Use 2FA to Stop This New WhatsApp Account Attack

A simple but noteworthy attack is making the rounds on popular chat service WhatsApp. It’s incredibly easy for someone to pull off — all they need is access to a single account that has you listed as a contact. And if you’re susceptible to a bit of social networking, said attacker can take over your WhatsApp account pretty easily.

Here’s how it works, courtesy of F-Secure chief risk officer Mikko Hypponen. An attacker starts by gaining access to a WhatsApp account that has you listed as a contact. Said person then attempts to convert every single contact in that account to a WhatsApp business account. Before this happens, WhatsApp sends you a message asking you to confirm your new business account with a six-digit code.

The attacker, still in control of the account that has you listed as a contact, then messages you pretending to be that person. They’ll send you something along the lines of, “Oops, didn’t mean to send that to you, can you tell me what the six-digit code is?” If you reply with the number, you can kiss your WhatsApp account goodbye. The attacker has now taken it over, and they’ll use your contacts to continue the scheme.

Obviously, the best thing you can do to prevent yourself from being suckered in by this attack is to never, ever give anyone else any authentication codes you receive. There will never be a time when an authentication code is accidentally sent to you. Even if that were the case, the person requesting a code for themselves should be able to simply re-request it; they don’t need your help.

So, a little common sense prevents a lot of pain on this one. However, this attack is also a great reminder that you can and should be using WhatsApp’s two-step verification. You set it up via Settings > Account > Two-Step Verification.

Screenshot: David Murphy

When you set this up, you’ll have to input a PIN that only you know whenever you re-register your phone number with WhatsApp. In other words, if you (or someone else) try to associate a new device with your phone number, the PIN is required to finish the setup process. That’s different from the registration code that gets texted to a phone number; you’ll need both to set up WhatsApp using your number on a new device.

It’s a great, sure-fire way to ensure that nobody else is ever going to be able to take over your WhatsApp account. And, yes, if you forget the PIN, WhatsApp can email it to you. (Please don’t share that email with anyone else ever.)
