The most foolproof way to know who you are messaging is to verify their identity and exchange contact information in person first. Meet face-to-face, confirm who they are, and share your secure messaging usernames, phone numbers, public key fingerprints, or whatever information is needed to connect on your chosen messaging platform. Verifying real-life identities gives you the highest confidence that you are communicating with the right individual.
Multiple channels to cross-verify identities
- If meeting in person isn’t possible, verify the person’s identity through multiple independent channels. For example, if you know their email address, phone number, and social media profile, reach out through all of them to confirm you are connecting with the same person on the secure messaging app, rather than relying on a single point of verification.
- Check and compare public key fingerprints. Many secure messaging apps use end-to-end encryption based on public key cryptography. In this system, each user has a pair of keys, a public key and a private key. The public key is used to encrypt messages to that user, and only the matching private key can decrypt them.
- To verify a contact’s identity, the app should display a fingerprint of their public key, a short string derived from it. Contact the person through another verified channel and have them read off their public key fingerprint to you. It should match what is shown in the app for their username. Some apps automate this by letting you scan a QR code the other user displays.
Verify PGP keys for email carefully
If encrypting email using PGP/GPG, take great care in verifying your contacts’ public keys. A sender can attach their public key to a message, but you should only trust it once you have verified that it belongs to them. The most secure way is to obtain the person’s public key fingerprint directly from them via another channel you trust, like a face-to-face meeting, a secure messaging app, or a voice/video call. You can also check their public social media profiles or websites to see if they have posted their key or fingerprint there.
Once verified, mark the key as trusted in your PGP software. Remember that just because an email says it is “signed” by someone doesn’t mean it came from them – without verifying their key first, an attacker could have generated a fake key for that email address. Always check signatures against keys you have verified and trusted.
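The fingerprint comparison described in the bullets above and in the PGP section comes down to one check: hash the public key the app actually received, and compare the result with the fingerprint the contact gave you over an independent channel. This is an added illustration, not code from any messaging app or from the original article; the SHA-256 fingerprint format and the two 32-byte sample keys are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample keys: fixed 32-byte values standing in for two users'
# public keys (an Ed25519 public key is 32 bytes). Real keys come from the
# messaging app; these placeholders let the example run offline.
ALICE_PUB = bytes.fromhex("11" * 32)
MALLORY_PUB = bytes.fromhex("22" * 32)  # a different key, as substituted in transit


def fingerprint(public_key: bytes, group: int = 4) -> str:
    """Derive a human-readable fingerprint: SHA-256 of the raw public key as
    upper-case hex in 4-character groups (16 groups for 256 bits). Anyone
    holding the same key bytes derives the same string, so a contact can read
    it aloud over another verified channel for comparison."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + group] for i in range(0, len(digest), group))


def normalize(shown: str) -> str:
    """Remove the spacing and case differences a person introduces when reading
    a fingerprint aloud or typing it, so only the hex digits are compared."""
    return "".join(shown.split()).upper()


def fingerprints_match(app_shown: str, out_of_band: str) -> bool:
    """Compare the fingerprint the app displays for a contact with the one the
    contact supplied out of band. The whole string must match: accepting a
    partial match (only the first few groups) weakens the check considerably."""
    a, b = normalize(app_shown), normalize(out_of_band)
    return len(a) == len(b) and hmac.compare_digest(a.encode(), b.encode())


def verify_contact(key_received_by_app: bytes, fingerprint_from_contact: str) -> bool:
    """The verification step: fingerprint whatever key arrived over the network
    and compare it with the value the contact gave you through another channel."""
    return fingerprints_match(fingerprint(key_received_by_app), fingerprint_from_contact)


if __name__ == "__main__":
    # Alice reads her fingerprint to Bob over a verified voice call (lower case, spaces kept).
    spoken = fingerprint(ALICE_PUB).lower()
    # The app holds Alice's real key: verification passes.
    print(verify_contact(ALICE_PUB, spoken))    # True
    # A different key was delivered to the app: the fingerprint differs and
    # verification fails, which is exactly the situation the check exists to catch.
    print(verify_contact(MALLORY_PUB, spoken))  # False
```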
Beware of social engineering tricks
Scammers and attackers often use social engineering tactics to trick you into trusting a fake identity. They may send you a message pretending to be a friend or coworker and pressure you with an urgent request. Or they may impersonate an authority figure or trusted institution. Be cautious about any unsolicited message urging you to click a link, download a file, or send sensitive information, even if it appears to come from a known contact. If anything seems suspicious, contact the supposed sender by another channel to verify the request. Adopt a zero-trust policy – do not trust any message or identity until you have verified it, especially if you are asked to do something unusual.
For important contacts, consider agreeing on a secret question or passphrase ahead of time that only the two of you know. If you receive a message claiming to be from them, ask for the secret answer to verify their identity. This is especially useful if you need to reverify a contact after a long period of not communicating. Agree to change the secret question and answer periodically for better security.