Unless your profession is high-risk or you campaign against an authoritarian regime, you can ignore stories about WhatsApp spyware. You are not at risk—at least not from that type of sophisticated cyberattack. But your WhatsApp is probably at risk from a different kind of hack. It’s one you can easily protect against, but chances are you have left yourself exposed. It takes 30 seconds to fix this. Do that today.
The hack is a socially engineered theft of SMS authentication codes, enabling attackers to hijack accounts and then use those accounts to target the victim’s contacts with requests for money or malware-laced attachments.
If you haven’t seen reports on how this hack works, it is very simple: Your WhatsApp account is linked to your phone number. When you install WhatsApp onto a new phone, the app does not know the number of the phone it has been installed on. Instead, it asks you for your phone number, then texts you a code.
Relying on this SMS system means WhatsApp can be linked to a different number than the phone on which it’s installed. This creates a security vulnerability that attackers have been exploiting around the world for more than a year.
An attacker gets hold of your number from the compromised account of a friend. They install WhatsApp on a device and enter your number as the account—the system then texts you the SMS code. The attacker messages you on SMS or Facebook, pretending to be your friend, claiming to have been locked out of their phone. They say they’ve asked the network to text you their unlock code—please forward it to them.
That code is obviously a WhatsApp authentication code for your account. As soon as you send the attacker the code, they immediately hijack your account. The attacker won’t have your contacts or message history, but they will receive your new messages and see those contacts and other members of groups you belong to. With your account under their control, the attacker can message your contacts.
Fortunately, WhatsApp provides a surefire way to prevent your account being hijacked in this way. In addition to the six-digit SMS authentication code WhatsApp sends to authenticate a new install, the app also allows you to set a six-digit PIN of your own. The two numbers are different—but both are needed to enable a new install.
Unfortunately, there is a nasty new twist to this hijack. Attackers are setting up PINs in hijacked accounts to make it more difficult to recover stolen accounts. So when you reinstall the app, you’re asked for a PIN you don’t have. WhatsApp has got wise to this, and as soon as you enter the SMS code it locks out the attacker, but the account owner still needs to wait seven days to reclaim the account.
“The hacker now has set up 2 step verification,” one reader messaged me, “and I have to wait 7 days to reset. The WhatsApp support team is not supportive at all… I am so worried, and the support team is not answering at all.”
WhatsApp is unlikely to respond to support requests to help restore a stolen account, but you can find full details on its support site explaining what you should do.
And so it’s now even more critical to set up a PIN code; not doing so leaves you exposed. To set the PIN, go to Account > Two-step verification in the app’s settings, then enter a code of your own choice and an email address in case you forget it. WhatsApp will periodically ask you to enter the code when using the app; this is partly for security and partly to help you remember the code, given how rarely you change device.
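To make concrete why the PIN stops the hijack described above, here is a toy model of phone-number registration with an optional second factor. It is an added illustration, not WhatsApp’s code, and every class, function, phone number and PIN in it is an assumption constructed for the example: a server issues a six-digit SMS code for a number, and a new device is accepted only if it presents that code and, when two-step verification is enabled, the owner’s PIN as well. An attacker who has talked the victim into forwarding the SMS code succeeds against an account without a PIN and fails against one that has it.

```python
"""Toy model of phone-number registration with an optional two-step PIN.
Not WhatsApp's code: the server, account fields, phone number and PIN
below are assumptions made for illustration only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so a copy of the account store does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    pending_sms_code: Optional[str] = None   # code sent to the number, awaiting entry
    active_device: Optional[str] = None      # device currently holding the account


class RegistrationServer:
    """Hypothetical registration service; names are constructed for the example."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def account(self, phone: str) -> Account:
        return self.accounts.setdefault(phone, Account(phone))

    def enable_two_step(self, phone: str, pin: str) -> None:
        # The owner chooses a PIN; only its salted hash is stored.
        acct = self.account(phone)
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = hash_pin(pin, acct.pin_salt)

    def request_sms_code(self, phone: str) -> str:
        # Anyone who enters the number triggers this; the code goes to the number's owner.
        acct = self.account(phone)
        acct.pending_sms_code = f"{secrets.randbelow(10**6):06d}"
        return acct.pending_sms_code  # stands in for SMS delivery to `phone`

    def register_device(self, phone: str, device: str,
                        sms_code: str, pin: Optional[str] = None) -> str:
        acct = self.account(phone)
        if acct.pending_sms_code is None or not hmac.compare_digest(sms_code, acct.pending_sms_code):
            return "rejected: bad sms code"
        if acct.pin_hash is not None:
            # Two-step verification on: the SMS code alone is not enough.
            if pin is None or not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
                return "rejected: pin required"
        acct.pending_sms_code = None       # codes are single-use
        acct.active_device = device        # the new install takes over the account
        return "registered"


def simulate_code_forwarding_hijack(owner_has_pin: bool) -> Tuple[str, str]:
    """Replay the scenario from the article: attacker requests a code for the
    victim's number, the victim is tricked into forwarding it, attacker registers."""
    server = RegistrationServer()
    victim = "+15550000001"                      # constructed number
    if owner_has_pin:
        server.enable_two_step(victim, "482913")  # constructed PIN
    code = server.request_sms_code(victim)       # SMS lands on the victim's phone
    forwarded_code = code                        # victim forwards it to the "friend"
    outcome = server.register_device(victim, "attacker-phone", forwarded_code)
    return outcome, server.account(victim).active_device or ""


if __name__ == "__main__":
    print("no PIN  :", simulate_code_forwarding_hijack(owner_has_pin=False))
    print("with PIN:", simulate_code_forwarding_hijack(owner_has_pin=True))
```

The point the model makes is that the SMS code proves only that someone can read the victim’s texts (or persuade the victim to relay them), whereas the PIN is a secret the attacker cannot obtain through the same message, so the second check fails even with a perfectly phished code.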
It is surprising how many users have still not enabled this PIN code, despite all the warnings about this socially engineered hack. And while you may think it likely you’d spot the attack, the methods can vary—including messages that claim to come from WhatsApp itself asking you to send back an SMS code.
It is also surprising just how many people are getting caught out by this attack. I know multiple victims—chances are that you do as well. So now you’ve finished reading this article, go straight into WhatsApp and ensure you have the PIN set up. I promise you that avoiding the inconvenience of reinstalling the app, messaging your contacts to warn of the compromise and then losing a week’s messages as you wait for the account to restore is worth the 30 seconds of your time.
You can go to this link for additional help: https://faq.whatsapp.com/general/account-and-profile/lost-and-stolen-phones/?lang=en
(This article was written by Zak Doffman and first published on Forbes.com on August 4, 2020)