Given that many users were dissatisfied with one-factor verification based on an SMS code, the developers of the well-known messenger added a second identity check factor. In this article, we discuss two-step verification in Telegram and how reliable it is in terms of users’ information security.
Until April 2015, a user could log in to the system by entering a code received in a text message, and there was no additional protection against unauthorized login. This meant that an intruder who intercepted the message sent to a client’s phone could gain access to his conversations. Although no mass cases of such hacks were recorded, the developers, headed by Pavel Durov, decided to eliminate this possibility.
With two-step verification in Telegram, a user can now set an additional password that must be entered when the application is opened on a new device. The SMS verification carried out at the first stage of logging in to the system remains in place.
Two-step login is carried out in the following way:
At first sight, this innovation is very useful for keeping information stored on Telegram servers safe. However, as practice has shown, an account can still be hacked despite the two verification factors. Here is how it works:
In fact, to neutralize two-step security it is enough to learn the SMS code sent to the victim’s phone number. The difference is in the final result: in this case the hacker gets access to an empty page, whereas hacking one-factor security allowed reading all conversations.
In April 2016, the Telegram accounts of Georgy Alburov (Anti-Corruption Foundation) and Oleg Kozlovskiy (the nonprofit organization “Vision of Tomorrow”) were hacked almost simultaneously. Notably, unauthorized access to their accounts was obtained after SMS reception and sending had been disabled on Alburov’s and Kozlovskiy’s smartphones. Representatives of the mobile network operator (MTS) later stated that their technical support team had not disabled the services on those phone numbers and that the communication problems had been caused by a virus attack.
Three months later, a similar incident happened to Sergey Parkhomenko, a Russian journalist. According to his account, he received text messages containing verification codes. When he tried to log in to his profile, the journalist was asked to sign in as if he were visiting the service for the first time. On opening his account, Sergey found that it had been reset and the entire message history deleted. Thus even two-step verification did not help, because the hackers had managed to obtain the necessary data from the mobile network operator.
If you want the system to request both the SMS code and a password when you log in to the application from a new device, carry out the following procedure:
This instruction applies to all Telegram platforms. To make sure the new settings have taken effect, try logging in to the messenger from another device. If the system requests a password after you enter the SMS code, authentication is working correctly.
The “Passcode” section appeared in one of the latest Telegram updates for iOS and Android. This option lets you protect opening the application with a code. The code may be a simple combination of 4 digits or a more complicated one containing letters and other symbols.
This protection is fairly flexible. A user can have the code requested every time Telegram is switched to, or activate it only when needed by tapping a special lock-shaped icon. The latter option is handy when you temporarily leave your phone unattended and there is a chance that a stranger could read your conversations.
There is also an auto-lock timer that locks the application and requests the code after a set period of inactivity. The available intervals are 1 and 5 minutes or 1 and 5 hours.
According to Pavel Durov, there were no problems with the messenger’s security; he laid the blame for the account hacks on MTS. Nevertheless, the support team temporarily disabled the option of resetting an active profile in case of a forgotten password. In other words, Durov effectively admitted the existence of the problem and promised to solve it as soon as possible in a more elegant manner.
As of the end of August 2016, account hacking is still possible: after obtaining the client’s SMS code, a hacker can reset the profile without entering the login password. Put differently, two-step verification does not work, or at least is not as secure as Telegram users want it to be.
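The weakness the article describes twice (first when explaining how two-step security is neutralized, and again in the closing paragraph) is that the account-reset path accepts the SMS code alone, while the normal login path demands the cloud password as well. The following model, added here as an illustration and not Telegram's code, replays both paths and the temporary mitigation the support team applied (disabling profile reset). Everything in it is constructed: the phone number, the password, the message history, the PBKDF2 hashing scheme, and the `LoginServer` class and its method names are assumptions for the model, not Telegram's API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """Constructed model of an account with an optional cloud password."""
    phone: str
    salt: bytes
    password_hash: Optional[bytes]            # None means two-step verification is off
    history: List[str] = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption for this model; the article does
    # not describe the real scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginServer:
    """Two-step login as the article describes it: SMS code first, password second."""

    def __init__(self, allow_reset: bool = True):
        self.accounts: Dict[str, Account] = {}
        self.pending_sms: Dict[str, str] = {}
        self.allow_reset = allow_reset        # the switch support temporarily turned off

    def create_account(self, phone: str, password: Optional[str], history: List[str]) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hash_password(password, salt) if password else None
        self.accounts[phone] = Account(phone, salt, pw_hash, list(history))

    def send_sms_code(self, phone: str) -> str:
        # Returned directly here; in reality it travels through the mobile operator,
        # which is exactly the link the article says was compromised.
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending_sms[phone] = code
        return code

    def _consume_sms(self, phone: str, code: str) -> bool:
        # Single-use code, compared in constant time.
        expected = self.pending_sms.pop(phone, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def login(self, phone: str, sms_code: str,
              password: Optional[str] = None) -> Tuple[str, Optional[List[str]]]:
        if not self._consume_sms(phone, sms_code):
            return "sms_rejected", None
        acct = self.accounts[phone]
        if acct.password_hash is None:
            return "ok", acct.history             # one-factor login (pre-April 2015 behaviour)
        if password is None:
            return "password_required", None     # second factor blocks a normal login
        if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return "password_rejected", None
        return "ok", acct.history

    def reset_account(self, phone: str, sms_code: str) -> Tuple[str, Optional[List[str]]]:
        # The weak path: the SMS code alone is accepted, the password is never asked for,
        # and the history is wiped, which is the "empty page" the article describes.
        if not self.allow_reset:
            return "reset_disabled", None
        if not self._consume_sms(phone, sms_code):
            return "sms_rejected", None
        acct = self.accounts[phone]
        acct.history.clear()
        acct.password_hash = None
        return "ok", acct.history


def run_scenarios() -> Dict[str, object]:
    """Replay the situations from the article and return the observed outcomes."""
    phone, password = "+70000000000", "correct horse battery staple"   # constructed
    messages = ["hello", "meet at 10"]                                  # constructed
    results: Dict[str, object] = {}

    srv = LoginServer(allow_reset=True)
    srv.create_account(phone, password, messages)
    # The owner knows both factors.
    results["owner_login"] = srv.login(phone, srv.send_sms_code(phone), password)[0]
    # Someone holding only the SMS code cannot pass the normal login...
    results["sms_only_login"] = srv.login(phone, srv.send_sms_code(phone))[0]
    # ...but the reset path accepts the SMS code alone and destroys the history.
    status, history = srv.reset_account(phone, srv.send_sms_code(phone))
    results["sms_only_reset"] = status
    results["history_after_reset"] = len(history or [])

    # With reset disabled (the temporary mitigation), the same request is refused.
    hardened = LoginServer(allow_reset=False)
    hardened.create_account(phone, password, messages)
    results["reset_when_disabled"] = hardened.reset_account(phone, hardened.send_sms_code(phone))[0]
    results["history_when_disabled"] = len(hardened.accounts[phone].history)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point the model makes is that the second factor only protects paths that actually check it: as long as a recovery flow can be completed with the SMS code alone, the effective strength of the account is that of the SMS channel, and the operator becomes the party to compromise. Disabling reset closes the path at the cost of locking out users who genuinely forget their password, which is why the article calls it a temporary measure.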