The Anti-virus Times

Thursday, September 8, 2022

Instant messengers are used everywhere. In the world's largest companies, employees have long switched to instant messengers because this is convenient, fast and relatively safe. Why relatively? By default, many people believe that no one really needs their data and that a messenger account is unlikely to be stolen. Of course, this is a misconception. In today's issue of the Anti-virus Times, we will discuss the security of instant messengers and show the results of our security analysis of the most popular messengers.

Principal messenger security criteria

It is impossible to say unequivocally which messenger is safe to use and which is not. There exist many factors that only in aggregate allow users to judge a product’s security.

First, users should pay attention to the messenger’s privacy policy. You probably remember the recent story about WhatsApp, when users refused en masse to use the messenger as a protest against the forced change in data storage methods. In short: Facebook bought WhatsApp in 2014, and seven years later, they proposed legalising the exchange of social network users’ personal information with a subsidiary, that is, with the messenger. In fact, it turned out that the new privacy policy only affected business accounts, which means that nothing changed for most users.

In addition, it is important to know whether a messenger uses end-to-end encryption. This is a method of transmitting data when only a conversation’s participants can read the message. The message is sent encrypted, and it will be decrypted only on the recipient's device. End-to-end encryption is used in all messengers that claim to be the most secure. However, there are some nuances: in Telegram, this feature is disabled by default and for secure communication, users need to start a "secret chat". All the other popular messengers like Viber or WhatsApp also support end-to-end encryption for both messages and calls.

Of course, the amount of information required for registration is also important. The simple rule “the less, the better” works in this case, but in the meantime, popular messengers usually require a phone number and SMS confirmation. However, no one forbids the use of a virtual number for registration.

Security nuances

There also exist many minor factors that can be used to characterise a messenger as being secure. For example, how often data leaks occur, whether two-factor authentication is provided, whether correspondence is stored on a server, etc.

If you really want to use the safest messenger, you should not just pay attention to the most popular products. At some point, you may have heard about Wickr Me. This messenger allows users to maintain the privacy of their correspondence, so it is very popular in a criminal environment. But, even the alleged high level of its security does not guarantee users complete anonymity. Law enforcement officials regularly conduct operations to “recruit drug dealers” and “stop the trafficking of illicit substances”, resulting in the neutralisation of thousands of potential criminals per year, even despite the use of what is seemingly one of the most secure messengers.

There is another nuance that we have not mentioned: any messenger is relatively secure exactly for as long as you know who is on the other side of the screen. The person you are writing to may have had their phone stolen, and now you are communicating with a cybercriminal or another front person. Such a development is impossible to predict, but its probability should be kept in mind.

Where our data goes and how to avoid this

First, you need to determine who can collect the data, what kind of data they can collect, and where they can collect it. “Who” means law enforcement agencies if you engage in illegal activities, or, more often, intruders. Data is leaked regularly, and it is unlikely that the consequences will be completely eliminated.

However, most messenger "leaks" occur due to the reckless actions of users. For example, in summer 2021, there was a massive data leak of Telegram user data. Victims took advantage of the ‘Eye of God’ Telegram bot, which, upon request, allows its users to receive the personal data of any account in the messenger, and thus they themselves replenished the base for "leakage".

Now let's proceed to the data that is at risk. Here, everything is quite simple: the more personal information you leave on your profile, the more people can learn about you, even without any leaks. For example, in some messengers, you can disable the display of your phone number for unauthorised users. It's great if you enable this option; if not – maybe you should reconsider your position. Many people use their real first and last names instead of nicknames. In the same way, real photos are often used.

In total, there is the risk of losing an account that has public access: first name, last name, phone number, and personal photos. Sometimes, this is already enough for someone to make money dishonestly. Various databases are regularly leaked on the Darknet, and such accounts among a bunch of others are real gold.

However, correspondence confidentiality is a different matter. Much depends on how well you know cybersecurity rules. It is also worth remembering all the various sorts of backdoors and exploits that attackers can use to gain unauthorised access to personal data. Most often, they appear as a result of pirated software being used or carelessness on the Internet.

It is important to carefully monitor where and what information you leave about yourself so that you don’t fall for cybercriminals' tricks. An example of carelessness is a story that occurred in April, 2021. In WhatsApp chats, attackers distributed a "new pink version" of the messenger, and that version was in fact a fake application created to steal personal data. To prevent such situations, follow this issue’s recommendations.

Security analysis of instant messengers

We recently conducted a survey among Dr.Web users to find out which messengers are the most popular among them. Among the leaders were Telegram, WhatsApp, Viber, VK Messenger and Skype.

Today, these messengers are going to participate in another small analysis. We carefully chose 5 criteria for evaluating safety:

• Default support for end-to-end encryption — if this function is not available, you cannot be certain that your correspondence is in absolute secrecy.
• The number of users – the more people constantly using the messenger, the higher the probability of becoming a victim of fraudulent actions.
• The data required for registration – some messengers ask for nothing but a phone number, while others need an email address, a full profile, etc.
• 2FA support – two-factor authentication indirectly affects how easily an account can be stolen.
• The ability to disable the display of the current status can make communication safer from all points of view: a potential cybercriminal will not be able to calculate the schedule of your activities.

WhatsApp is the safest messenger based on the results of the analysis. Registration does not require a lot of personal data, and there is support for end-to-end encryption and two-factor authentication. Only the huge number of users (depending on the number of potential fraudsters) is suspicious.

Telegram is a fairly popular and secure messenger, but the "from the box" version cannot provide complete security. You should at the very least enable end-to-end encryption to make sure that the message reaches the recipient.

Viber is definitely not the best secure tool for instant messaging because it lacks two-factor authentication. This is a fairly important criterion — after all, 2FA allows users to significantly increase the level of safety.

VK Messenger and Skype proved to be the most insecure channels for transmitting data. Neither messenger supports email; both require full registration, and neither permits you to disable the display of your current status.

In our survey, we deliberately ignored the privacy policy because most messengers somehow end up forwarding our data to someone. The final decision about what messenger to share information with is left to the user. You simply choose the messenger you trust the most: Facebook, Mail.ru or another company./p>

Of course, there are many other messengers that can rightly be considered more secure, but how will you use Signal, Threema, or Wickr Me if all your friends are still using Viber, Telegram, and WhatsApp?