This is due to phishing attacks and account takeover attempts, not due to the platform itself being insecure.
They state that Wire can be signed up with using an email instead of phone number, so it’s less likely that someone will know the validation account used to sign up.
Feels to me like it’s just a different attack vector. Maybe it’s harder to do attacks on Wire, but they didn’t really say that in this article.
My gut says it’s less attacked just cause it’s less used, not that it’s more secure. But I’m certainly willing to admit that I haven’t looked into Wire much.
Signal faces scrutiny following a series of phishing-based account hijackings. As previously reported, attackers impersonated Signal support staff to trick users into revealing registration codes and PINs, enabling them to re-register accounts on devices under their control. Signal clarified that its infrastructure and encryption were not compromised, attributing the incidents entirely to social engineering.
I got scammed therefore Signal insecure. Got it.
A lot of journalists got that wrong in initial reporting. But as an IT administrator you can see where they are coming from with their switch to another platform.
Signal is end user software, and a very good one at that. But it is no enterprise grade software. It lacks the management and policies needed for such user groups, which Wire seems to provide. Things like a mobile number as primary account handle spells ease and low entrance hurdle for end users, and a security problem for administrations.
The fractured nature of the IT in German politics is probably still keeping the attack surface alive. As outlined here by heise:
https://www.heise.de/en/background/Signal-attacks-Political-reality-bites-the-IT-admin-11279251.html
Politicians and bureaucrats shouldn’t be using it anyway. They should be using something centrally auditable. I have Signal, but I talk to my colleagues in Teams for a reason. I could actually get in some trouble for using a secure back channel that cannot be FOI’d.
Some governments use self-managed Rocket.Chat and similar.
Wire is still around? Tried it literally 10 years ago and didn’t like it at all.
How does being email-based instead of phone-number-based meaningfully help security? I would understand something like non-federated Matrix, where only approved users have accounts on your instance. Less phishing at the cost of convenience.
Yes, it’s a dumb idea. I imagine the idea is that you can tell if an email is from a government domain or not.
You can also run a Matrix site federated but fully private and get similar security with more features.
Seems the solution to spam is active filtering 🤔 locking the system down to a specific European company. Be interesting to see how that plays for them. Not to mention the non-availability of email addresses.
It’s an enigma why they chose it in the first instance.
They did not “choose” it as an official tool for internal communication. It was her private phone, with Signal installed by her. Besides that: phishing can happen on any platform, especially one that is available to the public. Signal is not the issue here and swapping email registration against verification by mobile phone number won’t solve anything.




