Telegram's Peer-to-Peer Login System is a Risky Way To Save $5 a Month
Telegram is offering a new way to earn a premium subscription free of charge: all you have to do is volunteer your phone number to relay one-time passwords (OTP) to other users. This, in fact, sounds like an awful idea -- particularly for a messaging service based around privacy. From a report: X user @AssembleDebug spotted details about the new program on the English-language version of a popular Russian-language Telegram information channel. Sure enough, there's a section in Telegram's terms of service outlining the new "Peer-to-Peer Login" or P2PL program, which is currently only offered on Android and in certain (unspecified) locations. By opting in to the program, you agree to let Telegram use your phone number to send up to 150 texts with OTPs to other users logging in to their accounts. Every month your number is used to send a minimum number of OTPs, you'll get a gift code for a one-month premium subscription. Boy does this sound like a bad idea, starting with the main issue: your phone number is seen by the recipient every time it's used to send an OTP.
Clever Cost Savings (Score:3)
Since sending these SMS messages is one of the largest costs for these services, this is a pretty clever cost savings.
Downside for user would be that spammers could use it to harvest active phone numbers, though frankly it's not that hard to get a list of active phone numbers these days without needing to slowly register more and more Telegram accounts which would each need a new number.
Re: (Score:2)
without needing to slowly register
Slowly?
Re: (Score:2)
Since sending these SMS messages is one of the largest costs for these services, this is a pretty clever cost savings.
Downside for user would be that spammers could use it to harvest active phone numbers, though frankly it's not that hard to get a list of active phone numbers these days without needing to slowly register more and more Telegram accounts which would each need a new number.
If a virtual number, such as Google Voice, can be used the whole spammer collection is not an issue as you have a burn #. I have a burner gmail account I use to sign up for some stuff and never open any messages I get. Not sure if you can send texts outside of the app, though.
Re: Clever Cost Savings (Score:3)
Boy does this sound like a bad idea, starting with the main issue: your phone number is seen by the recipient every time it's used to send an OTP.
Seriously? You think this is a problem?
So let's say Angelina Jolie signs up for this offer, and her cell phone number is used to send 150 Telegram users their OneTimePassword. So what? How will any of those 150 users know the (seemingly) random number that sent the OTP belongs to Ms. Jolie?
Do you really imagine phone number harvesters/spammers will create a Telegram account and repeatedly ask for OTP and record the number the OTP came from for some nefarious purpose?
It would be much, much easier to simply '
Re: (Score:2)
When a service provider texts me an update (like telling me my Rx is ready for pickup), it *never* occurs to me to try and find out where that number rings/whose number it is.
That's because it comes from an SMS gateway that doesn't have a real phone number. The phone number comes across as a 5- or 6-digit ID to that SMS gateway. That's what it looks like if you're "doing it right."
It's really obvious in basically any SMS app if it's a real phone number you're getting a message from, rather than an SMS gateway. Accordingly, it would also be trivial to set up a Google Voice (or some other VoIP-ish service that can receive SMS messages), and then script a loop to login / retrieve
Awful? More like catastrophic (Score:2)
If you give their app permission to send SMSs and someone hacks it, or it's got some special For Vlad's Eyes Only code squirrelled away in it, your phone is owned and you are utterly screwed. I can't imagine the kind of imbecile that would say yes to this.
Re: (Score:2)
Those sound like extremely implausible events. You're suggesting that someone might hack Telegram, have it send a 6 digit code and somehow sending this SMS will "own" your phone. Of all the things to worry about with this, your phone being hacked by it is not one of them.
Re: (Score:2)
Congrats on not understanding what I meant. Never mind, carry on...
Re: (Score:2)
Must be someone's inability to convey information...
Re: (Score:2)
Congrats on not understanding what I meant. Never mind, carry on...
The point is that it's unclear from your comment what additional risk to the user's phone is created by letting an app already installed on the user's phone send messages.
Your IF>THEN was
"if someone hacks it or it's got some special For Vlad's Eyes Only code squirrelled away in it your phone".
But if that is the case, your phone is already "owned and you are utterly screwed". The ability of the app to send SMS messages is of no significant further risk to YOUR phone. It's potentially a risk to other people'
Re: Awful? More like catastrophic (Score:2)
By opting in to the program, you agree to let Telegram use your phone number to send up to 150 texts with OTPs to other users logging in to their accounts.
They want to use your phone NUMBER, not your telephone - there is a difference.
and when telegram sms get flagged as spam by cell (Score:3)
And when Telegram SMS get flagged as spam by cell carriers for coming from many different numbers for something that should be on a short code or a small list of fixed full numbers?
Re: (Score:2)
And when Telegram SMS get flagged as spam by cell carriers for coming from many different numbers for something that should be on a short code or a small list of fixed full numbers?
(for the hard of attention span, the question was "what if the numbers get flagged as spam")
Then Telegram gets the ability to cut off random parts of the numbering plan from SMS, making internet messaging services more valuable and necessary. QED.
Re: and when telegram sms get flagged as spam by c (Score:2)
Your number will be used 150 times/month, 5x a day, give or take - that would have to be a very sensitive SPAM detector... oh, and let's not forget that, by definition, none of the messages sent in this program qualifies as spam, because someone has to request an OTP message to access their Telegram account.
stop code rules? (Score:2)
Now if the number you get this from does not take a stop command, that is bad, and what if you don't even have a Telegram account to remove your number from?
Re: stop code rules? (Score:2)
It's a one-time password sent in response to a request; it's not an on-going/recurring message. Why offer a 'STOP' option? The OTP has been sent/received. At best a 'stop' option would mean "never send me OTP even if I request it"; what's the point of that? It would be a form of DNR for your Telegram account!
XMPP (Score:2)
Someone other spammers uses it? (Score:2)
Privacy? (Score:3)
Re: (Score:1)
That is not true.
https://core.telegram.org/techfaq#q-how-does-server-client-encryption-work-in-mtproto
and
https://core.telegram.org/techfaq#encrypted-cdns
Re: Riddle me this (Score:3)
Re: (Score:3)
Same reason MS is more popular than Linux, McAfee is more popular than ... well, every other (and better) AV tool and so many others where the inferior product is more popular than a superior one: They spend their money on marketing rather than creating a good product, and that's what sells.
Re: (Score:1)
I use Telegram for getting front line news from the Russia/Ukraine war. That's about it.
I give it credit though, far better news from both sides than anything coming through the traditional news sources.
Would Google Voice work? (Score:2)
Pretty sure I get free SMS with it. And I could create a new number just to throw away.
Not that I care to get access to Telegram premium.
Why is this a bad idea? (Score:2)
Can someone explain what the actual risk is?