifications.
To log on to Telegram from a new device or app, the service asks for the mobile number associated with the account and the verification code sent to your phone, to confirm it's really you doing this. When I start receiving several text messages from Telegram giving new verification codes, I realise what's going on. Could it be that someone is typing their own phone number incorrectly and it happens to be the same as mine? Or worse... maybe I forgot to blur my own telephone number on the screenshots for my Telegram review! Either the system has decided to send new codes randomly or someone has tried to use my mobile number to use Telegram on another device. When I receive a call from Telegram, I know this is a serious attempt to hijack my account. Further conversations with their tech support confirmed the rogue attempts to log in, using incorrect verification codes, that afternoon.
Fortunately, on this occasion I realised what was going on and I had the luck to get in touch with Telegram very quickly to clarify the situation. If you face a similar situation, and even if someone gains access to your Telegram account on another app, there is a panic button to revoke access for all sessions but yours.
On the Telegram iOS app, you need to navigate to Settings → Chat Settings → scroll down to Security → Terminate all other sessions. This will log out all devices except yours. Depending on the client the other person is using, any chat history that was downloaded if they managed to log in, including the private encrypted chats, will stay on their machine. No new messages will appear, but there is no way to remotely wipe out the information they have already got.
I'm hoping Telegram pushes some API to be able to delete this information when the user taps on the panic mode, and that third-party developers begin integrating it into their applications.