The Israel National Cyber Security Authority recently sent out a security alert about a new method of hijacking WhatsApp accounts.
The method, which has already been used to hijack many WhatsApp accounts, abuses mobile providers’ voicemail systems.
The attacker registers the victim’s phone number on a new WhatsApp installation, which triggers WhatsApp’s verification procedure: a one-time code is sent via SMS to the victim’s phone.
Several failed SMS verification attempts – which can be triggered while the victim is asleep, for example – result in WhatsApp prompting the user to do a “voice verification” instead.
WhatsApp then calls the victim’s phone and reads out the one-time verification code; if the call is not answered, the code is recorded in the victim’s voicemail.
If the victim’s voicemail account still uses the default password, the attacker can access it and retrieve the code.
With SIM-swop fraud an increasing problem in South Africa, there is a real chance that an attacker could steal your cellphone number and take over accounts linked to it.
Users who have voicemail services on their smartphones may also be concerned about falling victim to the new attack method.
Fortunately, there is a way to protect your WhatsApp account.
WhatsApp for Android and iOS offers users the option of enabling two-step verification.
Two-step verification will add a layer of security to your account and require you to enter a PIN when registering your phone number with WhatsApp again.
From our tests, having two-step verification enabled will also require you to enter your PIN at random times when using WhatsApp. The gap between requests is long, and is not onerous on the user.
To turn on two-step verification in WhatsApp, users must go to:
- Settings > Account > Two-Step Verification, and then press Enable.
After you have pressed Enable, you will be asked to enter a six-digit PIN.
There is also the option to enter your email address when enabling two-step verification, and it is recommended you do this.
If you forget your PIN, you can request WhatsApp to send you an email with a link to disable two-step verification – preventing you from being locked out of your account.