The Big Reason a Twilio/Signal Breach Couldn’t Happen to MySudo

Oct 17, 2022 | Privacy Tips

Did you hear how a recent phishing attack on Twilio, which provides secure messaging app Signal with phone number verification services, exposed the phone numbers and SMS verification codes of 1,900 Signal users? 

Did you also hear the attacker re-registered one particular phone number they were searching for during the attack to another device using the stolen verification code?

And do you know why that same attack couldn’t happen to the MySudo app? The answer is very simple: 

MySudo doesn’t ask for a phone number or any personally identifiable information (PII) to set up your account, like Signal does. Instead, we use public key infrastructure (PKI) to protect your account — and that’s a huge privacy and security difference.

If Signal didn’t require its users’ phone number on account set-up, they or any third party service provider like Twilio wouldn’t have the phone numbers for any data processing, and vulnerable to attack.

Over at MySudo, where we also offer end-to-end encrypted messaging like Signal, as well as other secure communications channels, we don’t ask for your phone number or any of your personal information, like email address. Instead, we protect your account with authentication and encryption keys that never leave your device.

PKI is security through encryption

CSO Online puts it well when it says: “Public key infrastructure helps you authenticate the people you talk to and keep what you talk about secret.”

Encryption is the act of encoding data to render it unintelligible to someone who doesn’t have the authorization to access the data. Once data is encrypted, only authorized parties who have an appropriate ‘key’ can read or use the data. Here are some examples of data encryption in MySudo: 

Key generation

1. When you install and launch MySudo for the first time, MySudo generates public/private key pairs on your device.

2. The private keys are stored in the mobile device’s specific secure key storage (e.g. iOS keychain and Android keystore). Users of MySudo on iOS may optionally backup their encryption keys to their Apple iCloud account, or to a laptop using Apple iTunes as part of an encrypted backup. Users of MySudo on Android may optionally backup their encryption keys to their Google Drive account, protected by a password of their choice. The private keys are never stored in the Sudo Platform. 

3. The public keys are uploaded to the Sudo Platform.

Data encryption

1. Incoming content from a non-Sudo phone number or email address is received by the Sudo Platform and encrypted before being stored in the Sudo Platform and delivered to your device.

2. An AES-256 data encryption key (DEK) is generated in the Sudo Platform.

3. The DEK is then encrypted with your public key, and the plaintext version of the DEK purged from the Sudo Platform, so that only the receiving MySudo user (you) can decrypt the DEK, and hence the incoming content.

Data decryption

  1. On your device, you receive the encrypted message content and encrypted DEK. Recall that the DEK was previously encrypted using your public key.
  2. The DEK is decrypted using your private key.
  3. The encrypted message content is then decrypted using the DEK.
  4. The decrypted message content is then visible to you.

MySudo settings

  1. MySudo app settings (including contacts and browser bookmarks) are encrypted on your device using AES-256 symmetric key encryption.
  2. The encrypted settings are stored in the Sudo Platform. This allows for synchronization across your multiple devices.
  3. The encryption key is never sent to, or stored in, the Sudo Platform.

Want more? Read “Encryption in MySudo: A Deep Dive on How We Keep Your Data Safe

But it’s not only PKI that sets MySudo apart. MySudo actually has more privacy functionality than Signal, Telegram or any other privacy app on the market today. 

Signal and Telegram are private instant messaging apps. MySudo is an all-in-one privacy app. MySudo is an excellent tool for not only in-app messaging but also all out of network communications. 

MySudo uniquely offers private and secure voice, video and group callsSMSemailbrowsing and payments all in one app.* It’s also built around Sudo digital identities, which make using the most powerful data privacy strategy known as compartmentalization easy.

So, even if you use WhatsApp, Signal or Telegram for private instant messaging, if you’re serious about your privacy you will want even more privacy features than those apps can give you. MySudo delivers those features.

A final word about Twilio and Signal

We were sorry to hear about the Twilio phishing attack that led to 1,900 Signal customers being exposed. Fortunately, Twilio and Signal’s responses were prompt and appeared to limit the extent of the security incident. We never want to see any organization or its customers suffer a data breach or other privacy violation – which is why we built MySudo: to put people in control of their own personal data. Download MySudo in iOS or Android now. 

Oh, before we go, we just want to stress that we’ll only ask for personal information if you opt-in to use our virtual cards feature because we must do a one-time verification of your identity by law. At this time, we will ask you for your accurate and up-to-date legal identity information (name, residential address and date of birth) and verify it with a third party provider, so we can comply with US government regulations to limit the risk of fraud, money laundering and funding of terrorist activities. 

*Virtual cards are currently iOS and US only. Android and more locations are coming soon.

Get privacy, cyber safety and decentralized identity insights in your inbox:

You May Also Like…

Download Mysudo

Plans start at USD 0.99 a month.
Try SudoFree today.

Browse plans

Download Mysudo

Plans start at USD 0.99 a month.
Try SudoFree today.

Browse plans