Recent Signal phishing attacks highlight a critical gap in secure communication: protecting messages is not enough. Learn why user profiles and organizational security matter just as much as encryption.
Recently, a spate of successful social engineering attacks on high-value users of the Signal secure messaging tool has raised significant concerns, spawning as many questions as impassioned critiques about how to properly secure communications.
A significant challenge is that the field of Internet security is so complex that it makes constructive dialogue difficult, even for modern, digital professionals. This blog is an attempt to simplify some of the terms of conversation in the service of better-informed discussion and decisions.
In any two-way or multi-party communication over the Internet, you have members — humans using devices and software — and you have messages: the data sent between the members.
This may seem obvious, but it is critically important. Mistaken assumptions, particularly about how members behave and how they are secured, are where most secure communication tools break down in practice.
One key criterion for judging secure communications is whether the tool does a competent job of securing messages. For example, are messages end-to-end encrypted, or E2EE, so that only the members who are party to the communications can read them? Can any servers access messages in a readable state, such as via backup keys? Can any admins from the app provider, or from a business or organization, read them?
The degree to which messages are protected makes a huge difference. This is why organizations outside the U.S. are so concerned about FISA and the Cloud Act: they grant legal authority for state-based surveillance of their valuable business or even classified data. This is why most secure communications applications severely limit administrative access to user messages.
Secure communications applications share this in common: they are software systems comprising clients, servers, and administrative functions. There are many techniques to secure the people, devices, and application software. But at the end of the day, the key question comes down to the profile of the users.
For example:
Ultimately, you need to choose software that offers protection for the right user profile. For example, you could have an application that implements sound E2EE, but it will not be secure enough if the user personas are too untrained, unaware, or distracted to practice good cybersecurity hygiene, and the app does not help safeguard users with those realities in mind.
Following is a breakdown of how to assess the profiles and needs of different user types. Keep in mind that not all of these descriptions are exclusive. For example, social engineering is a top risk for every single user. The point is not to take this breakdown as the absolute truth for your circumstances, but to make a sound evaluation of your user profiles to ensure that you are choosing the right tools and processes to support them.
| Dimension | High-Value Users (Execs, officials) | Organizational Users (Enterprise teams) | Highly Aware Personal Users (Activists, journalists) |
|---|---|---|---|
| Operating reality | Busy, high-pressure, targeted | Structured environment, managed IT | Careful, intentional, self-directed |
| Primary risks | Social engineering, impersonation, and account takeover | Data leakage, misconfiguration, and insider risk | Surveillance, interception, metadata exposure |
| User behavior | Inconsistent caution, fast decisions | Imperfect, guided by policy and tools | High vigilance, verifies identity out of band |
| Tolerance for friction | Low, except at critical moments | Medium, accepted if standardized | High, if it improves privacy/security |
| Needs from the system | Reduce decisions, enforce safety, detect/recover | Enforce policy, control access, audit activity | Maximize privacy, minimize trust in infrastructure |
Short answer: The social engineering attacks targeted users who are not an ideal fit for Signal.
TL;DR version: Signal is one of the most effective tools ever invented for encrypted private communications. Signal is specifically designed to allow individuals, not organizations, to conduct communications in strict privacy, with the assumption that surveilling forces are actively at work trying to invade that privacy, and that any systemic dependencies, such as servers, admins, metadata, stored credentials, usernames, emails, and passwords, are vulnerable to being compromised by surveilling parties and should be avoided.
As a result, Signal binds devices cryptographically to phone numbers, which are portable and owned by individuals.
In doing so, it also removes many systemic security measures, such as Single Sign-On and SCIM. And it operates with minimal access controls. For example, by default, any user can unilaterally contact any other user if they know their phone number or username.
The reason is that Signal wants to foster a world where anyone can communicate with whomever they want, while maintaining privacy. This is an admirable goal. Signal has been immensely successful. And Signal makes design choices guided by its core principles.
This design is very effective for two types of users:
Recently, however, Signal has been shown repeatedly to be decidedly less effective for high-value personas. These people are often older, less technically savvy, extremely distracted, and in the habit of delegating to others. In other words, they are neither highly careful nor casual users. Yet they have large amounts of high-value information and communication to protect.
It is also not designed for organizational users — those who are professionals within businesses, government agencies, or NGOs — as evidenced by the lack of enterprise identity, access, and administrative controls. This is not a flaw; it is simply not the aim of the application.
Wire is built for organizational users who have “normal” levels of OpSec and cybersecurity awareness and training. Collectively, these users have access to goldmines of intellectual property, business plans, and corporate data. Yet they are also busy, distracted, and prey to their own human cognitive biases, such as a tendency to trust others, especially those who claim authority, like admins, even when there are signs to be cautious.
As a result, Wire not only implements strong E2EE and preserves message security across servers and admins, but also ensures that its architecture at every level enhances members’ security. For example, the Wire UI reduces decision fatigue so users do not have to choose to be secure.
Some other ways that Wire strives to protect these types of users include:
None of these measures means that Wire is immune to social engineering attacks. However, it does mean that Wire’s user profile is distinct from Signal’s, and Wire’s many years of experience have yielded a system that is deeply shaped to secure high-value and organizational members as much as the messages they send.
At the end of the day, your secure communication choices should not be primarily focused on individual capabilities such as E2EE, as important as they are. The most important question to ask first is: what types of users are you trying to protect?
Clarity on your user profiles will help you make the best decisions for yourself, your users, and your organization.
If you want to explore how Wire can help your team, it is easy to get started or request a meeting to learn more.