That risk is not just theoretical. I made a test account (on another service; not Signal) using a free anonymous SMS number. A few months later, the account had been hijacked.
Of course, if it’s a disposable account, then having it hijacked after you’re done with it might be a good thing.
Register a new account over that phone number.
They can’t get into any previous accounts register with that phone number.
They could potentially manage to find the pin if the previous user really used a guessable one, but then again, they won’t be able to check the previous messages and the linked owner of that account will be warned of that new connection.
I cant find any information that discusses the security risk. But it would seem that this transfering all content to the owner of the phone number is a standard feature.
So, maybe its not discussed because it doesn’t frequently happen.
It doesnt seem like a trustworthy way to ensure users content remains secure.
tl;dr the sms verification falls back to voice and they just used a payphone.
I guess if you count the airport full of cameras they went to to do this as “anonymous”, then sure :)
Just wear a face mask and sunglasses and hoodie when using the pay phone. That way you’ll blend-in and be anonymous
That risk is not just theoretical. I made a test account (on another service; not Signal) using a free anonymous SMS number. A few months later, the account had been hijacked.
Of course, if it’s a disposable account, then having it hijacked after you’re done with it might be a good thing.
Signal has account pins now so I don’t think the attack vector is as large as it used to be
They can’t “take over” your account, but they can “override” it and delete yours.
How can they override it?
Register a new account over that phone number. They can’t get into any previous accounts register with that phone number. They could potentially manage to find the pin if the previous user really used a guessable one, but then again, they won’t be able to check the previous messages and the linked owner of that account will be warned of that new connection.
I don’t think that’s possible with a registration lock unless you are inactive for longer than 7 days.
”It’s important to maintain control of this phone number."
I strongly feel that this is false.
Care to elaborate?
If someone trys to register with an existing number then it wont work if its already being used.
Got a source for that? There have already been multiple contradicting sources posted saying this isn’t true.
I cant find any information that discusses the security risk. But it would seem that this transfering all content to the owner of the phone number is a standard feature.
So, maybe its not discussed because it doesn’t frequently happen.
It doesnt seem like a trustworthy way to ensure users content remains secure.