Use 2FA to Stop This Attack on Your New WhatsApp Account

A simple but noteworthy attack is making the rounds on the popular chat service WhatsApp. For the attacker it is remarkably easy: all they need is access to a single WhatsApp account that has you listed as a contact. If you are even slightly inclined to trust messages from people you know, that attacker can hijack your WhatsApp account.

Here is how it works, as described by F-Secure Chief Research Officer Mikko Hyppönen. The attacker begins by gaining access to a WhatsApp account where you are listed as a contact. They then try to register each of that account's contacts, your phone number included, as a WhatsApp Business account. Before that registration can complete, WhatsApp sends a six-digit verification code to your phone number, asking you to confirm the new business account.

The attacker, still controlling the account that has you as a contact, then messages you pretending to be that person, with something like: "Oh, I didn't mean to send you that, can you tell me what the six-digit code was?" If you reply with the number, you can say goodbye to your WhatsApp account: the attacker enters the code, your number is now registered to their device, and they use your contact list to repeat the scheme.

Obviously, the best way to avoid falling into this trap is to never, under any circumstances, give anyone an authentication code you receive. A verification code is never sent to you by accident; it is sent because someone requested registration of your number. And if the person asking really had triggered a code for their own account, they could simply request it again themselves; they do not need your help.

So a little common sense will save you the pain. The attack is also a good reminder that you can and should enable WhatsApp two-step verification, found under Settings > Account > Two-step verification.

With two-step verification on, WhatsApp asks for a PIN that only you know whenever your phone number is re-registered. In other words, anyone (you or someone else) trying to set up your number on a new device needs that PIN to complete the process. The PIN is separate from the registration code sent by SMS; both are required to activate WhatsApp with your number on a new device, so an attacker who has tricked you out of the SMS code alone still cannot take over the account.
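The following is an added example, not WhatsApp's code or anything from the original article. It models a phone-number registration service in which an SMS code is always required and a user-chosen PIN is required only when two-step verification is enabled, then replays the attack above: the attacker starts registration of the victim's number and talks the victim into forwarding the SMS code. All names, the PIN-attempt limit and the code lifetime are assumptions made for the illustration; the PIN is stored as a salted PBKDF2 hash and compared in constant time, and repeated wrong PINs lock the number, which is how such a second factor should be handled even though the article does not describe WhatsApp's internal checks.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of a registration flow. Limits and names are assumed,
# not taken from WhatsApp.
OTP_TTL_SECONDS = 600
MAX_PIN_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class RegistrationService:
    def __init__(self):
        self._pin_records = {}    # phone -> (salt, pin_hash)
        self._pending_otps = {}   # phone -> (otp, expires_at)
        self._pin_failures = {}   # phone -> consecutive wrong PINs

    def enable_two_step(self, phone, pin):
        salt = secrets.token_bytes(16)
        self._pin_records[phone] = (salt, _hash_pin(pin, salt))

    def start_registration(self, phone):
        """Issue a six-digit code for the number. Returned here only so the
        simulation can model its delivery by SMS to the phone's owner."""
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending_otps[phone] = (otp, time.time() + OTP_TTL_SECONDS)
        return otp

    def complete_registration(self, phone, otp, pin=None):
        record = self._pending_otps.get(phone)
        if record is None:
            return "no pending registration"
        expected_otp, expires_at = record
        if time.time() > expires_at:
            del self._pending_otps[phone]
            return "code expired"
        if not hmac.compare_digest(expected_otp, otp):
            return "wrong code"
        # The SMS code alone is enough only if two-step is off.
        if phone in self._pin_records:
            if pin is None:
                return "pin required"
            if self._pin_failures.get(phone, 0) >= MAX_PIN_ATTEMPTS:
                return "pin locked"
            salt, stored = self._pin_records[phone]
            if not hmac.compare_digest(stored, _hash_pin(pin, salt)):
                self._pin_failures[phone] = self._pin_failures.get(phone, 0) + 1
                return "wrong pin"
        del self._pending_otps[phone]
        self._pin_failures.pop(phone, None)
        return "registered"


VICTIM = "+15550000001"   # constructed number
VICTIM_PIN = "4821"       # constructed PIN known only to the victim


def simulate_attack(victim_has_two_step):
    """Attacker registers the victim's number on the attacker's device after
    social-engineering the SMS code out of the victim."""
    svc = RegistrationService()
    if victim_has_two_step:
        svc.enable_two_step(VICTIM, VICTIM_PIN)
    otp = svc.start_registration(VICTIM)
    leaked_otp = otp   # "can you tell me what this six-digit code is?"
    return svc.complete_registration(VICTIM, leaked_otp)


def simulate_owner_reregistration():
    """The real owner moves to a new phone: has both the code and the PIN."""
    svc = RegistrationService()
    svc.enable_two_step(VICTIM, VICTIM_PIN)
    otp = svc.start_registration(VICTIM)
    return svc.complete_registration(VICTIM, otp, VICTIM_PIN)


def simulate_pin_guessing():
    """Attacker with the leaked code tries PINs until the number locks."""
    svc = RegistrationService()
    svc.enable_two_step(VICTIM, VICTIM_PIN)
    otp = svc.start_registration(VICTIM)
    results = [svc.complete_registration(VICTIM, otp, g) for g in ("0000", "1234", "1111")]
    results.append(svc.complete_registration(VICTIM, otp, VICTIM_PIN))
    return results


if __name__ == "__main__":
    print("no two-step:", simulate_attack(False))
    print("two-step on:", simulate_attack(True))
    print("owner on new phone:", simulate_owner_reregistration())
    print("PIN guessing:", simulate_pin_guessing())
```

The last simulation shows why the lockout matters: once the attacker has the SMS code, a four-digit PIN with unlimited guesses would fall in minutes, so the PIN must be rate-limited as well as secret.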

This substantially raises the bar against account hijacking, provided you treat the PIN the same way as the code: never share it, no matter who asks or what reason they give. If you forget the PIN, WhatsApp can send a reset link to the email address you registered when enabling the feature, so it is worth adding one. Do not forward that email to anyone else either.
