
How two-step verification secures users’ data in Telegram

2016-10-28 15:14:09
Given the dissatisfaction of many users with one-factor verification based on an SMS code, the developers of the well-known messenger added a second factor to the identity check. This article looks at two-step verification in Telegram and at how reliable it is in terms of protecting users' data.

Two data security factors

Until April 2015, a user logged in to the system simply by entering the code received by text message; there was no additional protection against unauthorized login. An attacker who could intercept the message sent to a victim's phone therefore gained access to all of that user's conversations. Although no mass hacks of this kind were recorded, the developers, headed by Pavel Durov, decided to close this gap.

With the introduction of two-step verification in Telegram, a user can now set an additional password that must be entered when the application is opened on a new device. The SMS verification performed at the first stage of login remains in place.

Two-step login proceeds as follows:
  1. When logging in to the application, the user enters their phone number.
  2. They then receive a text message with a verification code, which must be entered in the corresponding field.
  3. If the code is correct, the user is shown a field for the password (a combination of characters the user chose when enabling two-step verification).
  4. If the password is correct, the user gains access to the account.

Is two-step verification helpful when it comes to account hacking?

At first sight, this innovation looks very useful for keeping information safe on Telegram's servers. However, as practice has shown, an account can still be hijacked despite the two verification factors. Here is how it works:
  1. The attacker enters the victim's phone number and requests authentication.
  2. The victim receives a verification code, which becomes known to the attacker (one way the SMS can be intercepted is through the mobile network operator's technical support).
  3. The attacker enters the received digits and reaches the password entry page.
  4. Claiming to have forgotten the password, the attacker clicks the "Forgot password?" link and is told that a recovery code has been sent to the email address given during setup.
  5. Since the attacker cannot log in to the victim's email account, they click the "Having trouble accessing your email?" link, stating that they have problems with
  6. The system offers a full account reset that deletes all conversations. The attacker accepts and gains access to the victim's account, including the ability to send messages on the victim's behalf.
    In effect, to neutralize two-step protection it is enough to learn the SMS code sent to the victim's phone number: the recovery path reduces the whole scheme back to possession of that code. The difference lies in the outcome. Here the attacker ends up with an empty account, whereas breaking one-factor protection gave access to all conversations.
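To make that reduction concrete, below is a small Python model of the two-step login and of the reset path just described. It is an example added for this article, not Telegram's code. Everything in it is a constructed assumption: the server, the victim's account and messages, the "SMS" delivery (an outbox the attacker simply reads, standing in for interception at the operator), and PBKDF2 as a stand-in for Telegram's real password scheme. The one switch that matters, `allow_unverified_reset`, models the "Having trouble accessing your email?" path; running the model with it on and off shows why the attacker gets an empty account in one case and nothing in the other, and why the owner's password step holds either way.

```python
"""Model of Telegram's two-step login and the reset path described above.
Illustrative code written for this article, not Telegram's own: the server,
the victim account, the "SMS" outbox and the PBKDF2 hashing are all
constructed assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    phone: str
    salt: bytes
    password_hash: Optional[bytes]   # None means no two-step password is set
    recovery_email: Optional[str]    # present, but never checked on the reset path
    messages: list = field(default_factory=list)


@dataclass
class Session:
    phone: str
    messages: list                   # what the logged-in party can read
    history_wiped: bool


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for Telegram's real scheme, used only to avoid plaintext compares.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthServer:
    """Server side. allow_unverified_reset models the 'Having trouble accessing
    your email?' path: a full reset that needs nothing beyond a verified SMS code."""

    def __init__(self, allow_unverified_reset: bool) -> None:
        self.allow_unverified_reset = allow_unverified_reset
        self.accounts = {}
        self._pending_codes = {}
        self._sms_verified = set()
        self.sms_outbox = []         # (phone, code) pairs "delivered" to the handset

    def register(self, phone, password, email, messages) -> None:
        salt = os.urandom(16)
        self.accounts[phone] = Account(phone, salt, _hash_password(password, salt),
                                       email, list(messages))

    # Steps 1-2: phone number in, SMS code out.
    def request_code(self, phone: str) -> None:
        code = f"{secrets.randbelow(100_000):05d}"
        self._pending_codes[phone] = code
        self.sms_outbox.append((phone, code))

    def submit_code(self, phone: str, code: str) -> bool:
        expected = self._pending_codes.pop(phone, None)
        if expected is not None and hmac.compare_digest(expected, code):
            self._sms_verified.add(phone)
            return True
        return False

    # Steps 3-4: the two-step password, reachable only after a verified code.
    def submit_password(self, phone: str, password: str) -> Optional[Session]:
        acct = self.accounts[phone]
        if phone not in self._sms_verified or acct.password_hash is None:
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            return None
        self._sms_verified.discard(phone)
        return Session(phone, list(acct.messages), history_wiped=False)

    # "Forgot password?" followed by "Having trouble accessing your email?"
    def reset_without_email(self, phone: str) -> Optional[Session]:
        if phone not in self._sms_verified or not self.allow_unverified_reset:
            return None
        acct = self.accounts[phone]
        acct.messages.clear()        # the reset deletes every conversation
        acct.password_hash = None    # and drops the two-step password
        self._sms_verified.discard(phone)
        return Session(phone, [], history_wiped=True)


def owner_login(server: AuthServer, phone: str, password: str) -> Optional[Session]:
    """The legitimate owner: has the handset and knows the password."""
    server.request_code(phone)
    _, code = server.sms_outbox[-1]
    server.submit_code(phone, code)
    return server.submit_password(phone, password)


def attacker_takeover(server: AuthServer, victim_phone: str) -> Optional[Session]:
    """Attacker who can read the victim's SMS but knows neither the password
    nor the recovery mailbox, following steps 1-6 above."""
    server.request_code(victim_phone)
    _, code = server.sms_outbox[-1]  # the interception
    if not server.submit_code(victim_phone, code):
        return None
    guessed = server.submit_password(victim_phone, "password123")  # a guess
    if guessed is not None:
        return guessed               # only possible against a weak password
    return server.reset_without_email(victim_phone)


def demo(allow_unverified_reset: bool) -> dict:
    """Runs the owner's login and then the attack; returns what each party got."""
    server = AuthServer(allow_unverified_reset)
    victim = "+10000000000"          # constructed sample data
    server.register(victim, "correct horse battery staple",
                    "victim@example.org", ["hi", "meet at 5"])
    owner = owner_login(server, victim, "correct horse battery staple")
    attacker = attacker_takeover(server, victim)
    return {"owner": owner, "attacker": attacker,
            "messages_left": len(server.accounts[victim].messages)}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"reset without email allowed={flag}:", demo(flag))
```

With the reset path enabled, the attacker never learns the password, yet walks away with a session on a wiped account and the owner's history is gone; with it disabled, the same attacker is stopped at the password step and the history survives. The strength of a multi-factor login is that of its weakest recovery path, which is the point the article's walkthrough makes.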

Account reset cases involving well-known people

In April 2016, the Telegram accounts of Georgy Alburov (Anti-Corruption Foundation) and Oleg Kozlovskiy (the nonprofit organization "Vision of Tomorrow") were hacked almost simultaneously. Notably, the unauthorized access to their accounts followed the disabling of SMS sending and receiving on Alburov's and Kozlovskiy's phones. Representatives of the mobile network operator (MTS) later stated that their technical support team had not disabled the service on these numbers and that the connectivity problems had been caused by a virus attack.

Three months later, the same thing happened to Sergey Parkhomenko, a Russian journalist. According to him, he did receive the text messages containing the verification codes. When he tried to log in to his profile, he was asked to sign in as if he were using the service for the first time, and on opening the account he found that it had been reset and the entire message history deleted. So even two-step verification did not help, because the attackers had managed to obtain the necessary data from the mobile network operator.

Step-by-step instruction for setting up two-step verification in Telegram

If you want the system to request both the SMS code and a password when you log in to the application from a new device, do the following:
  1. Open Settings and select "Privacy and Security".
  2. In the "Security" subsection, find the "Two-Step Verification" line and tap it. One line below is the "Active Sessions" section, which is useful for viewing all sessions and closing those opened on other devices when the need arises.
  3. A page with a password entry field opens. Choose a combination that contains digits and both upper- and lower-case letters.
  4. After entering the password, confirm it so that typing mistakes are ruled out.
  5. To guard against forgetting it, the service offers to set a password hint that will point your memory in the right direction and help you recall the combination.
  6. Next, enter an email address, which is needed for the password recovery procedure. You may skip this step, but remember that it is then the only way to log in if you cannot recall the password even with the help of the hint.
  7. A link is then emailed to you to confirm the change. Click it and you will see a message that two-step verification is enabled for the account.
  These instructions apply to all Telegram platforms. To make sure the new settings have taken effect, try logging in to the messenger from another device: if the system asks for the password after you enter the SMS code, authentication is working correctly.

Additional “Passcode” option

The "Passcode" section appeared in one of the recent Telegram updates for iOS and Android. It lets you protect the opening of the application itself. The code can be either a simple 4-digit combination or a more complex one containing letters and other characters.

The implementation is quite flexible. A user can have the code requested every time Telegram is opened, or only on demand by tapping a lock-shaped icon. The latter is handy when you leave your phone unattended for a while and there is a chance that a stranger could read your conversations.

There is also an auto-lock timer, which locks the application and requests the code after a period of inactivity. The available intervals are 1 and 5 minutes, and 1 and 5 hours. Note that the passcode only locks the application on that device; it plays no part in the server-side login or reset flow described above.

Developers' reply

According to Pavel Durov, there was no problem with the messenger's security, and he placed the blame for the hacks on MTS. Nevertheless, the support team temporarily disabled the possibility of resetting an active profile when the password is forgotten. In other words, Durov effectively admitted that the problem existed and promised to solve it in a more elegant way as soon as possible.

As of the end of August 2016, account hacking is still possible: having obtained the user's SMS code, an attacker can reset the profile without the login password. Put differently, two-step verification either does not work or is not as secure as Telegram users would like it to be.