>it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code
That's a thing?
If my number expires and gets reassigned to someone else, and they register for Signal, I'll get locked out of my account just like that?
And they'll start getting all the messages that were addressed to me?
It's not your account any more. The new owner gets "your" SMS and phone calls too. The identity is backed by the ownership of the number, not your person.
Importantly, the safety number will change since it's a new device. If you care about stuff like this, verify the new device out of band and distrust any unexpected changes. Most people don't care and they still see a huge improvement over plain SMS.
Though note that your message history is still private, as you have to manually export and import the local message history whenever you get a new device.
Services like Signal and WhatsApp can use 3P services that allow them to be notified when a phone number is rotated (given to a new user). They should ideally be doing this; I cannot verify if they are or not.
Second, Signal and other services have implemented secondary registration requirements such as a PIN, which they will require during a new device install or at other times.
Third, you can build models or crude business logic to identify when a number no longer appears used for a period of time. Carriers do not reassign a number immediately. Assigning a number that one user cancelled to another user is seldom done before a 90-day hibernation period.
Still, given that your number is used as a primary identifier, I'd avoid using it in that way for an extended amount of time. Among other things, I'm not sure if it's possible to re-register using just your phone number and PIN (but not access to SMS-OTPs on the associated phone number) in case you lose your own device, for example.
No, this is exactly the kind of thing registration lock is intended to address.
If you enabled Registration Lock, your account cannot be hijacked by SMS, provided you’ve been actively using your Signal account within the last week.
There’s an automated keep-alive for the case that you still have Signal installed but haven’t been sending/receiving any messages.
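
A simplified model of the registration rules described in this thread, added here as an example (it is not Signal's code and not written by any commenter). The `decide` function, the `Account` fields and the sample PIN are hypothetical; the 7-day and 90-day windows are the figures the comments give.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Both windows are the figures quoted in the thread, not values read from any server.
LOCK_WINDOW = timedelta(days=7)           # lock holds while the account was active "within the last week"
CARRIER_HIBERNATION = timedelta(days=90)  # usual delay before a carrier reassigns a number

@dataclass
class Account:
    pin: Optional[str]    # None means Registration Lock is off (plain text only in this toy model)
    last_seen: datetime   # refreshed by normal use or by the automated keep-alive

@dataclass
class Decision:
    allowed: bool
    reason: str
    safety_number_changes: bool  # contacts are warned whenever a new device takes over

def decide(acct: Optional[Account], now: datetime, sms_ok: bool,
           pin: Optional[str] = None) -> Decision:
    """Hypothetical server-side check for a registration attempt on a phone number."""
    if not sms_ok:
        return Decision(False, "sms_code_failed", False)
    if acct is None:
        return Decision(True, "new_account", False)
    lock_active = acct.pin is not None and now - acct.last_seen <= LOCK_WINDOW
    if lock_active:
        if pin is None or not hmac.compare_digest(pin, acct.pin):
            return Decision(False, "registration_lock", False)
        return Decision(True, "pin_verified", True)
    return Decision(True, "sms_only_takeover", True)

def scenarios() -> dict:
    """Constructed timeline: the owner was last online on 2024-01-01."""
    t0 = datetime(2024, 1, 1)
    locked, unlocked = Account("4821", t0), Account(None, t0)
    return {
        "sms intercepted on day 2, lock on": decide(locked, t0 + timedelta(days=2), True),
        "sms intercepted on day 2, lock off": decide(unlocked, t0 + timedelta(days=2), True),
        "owner, new phone, knows PIN": decide(locked, t0 + timedelta(days=2), True, "4821"),
        "number reassigned after hibernation": decide(locked, t0 + CARRIER_HIBERNATION, True),
    }

if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:38} -> {d}")
```

Because the lock window is much shorter than the carrier hibernation period, the last scenario is allowed: the lock blocks an SMS-only takeover of an active account, but it does not keep a lapsed number tied to its previous owner.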