Telegram Security

Key Takeaway: Stay vigilant with group chats on Telegram. Implement verification steps and secure communication practices to protect against sophisticated interception attacks.

While Telegram is widely used in the crypto community, it's crucial to understand its security limitations. Telegram does not offer end-to-end encryption (E2EE) by default, which means your messages could potentially be accessed by third parties. Additionally, Telegram's reliance on phone numbers for account creation can expose users to SIM swapping attacks, and its peer-to-peer call feature can reveal your IP address to other users. If E2EE is a priority, consider using Signal.

However, if you choose to use Telegram, the following best practices can help enhance your security.

---

Table Of Contents

• Telegram Security
  • Standard Security
    • Configure 2FA
    • Hide Your Phone Number
    • Disable P2P Calling
    • Manage Inactive Sessions
  • Extended Security
    • Consider Using a Different Phone Number
      • Using a VoIP Number
      • Using an Anonymous Number
    • Turn On Auto-delete Messages
  • Advanced Security Measures
    • Use Secret Chats for Enhanced Privacy
    • Regularly Update the Telegram App
    • Be Cautious with Third-Party Bots and Integrations
    • Implement Device-Level Security
    • Manage Group and Channel Admin Permissions
    • Educate Community Members on Security Practices
  • Example of a Man-in-the-Group Attack
    • Scenario: Intercepting a Payment Deal
      • Step 1: Initial Communication
      • Step 2: Attackers Create Cloned Groups
      • Step 3: Replicating Conversations
      • Step 4: Swapping Payment Details
      • Step 5: Execution of the Scam
  • Extended Security
    • Devices
    • Passcode Lock
    • Privacy and Security
      • Security
        • Two-Step Verification
      • Privacy
      • Settings > Privacy and Security > Data Settings
  • Tips for Safe Use

Standard Security

Configure 2FA

Telegram sign-ups require a phone number, but you can also enable two-factor authentication via a password—your main protection if you’re ever SIM-swapped. Don’t reuse this password anywhere else.

1. Go to: Settings > Privacy and Security > Two-Step Verification
2. Set: A strong password and recovery email (store both in a password manager)

Hide Your Phone Number

Making your phone number visible can expose you to unwanted contact or social engineering attacks. Restricting visibility helps safeguard your personal info.

1. Go to: Settings > Privacy and Security > Phone Number
2. Who can see my phone number?: Select Nobody
3. Who can find me by my number?: Select My contacts

Disable P2P Calling

By default, Telegram calls can connect you directly to the other user, potentially revealing your IP address.

1. Go to: Settings > Privacy and Security > Calls
2. Use peer-to-peer with: Select Nobody

Manage Inactive Sessions

Telegram supports auto-terminating inactive sessions. You can also manually review and end any suspicious active sessions.

1. Go to: Settings > Devices
2. Review: Delete any sessions you don’t recognize
3. Auto-terminate: Set inactive sessions to end after 1 month

Extended Security

Consider Using a Different Phone Number

Even if you implement all the recommended security measures, there are still valid reasons to use a separate phone number. For instance, it can help prevent your contacts from discovering your Telegram account or reduce the risk of accidental number exposure. This is particularly important because the "Share My Phone Number" option is enabled by default whenever you add a new contact.

Using a VoIP Number

Telegram restricts many VoIP providers, but services like Google Voice or Burner might work. Purchase a burner number solely for Telegram if you prefer additional anonymity.

Using an Anonymous Number

In December 2022, Telegram introduced support for anonymous numbers purchased through its TON blockchain infrastructure. You can also check out Fragment for such options.

Turn On Auto-delete Messages

Consider the photo you shared with a friend several months ago. While it might have slipped your mind, an attacker who gains access to your account could find such information quite valuable.

1. Go to: Settings > Privacy and Security > Auto-Delete Messages
2. Set: Choose a time frame (e.g., 1 week) based on your risk tolerance

Advanced Security Measures

Use Secret Chats for Enhanced Privacy

For conversations that require an extra layer of security, use Telegram's Secret Chats, which offer end-to-end encryption.

1. Start a Secret Chat: Open the chat with the desired contact, tap on their name, and select Start Secret Chat
2. Benefits:
   • Messages are encrypted and can only be read by you and the recipient
   • Offers self-destruct timers for messages
   • Prevents forwarding of messages to other chats

Regularly Update the Telegram App

Ensure you are always using the latest version of Telegram to benefit from the newest security patches and features.

1. Check for Updates: Visit your device's app store regularly
2. Enable Automatic Updates: If possible, turn on automatic updates to stay current

Be Cautious with Third-Party Bots and Integrations

Third-party bots can enhance functionality but may also introduce vulnerabilities.

1. Use Trusted Bots: Only add bots from reputable sources
2. Review Permissions: Limit the permissions you grant to bots
3. Regular Audits: Periodically review and remove unnecessary bots

Implement Device-Level Security

Protect the device you use to access Telegram to prevent unauthorized access.

1. Use Strong Passwords or Biometrics: Secure your device with a strong passcode or biometric authentication
2. Enable Device Encryption: Ensure your device's storage is encrypted
3. Install Security Software: Use reputable antivirus and anti-malware solutions

Manage Group and Channel Admin Permissions

Properly managing admin permissions can prevent misuse and unauthorized access.

