How do I know that my personal account is not compromised and that someone has not already restored it and is not reading all my incoming messages?
If you are referring to the Testfairy issue, we recommend that all testers and users of the mobile nightly builds create a new account and transfer funds into the new account.
A blog post will be published soon with more information.
Thanks, great to know!
The question is not directly referring to the recent issue.
I’m trying to figure out whether it’s supposed to have a second (probably optional) layer of security around information shared between public accounts. It could be additional encryption bound to keys stored only on authorized devices. Or a network-level solution that unlocks data after authorization, so that the network can warn the user if unauthorized access has happened. Or a DApp extension to Status chat with additional encryption of messages.
I am working on pairing devices, so I have been looking into this.
There are a few considerations to make; this is the current situation:
If your seed phrase is compromised, a potential attacker can:
1. Read any message sent to you
2. Impersonate you

(1) is basically not detectable.
(2) is only detectable as you might receive replies to messages you have not sent.
They will not have access to data that is on your device (and not on the mailserver).
With PFS, 1 would not be possible, while 2 would still happen, but it would be harder to detect, as only the attacker would be able to decrypt those messages; although your device will see that a message has been sent to your PK but you were not in the device list, so the user can be notified.
For sharing data across devices, the strategy we are following is to have each device confirmed by the user before it starts sending data (so in this case an attacker who compromised your PK and created device A2 would need to trick the user on device A1 into accepting that device A2 is authorized before A1 would send any data to A2).
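A small model of the two mechanisms described in the reply above, written as an added example and not taken from the Status code base: a device keeps its own list of authorized device ids, will not share data with a device until the user confirms a pairing request, and raises an alert when it sees a message sent under its own PK from a device id that is not in that list. The `device_id` field on messages, the `request_pairing`/`confirm_pairing` calls and the sample keys are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    """A chat message as seen by a device (hypothetical shape, constructed for this example)."""
    sender_pk: str      # account public key the message claims to come from
    device_id: str      # id of the device that produced it (assumed field)
    recipient_pk: str
    body: str


@dataclass
class Device:
    """One device of an account; tracks which sibling devices the user has confirmed."""
    device_id: str
    account_pk: str
    authorized: set = field(default_factory=set)  # device ids this device will share data with
    pending: set = field(default_factory=set)     # pairing requests awaiting user confirmation
    alerts: list = field(default_factory=list)    # notifications to show the user

    def __post_init__(self):
        # A device always trusts itself.
        self.authorized.add(self.device_id)

    def request_pairing(self, other_id: str) -> None:
        """Another device (possibly an attacker's) asks to be paired; nothing is shared yet."""
        self.pending.add(other_id)

    def confirm_pairing(self, other_id: str) -> bool:
        """The user explicitly accepts a pending device; only then does it become authorized."""
        if other_id not in self.pending:
            return False
        self.pending.discard(other_id)
        self.authorized.add(other_id)
        return True

    def may_share_with(self, other_id: str) -> bool:
        """Data is sent to a sibling device only after the user confirmed it."""
        return other_id in self.authorized

    def inspect(self, msg: Message) -> bool:
        """Detection from the thread: a message under our own PK from an unknown device.

        Returns True when the message is consistent with the known device list,
        False (and records an alert) when someone else appears to hold our key.
        """
        if msg.sender_pk == self.account_pk and msg.device_id not in self.authorized:
            self.alerts.append(
                f"{self.device_id}: message '{msg.body}' sent under our key "
                f"from unknown device {msg.device_id}"
            )
            return False
        return True


def simulate_compromise() -> Device:
    """Walk through the scenario in the reply: A2 created by an attacker holding Alice's key."""
    a1 = Device("A1", "pk_alice")          # constructed sample key
    a1.request_pairing("A2")               # attacker's device asks to pair
    assert not a1.may_share_with("A2")     # A1 shares nothing until the user confirms
    # Attacker impersonates Alice to Bob from A2 without ever being confirmed.
    forged = Message("pk_alice", "A2", "pk_bob", "send me the funds")  # constructed
    a1.inspect(forged)                     # A1 notices the unknown device and alerts
    return a1


if __name__ == "__main__":
    for line in simulate_compromise().alerts:
        print(line)
```

The alert is the only signal the legitimate device gets in the impersonation case; it does not stop the attacker from sending, which matches the reply's point that impersonation remains possible but becomes detectable, while reading messages is what PFS addresses.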