by Micah Lee, The Intercept:
JUST A FEW years ago, sending encrypted messages was a challenge. Just to get started, you had to spend hours following along with jargon-filled tutorials, or be lucky enough to find a nerd friend to teach you. The few that survived this process quickly hit a second barrier: They could only encrypt with others who had already jumped through the same hoops. So even after someone finally set up encrypted email, they couldn’t use it with most of the people they wanted to send encrypted emails to.
The situation is much better today. A number of popular apps have come along that make encryption as easy as texting. Among the most secure is Signal, open-source software for iOS and Android that has caught on among activists, journalists, and others who do sensitive work. And probably the most popular is WhatsApp, a Facebook-owned platform with encryption setup derived from Signal. For me, the spread of encrypted chat apps means that, with very few exceptions, all of my text messages — with friends, family, or for work — are end-to-end encrypted, and no one even has to understand what a “public key” is.
But there is a major issue with both Signal and WhatsApp: Your account is tied to your phone number.
This makes these apps really easy to use, since there are no usernames or passwords to deal with. It also makes it easy to discover other app users; if someone is a contact in your phone and has the app installed, you can send them encrypted texts with no further effort.
But it also means that if you want people to be able to send you messages securely, you need to hand out your phone number. This puts people who interact with the public in an awkward bind: Is the ability for strangers to contact you securely worth publishing your private phone number?
In this article I explain how to create a second Signal number that is safe to publish on your Twitter bio and business cards, so strangers have an easy way to contact you securely, while your primary phone number remains private. I explain how to obtain a second phone number, how to register it with the Signal server, and how to configure it to use Signal Desktop — even if you’re already using Signal Desktop with your private phone number. I will focus on Signal rather than WhatsApp for reasons I’ll explain further down (basically, WhatsApp appears to block non-cellular phone numbers that make all this possible with Signal).
Why Wouldn’t You Want to Publish Your Phone Number?
WHEN YOU GIVE out your phone number, you risk opening yourself up to abuse. As freedom of expression activist Jillian York wrote on her personal blog, “As a woman, handing out my phone number to a stranger creates a moderate risk: What if he calls me in the middle of the night? What if he harasses me over SMS? What if I have to change my number to get away from him?”
If you’re a public figure, and especially if you’re a woman or person of color, you’re probably used to sexist or racist jerks yelling slurs and threats at you on Twitter, Facebook, and in the comments section under the articles you write. Publishing your private phone number could make this problem worse and could make these people harder to mute.
It could also open up your online accounts to attack. Last year, someone hacked racial justice activist DeRay Mckesson’s Twitter and email accounts by taking over his phone number. The hacker called Verizon and, impersonating Mckesson, asked to change the SIM card associated with his phone number to a new one that they controlled, so they could receive SMS messages sent to his phone number.
By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray mckesson (@deray) June 10, 2016
Having a unique public number just for Signal could mitigate this sort of attack; it’s harder for a hacker to hijack the number that’s tied to your Twitter and email accounts if they don’t know it in the first place.
(If an attacker takes control of your phone number, like they did with Mckesson, they could also take over your Signal account. If someone did this to your friend, you’d see a “safety number changed” warning in Signal — the same message you see when a friend gets a new phone. If you ignore this warning and text them anyway, you’ll actually be texting the attacker. You can verify safety numbers to confirm that your Signal app is encrypting messages to your friend’s phone, and not to some attacker’s phone.)
How to Obtain a Second Phone Number
WHEN YOU OPEN the Signal app for the first time and type in your phone number, here’s what happens:
- The Signal service tries sending an SMS message with a verification code to your phone number. If you can receive that message or the app can receive it directly, and the message contains the correct code, then the app successfully registers the account.
- If you can’t receive the verification message, Signal gives you the option to try a voice call instead. In this case, the Signal service tries calling your phone number. When you answer, a robot voice tells you a verification code, and you can type it into the app. If you type the correct code, the app registers the account.