How to protect yourself from deanon in Telegram

Man

Salute to all, dear friends!

While Pavel Durov was criticizing WhatsApp security, Telegram user databases, including numbers and logins, managed to end up not only in the hands of security forces, but also on the darknet.

Looking up a mobile number by username has become a routine and not even very expensive task, leading to big problems for users.

Of course, not everyone links their personal SIM card to Telegram.
Let's say the dissident they want to track down bought a SIM card in a subway and never registered it in his name. How can his identity be established?

The first way is to establish where the SIM card was activated and from which device.
Each mobile device has an IMEI - a unique identifier, and when the SIM card is activated, it is transmitted to the operator. Using the IMEI, you can find out what other SIM cards were inserted into the device. Few, even the most ardent, advocates of anonymity throw the phone in the trash immediately after activation.

Even if the victim inserted the SIM card outside of their home, it will be checked what mobile devices were nearby at the time of activation. If a personal mobile phone was in their pocket and turned on at the time, or if it was turned off in the same place shortly before activating the anonymous SIM card, it is a failure.

The second way is billing, namely, to study how the purchased SIM card was replenished, what SMS came to it. Perhaps it was replenished through a street terminal placed under the cameras, and at that moment the person replenishing had his personal mobile phone turned on, or it was replenished from a personal electronic wallet, which is even better for identifying the person.

If we are talking about a rented virtual number, then the services that provide them, contrary to popular belief, are very willing to give out all the information. In recent years, they have been under serious pressure, including threats to disable the infrastructure. I had the opportunity to talk to one of the owners. He does not include work with complaints in the price of the number, otherwise the price would increase tenfold, and therefore the service gives out all available data upon request from law enforcement agencies of any country.

They earn money by offering to save on international calls, and renting a number for one-time SMS reception is, one might say, working at a loss. Although, if you have a reliable service that you can access via Tor, specify a disposable email, and where you pay with bitcoins, this is a good option.

But let's get back to the protests and Telegram.
When the topic of deanonymizing users received public attention, Telegram management added a new privacy setting, "Who can find me by number," where one of the options was "Nobody."

The "Nobody" option, or one big deception!

Telegram management responded with a new option to specify "Nobody" in the "Who can see my phone number" option. A brilliant solution that could solve all the problems of checking mobile numbers, but it was not so ... The "Nobody" option in its first implementation was a deception of users by Telegram. It still allowed anyone who had a phone number linked to this account to receive data about the Telegram account. Yes, you read it correctly: it was just smoke in the eyes.

Many people were shocked by this news at the time. After all, the number indicated in Telegram could still be obtained without any problems by both special services and criminals.

A little later, Telegram tightened the settings, allowing you to find by phone number only those who are added to the contact list on the target device.
I have fairly reliable information that this seriously complicated the work of checking the current number. The overwhelming majority of services offering this kind of service work with databases collected in early autumn 2019.

What definitely doesn't work

I would like to draw your attention to the fact that it is not enough to change your mobile number and username or not to use it at all. Each Telegram account has a permanent User ID, which the user cannot change. Many databases already contain User ID, which allows you to get a history of mobile numbers that were previously linked to the account and previously used usernames. Therefore, special services will always be able to get data on previous phone numbers linked to a specific User ID and check each of them. User ID changes only when you completely change your account. I recommend deleting your current account and registering a new one if maximum anonymity is important to you.

Here's another important point: some users do not activate privacy settings immediately after registering an account. Already an hour after registering an account, your data may end up in similar databases and further measures will be ineffective. Therefore, setting up security some time after registration is better than not setting it up at all, but it is not enough if you are seriously concerned about your anonymity. Attention: Security must be set up as quickly as possible after registering an account.

It gets more interesting: Singapore forums are actively discussing the topic of a mole planted in the Telegram support team, who can get the government the data they need upon request. Unfortunately, even in the absence of strong evidence, this cannot be ruled out. And in this case, even changing the account will not help; you need to change the phone along with the account.

What is worth doing

First of all, block Telegram access to contacts, this can be done in the settings of your device. For example, in iOS it looks like this.

In the data management settings, delete imported contacts and turn off contact syncing. You've probably heard this advice a million times.

In privacy settings > phone number, prevent anyone from seeing your phone number, and allow only those who are added to your contacts to search by phone number.

I also recommend that you stop using username and prohibit forwarding your messages. The main thing here is not to go to extremes and use this advice only if you do not need the options described.

Well, if the basic recommendations are not enough for you, buy a new device, register a new account in the Google/Apple app store. Then look for a virtual number rental service where you can pay with crypto and register with Tor, rent a virtual number there, and register a new Telegram account.

That's all. Take care of yourself ❤️
 

Security in Telegram 2024


Salute to all, dear friends!

Continuing our column for beginners, we would like to tell you about what you need to do to make communication in Telegram truly safe and private.

Despite the fact that the advice presented in the article will be as simple as possible, and for some of you even obvious, this is the maximum that can be done for your own safety in Telegram.

Let's get started!

1. Set up two-factor authentication and a password to log into Telegram

First, it is worth protecting your account from hijacking using two-factor authentication. Since the primary method of confirming your login to a Telegram account is a one-time code in an SMS (or in a Telegram message, provided that you have logged into this account on another of your devices), the messenger offers to set a password as the second factor.

To do this, in the Privacy tab, select Two-step verification (in Android) or Cloud password (in iOS) and set a reliable combination.
  • Settings > Privacy > Cloud Password (2-step verification)

2. Do not use your real name, surname, or photos

3. Set a ban on searching for a user by mobile phone number

  • Settings > Privacy > Phone Number

4. Set a ban on viewing your latest activity, as well as forwarding your messages, group invitations and calls to your account in the menu:

  • Settings > Privacy

5. Do not allow Telegram access to your geolocation, do not use the "people nearby" function

6. For confidential communication, use only "secret" chats

In current versions of Telegram apps, the option to create a “secret” chat is hidden quite deeply and is not so easy to find – especially for a novice user of the messenger.

To create a "secret" chat, you need to open your interlocutor's profile, click the button with three dots (sometimes it has the label More, and sometimes there is no label) and select Start secret chat.

After this, a chat will open, the messages in which will be encrypted with end-to-end encryption (at first, this will even be specifically written in the chat window).

You can also set a time after which your messages will be automatically deleted: to do this, click on the clock icon in the message input panel and select the interval.

7. Regularly clear your chat history, use auto-delete messages

8. Never follow external links or download files from unverified sources

9. Install and constantly use a VPN service (preferably one you set up yourself)

10. For chat administrators - set the anonymity of published messages

  • Chat Settings > Administrators > Anonymity

11. Leave comments on behalf of the channel

You can create a channel in Telegram and leave comments on channels on its behalf.

  • To do this, when writing a comment, click on your avatar to the left of the input field.

Telegram Security for the Most Cautious

The above tips should be enough for most users, but for the more cautious, we have a few more recommendations:
  • Use a separate phone number to log into Telegram. Or even a virtual phone number instead of your real mobile. However, be careful and make sure that this number is not a disposable one, otherwise someone else may gain access to your account.
  • When registering an account and using it, always use anonymization tools to hide your IP address - Telegram can report it, for example, at the request of law enforcement agencies.
  • Consider using another messenger that is more suitable for secure and private communication - for example, Session.