Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Privacy

Telegram's Peer-to-Peer Login System is a Risky Way To Save $5 a Month 32

Telegram is offering a new way to earn a premium subscription free of charge: all you have to do is volunteer your phone number to relay one-time passwords (OTP) to other users. This, in fact, sounds like an awful idea -- particularly for a messaging service based around privacy. From a report: X user @AssembleDebug spotted details about the new program on the English-language version of a popular Russian-language Telegram information channel. Sure enough, there's a section in Telegram's terms of service outlining the new "Peer-to-Peer Login" or P2PL program, which is currently only offered on Android and in certain (unspecified) locations. By opting in to the program, you agree to let Telegram use your phone number to send up to 150 texts with OTPs to other users logging in to their accounts. Every month your number is used to send a minimum number of OTPs, you'll get a gift code for a one-month premium subscription. Boy does this sound like a bad idea, starting with the main issue: your phone number is seen by the recipient every time it's used to send an OTP.
This discussion has been archived. No new comments can be posted.

Telegram's Peer-to-Peer Login System is a Risky Way To Save $5 a Month

Comments Filter:
  • by Ksevio ( 865461 ) on Tuesday March 26, 2024 @09:45AM (#64345899) Homepage

    Since sending these SMS messages is one of the largest costs for these services, this is a pretty clever cost savings.

    Downside for user would spammers could use it to harvest active phone numbers, though frankly it's not that hard to get a list of active phone numbers these days without needing to slowly register more and more telegram accounts which would each need a new number.

    • without needing to slowly register

      Slowly?

    • Since sending these SMS messages is one of the largest costs for these services, this is a pretty clever cost savings.

      Downside for user would spammers could use it to harvest active phone numbers, though frankly it's not that hard to get a list of active phone numbers these days without needing to slowly register more and more telegram accounts which would each need a new number.

      If a virtual number, such as Google Voice, can be used the whole spammer collection is not an issue as you have a burn #. I have a burner gmail account I use to sign up for some stuff and never open any messages I get. Not sure if you can send texts outside of the app, though.

    • Boy does this sound like a bad idea, starting with the main issue: your phone number is seen by the recipient every time it's used to send an OTP.

      Seriously? You think this is a problem?

      So let's say Angelina Jolie signs up for this offer, and her cell phone number is used to send 150 Telegram users their OneTimePassword. So what? How will any of those 150 users know the (seemingly) random number that sent the OTP belongs to Ms. Jolie?

      Do you really imagine phone number harvesters/spammers will create a Telegram account and repeatedly ask for OTP and record the number the OTP came from for some nefarious purpose?

      It would be much, much easier to simply '

      • When a service provider texts me an update (like telling me my Rx is ready for pickup), it *never* occurs to me to try and find out where that number rings/whose number it is.

        That's because it comes from an SMS gateway that doesn't have a real phone number. The phone number comes across as a 5- or 6-digit ID to that SMS gateway. That's what it looks like if you're "doing it right."

        It's really obvious in basically any SMS app if it's a real phone number you're getting a message from, rather than a SMS gateway. Accordingly, it would also be trivial to set up a Google Voice (or some other VoIP-ish service that can receive SMS messages), and then script a loop to login / retrieve

  • If you give their app permission to send SMSs and someone hacks it or its got some special For Vlads Eyes Only code squirrelled away in it your phone is owned and you are utterly screwed. I can't imagine the kind of imbecile that would say yes to this.

    • by Ksevio ( 865461 )

      Those sound extremely implausible events. You're suggesting that someone might hack telegram, have it send a 6 digit code and somehow sending this SMS will "own" your phone. Of all the things to worry about with this, your phone being hacked by it is not one of them.

      • by Viol8 ( 599362 )

        Congrats on not understanding what I meant. Never mind, carry on...

        • Must be someone's inability to convey information...

        • Congrats on not understanding what I meant. Never mind, carry on...

          The point is that it's unclear from your comment what additional risk to the user's phone is created by letting an app already installed on the user's phone send messages.

          Your IF>THEN was
          "if someone hacks it or its got some special For Vlads Eyes Only code squirrelled away in it your phone".
          But if that is the case, your phone is already "owned and you are utterly screwed". The ability of the app to send SMS messages is of no significant further risk to YOUR phone. It's potentially a risk to other people'

    • By opting in to the program, you agree to let Telegram use your phone number to send up to 150 texts with OTPs to other users logging in to their accounts.

      They want to use your phone NUMBER, not your telephone - there is a difference.

  • and when telegram sms get flagged as spam by cell carriers for coming from many differnt numbers for something that should be on an short code or an small list of fixed full numbers?

    • and when telegram sms get flagged as spam by cell carriers for coming from many differnt numbers for something that should be on an short code or an small list of fixed full numbers?

      (for the hard of attention span, the question was "what if the numbers get flagged as spam")

      Then telegram gets the ability to cut off random parts of the numbering plan from SMS making internet messaging services more valuable and necessary. QED.

    • Your number will be used 150 times/month, 5x a day, give or take - that would have to be a very sensitive SPAM detector... oh, and let's not forget that, by definition, none of the messages sent in this program qualifies as spam, because someone has to request an OTP message to access their Telegram account.

  • Now if the number you get this from does not take an stop command that is bad and what if you don't even have an telegram account to remove your number from?

    • It a one-time password sent in response to a request, it's not an on-going/recurring message, why offer 'STOP' option, the OTP has been sent/received, at best a 'stop' option would mean "never send me OTP even if I request it", what's the point of that? It would be a form of DNR for your Telegram account!

  • Can we just collectively switch back to Jabber already? Telegram, Discord and Slack are clearly downgrades.
  • Five crisp American dollars. But then how will Blad afford his bodka?
  • by Artem S. Tashkinov ( 764309 ) on Tuesday March 26, 2024 @10:29AM (#64346027) Homepage
    Aside from encrypted p2p chats most people don't even know exist, Telegram is not about privacy, it's quite the opposite: your entire messaging history is stored unencrypted on Telegram's own servers, available to anyone with enough power or credentials.
    • by pain ( 18144 )

      That is not true.

      https://core.telegram.org/techfaq#q-how-does-server-client-encryption-work-in-mtproto
      and
      https://core.telegram.org/techfaq#encrypted-cdns

  • Pretty sure I get free SMS with it. And I could create a new number just to throw away.

    Not that I care to get access to Telegram premium.

  • Can someone explain what the actual risk is?

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...