Telegram Security
Two-factor authentication prevents someone with access to your phone messages from accessing your account (think of SMSes arriving on both your iPhone and iPad, where the iPad was left unattended and the attacker got to it). In Telegram's case, this is a password on top of the usual phone number authentication.
Go to your Telegram settings > Privacy and Security and ensure that Two-Step Verification is On.
Someone who has your phone number can attack you through an external avenue, such as an unsolicited phone call about a completely unrelated matter, which can eventually lead to your wallet through access to your other accounts.
Go to your Telegram settings > Privacy and Security and ensure that Nobody is allowed to see your Phone number.
In Telegram, you will not know when a message you sent is forwarded. To make things worse, the forwarded message carries an attribution which by default is a link to the original sender. From a privacy POV, it is obvious why this should be disabled.
Go to your Telegram settings > Privacy and Security and ensure that this setting indicates Nobody.
By default, everyone is allowed to call you. Allowing everyone to call you is dangerous because a scammer who has gained knowledge of who you are via other channels could pose as someone you know to get you to do certain things for them.
Go to your Telegram settings > Privacy and Security and ensure that this setting indicates My contacts. If you'd like to be extra safe, set this to Nobody.
By default, everyone can add you to groups and channels. This is dangerous because a scammer who knows which groups you are in is able to create a group/channel that looks like the original and post links which lead to the scammer's site. This actually happens a lot, trust us.
Go to your Telegram settings > Privacy and Security and ensure that only My contacts are allowed to add you. If you'd like to be extra safe, set this to Nobody. When friends do want to add you somewhere, ask them to send you a link.
Automatic downloads can be dangerous, especially on laptops with access to your wallet. Accidentally opening a download which you never intended to access can result in data loss or in an attacker gaining access.
Go to your Telegram settings > Advanced and observe this group of settings:
Tapping/clicking into any of them should lead to another page with the configurations:
At a minimum, ensure that automatic downloading of Files is disabled. Photos can usually be enabled safely (systematically safe) for convenience.
The risk of enabling automatic downloading of photos arises when a zero-day appears which affects the entire kill chain, from the image file format, to the library Telegram uses to load images, to your operating system's image rendering (this is highly unlikely to happen).
One preventive measure you can take to limit damage is to be aware of where you have open Telegram sessions. Always terminate sessions which you have not accessed in a while (you may even have forgotten that a session exists on a device you no longer use, which might be picked up by an attacker).
Go to your Telegram settings > Privacy and Security, click on Show all sessions and remove all sessions which you do not recognise. Do this on a monthly basis, or weekly if you suspect someone may have access to your account via other means.