The only bit of information this leaks to the recipient is that you're a Telegram user and opted into this feature. Otherwise, it's no different to someone randomly typing your phone number in and texting you?
What is the risk exactly? If someone wanted to spam/harass/etc people, he can do that by just mashing 10 random digits in the dialler UI and repeat until he gets a successful call/text through, or lookup their country's number range allocations to narrow down to a specific carrier/etc.
Somebody could resell some of the received OTP codes (or just get them siphoned off their phone by malware without knowing it) to facilitate account compromises.
It could be that the login process is two-way, first establish a session and get a token, then a 2FA code is sent which needs to be presented alongside that session secret, thus an attacker merely having a 2FA code (without the associated session token) can’t use it.
Maybe there is an optional way to enable multifactor auth for Telegram, but in my experience it isn’t the default at least: Receiving and entering the SMS-OTP is everything I need for full account access, including to historic messages.
Yes, my point is that internally the client could be first obtaining a session token and then requesting a 2FA code, and then submitting both. This means an MITM that only has the code wouldn’t be able to complete the flow.
The attacker can of course initiate a new login flow (thus getting a session token), but this is rate-limited, would invalidate the previous flow, might alert the user (if the user is logged in on other devices, they get notifications when someone tries to login) and relies on this MITM being picked to send the 2FA code to the user again (they might only use one sender per receiver to thwart this attack, or use IP/fingerprint heuristics to avoid pairing potential attackers & victims together).
It’s still a much too high risk in my view, given the sensitivity of a long-term historical communications log that’s on the other side of that authentication.
I’m also not sure that these are effective deterrents: The people trying to brute-force my Instagram password certainly don’t care about sending me a warning email and locking my account once per day, for example.
Obviously if you want high security you can enable an actual password on your account.
I’m not convinced this is more insecure than sending it though conventional means - telecoms are well and truly compromised and don’t give a shit about it. If you’re gonna get dubious security anyway, at least you can save some money by not having to pay for it.
Locking your Insta account means they’re effectively only getting a couple attempts per day - the rate-limit is working at thwarting targeted attacks towards your account. The reason it keeps going on anyway is because they aren’t targeted attacks and are hoping to win the lottery and get into any account by sheer luck (just to spam - this is not a targeted attack and they’d have no interest in your chat history).
So regular users don't deserve reasonable security? That seems out of line with Telegram's ostensible focus on security and privacy. I'm not surprised at all, though.
> I’m not convinced this is more insecure than sending it though conventional means - telecoms are well and truly compromised and don’t give a shit about it. If you’re gonna get dubious security anyway, at least you can save some money by not having to pay for it.
The telco is still in the loop, though, so this still increases the number of parties with potential access to the verification messages.
I could see it as a second factor, but as the only factor (by default), it's outright scary.
It has a lot to do with it: Since Telegram is not encrypted and additionally stores all chat history server-side, a compromised login process has a much higher impact since it also compromises past message content, not just those received after the breach.
What is the risk exactly? If someone wanted to spam/harass/etc people, he can do that by just mashing 10 random digits in the dialler UI and repeat until he gets a successful call/text through, or lookup their country's number range allocations to narrow down to a specific carrier/etc.