1. Limit Admin Roles: Only grant admin privileges to trusted individuals
2. Review Permissions: Regularly check what permissions each admin has
3. Use Role-Based Access: Assign roles based on responsibilities to minimize risks

Educate Community Members on Security Practices

A secure community relies on the awareness and vigilance of its members.

1. Provide Security Guidelines: Share best practices with your community
2. Conduct Training Sessions: Offer regular training on recognizing phishing and other threats
3. Promote Safe Communication: Encourage the use of Secret Chats and cautious sharing of personal information

---

Example of a Man-in-the-Group Attack

Attackers can exploit Telegram's group chat features to intercept and manipulate communications between two parties. Here's a concise example of how such an attack might occur:

Scenario: Intercepting a Payment Deal

Step 1: Initial Communication

• Alice and Bob decide to finalize a cryptocurrency deal using a Telegram group chat named "Crypto Deals".

Step 2: Attackers Create Cloned Groups

• Attacker 1 creates Group A impersonating Alice.
• Attacker 2 creates Group B impersonating Bob.

Step 3: Replicating Conversations

• In Group A (Impersonating Alice):

  • The attacker, posing as Alice, relays Alice's messages from Group B to maintain the conversation.

• In Group B (Impersonating Bob):

  • The attacker, posing as Bob, mirrors Bob's messages from Group A, acting as a middleman without altering the content.

Step 4: Swapping Payment Details

• In Group A:

  • Fake Alice and Bob agree to the terms of the deal.
  • Bob shares his payment address.

• In Group B:

  • Fake Bob shares his swapped payment address.
  • The conversation continues normally, with neither Alice nor Bob aware of the swap.

Step 5: Execution of the Scam

• Alice sends the payment to what she believes are Bob's details but are actually those of Fake Bob.
• The attacker now controls both ends of the conversation, having successfully redirected the funds.

Extended Security

Devices

• Settings > Devices: The default setting for automatically terminating old sessions is set to 6 months. It is highly recommended to change this setting to a shorter period—1 month or even 1 week—depending on how frequently you use Telegram.

Passcode Lock

• Settings > Privacy and Security > Passcode Lock: This feature adds a passcode to access your Telegram app after a period of inactivity. The default setting is "away for 1 hour."
  • Recommendations:
    • Store Passcode Securely: Do not lose this passcode—store it offline if needed.
    • Unique Passcode: Ensure it is different from your phone's unlock passcode.

Privacy and Security

Go to: Settings > Privacy and Security

Security

Two-Step Verification

• Overview: Telegram does not require a login by default. However, you can set up a password that acts as a "second" 2FA method when logging in from a new device.
• Security Measures:
  • SMS Codes: Telegram sends a code via SMS, which is not secure.
  • Email Recovery: Offers email recovery, which is more secure but lacks options for authenticator apps or hardware keys.
• Important:
  • Backup Password: If you lose this password, access to your account may be compromised.
  • Secure Storage: Write it down offline and ensure it is not lost.

Privacy

Consider adjusting the following settings based on your country, usage, and purpose for using Telegram:

• Phone Number: Set to Nobody to prevent exposure.
• Last Seen & Online: Set to Nobody to enhance privacy.
• Profile Picture: Set to Everybody to stop scammers from impersonating your profile picture.
• Bio: Set to Nobody (depending on use of Telegram).
• Date of Birth: Set to Nobody.
• Forwarded Messages: Set to Nobody.
• Calls: Set to Nobody or Contacts Only (depending on use of Telegram).
• Voice Messages: Set to Contacts Only (depending on use of Telegram).
• Messages: Set to Everybody or Contacts Only (depending on use of Telegram).
• Invites: Set to Contacts Only or Nobody to prevent being added to random groups that may impersonate legitimate groups and lead to scams.

Settings > Privacy and Security > Data Settings

• Sync Contacts: Disable (depending on use of Telegram) to prevent syncing your contacts.
• Suggest Frequent Contacts: Disable (depending on use of Telegram) to avoid unsolicited contact suggestions.

Tips for Safe Use

• Use Secret Chats: When messaging someone, create a 'secret' chat to ensure encrypted 1:1 communication, providing end-to-end encryption for sensitive transactions.
• Verify Group Invites and Authenticity: Always triple-check group invitations and confirm the legitimacy of group chats through separate channels to avoid joining impostor groups that share malicious links.
• Beware of Unsolicited DMs: Never trust direct messages from anyone sending links or posing as "support," "exchanges," or "team" members.
• Double-Check Payment Details: Verify payment information through multiple methods before transferring funds to prevent fund redirection.
• Block and Report Scammers: Use the block function to prevent further contact, and report spammers/scammers instead of just deleting chats.
• Limit Group Permissions: Restrict who can add members to groups to prevent unauthorized cloning and protect against raids.
• Educate Members: Train community members to recognize and report suspicious group activities and security threats.
• Exercise Caution with Mini Apps: Avoid logging in or providing information to mini apps that redirect outside of Telegram. Triple-check the username of the mini app to ensure its legitimacy, as Telegram lacks a bot verification system. Never download or run any commands from Telegram on your device.
• Enhance Privacy with a VPN: Advanced tip: Set up a proxy or VPN to hide your IP address while using the Telegram app.
• Stay Vigilant Against Scam Ads: Be aware that anyone can post ads in channels, with 99% being scam ads. Exercise caution when interacting with advertisements.