Here we go again – I’ve probably warned more about this account hacking threat than any other over the years, but it’s still around and can still wreak havoc on your life. What makes this worse – much worse – is that you can easily protect your phone and WhatsApp account from these attacks. It takes less than a minute. Do it now before it’s too late.
A police force has just warned that “a rise in fraudsters are trying to take over people’s WhatsApp accounts”. The warning comes from the UK, but it could apply anywhere, given that WhatsApp is now installed on more than 3 billion iPhone and Android devices. These latest attacks have targeted groups – including students, health workers, faith and religious groups and businesses. The objective is to capture one account and then attack the rest of the group from there.
The attack itself has never changed. When you install WhatsApp on a new phone, you enter your mobile number and the platform sends you a one-time passcode to verify that the account can work on that device. WhatsApp does not check whether the mobile number associated with the account is the same as the mobile number of the device. This means that you can install any WhatsApp account on any phone – regardless of its number or even its geographical location.
As Meta CEO Mark Zuckerberg himself has just warned, the weakness in WhatsApp’s end-to-end encryption is the “endpoints”. While data cannot be intercepted in transit between devices, if a hacker can capture or control a device that is an endpoint, then WhatsApp is open. If that device is part of a group, then the hacker can also access the group. This opens up the threat of socially engineered attacks launched from the victim’s WhatsApp account against their contacts and groups.
As for the latest police warning, BBC News reports that “an alert was raised by the force after officers were alerted to stolen funds being converted into Nigerian currency… but this type of crime could happen from within the UK and abroad. Police said faith and religious groups in particular were a prime target for fraudsters – often in large groups where each person may not know every single participant.”
So here’s what you should do if you haven’t already. First, open WhatsApp, go to Settings > Account, and make sure that two-step verification is enabled. This lets you set a PIN of your choice – separate from the one-time code WhatsApp sends – which an attacker would also need to enter to gain control of your account. Second, configure a passkey from the same account settings tab if it is available. This ties your login to the biometrics that secure your iPhone or Android. And thirdly, make sure you add an email address, which WhatsApp will verify and can then use to help you recover your account if needed.
“We’ve had reports that the person asking for codes in these groups has a picture in their bio of the organisation’s logo, so they think they’re talking to someone they know and trust,” Derbyshire police warned. “When that person is in control, they’re sending messages in your name and image – they’ll go through friends and family looking to borrow money.”
You should already know that you should never share a one-time code sent to your phone via SMS or even WhatsApp. There are countless social-engineering lures designed to trick users into sending these codes to someone they think they know, but who is actually an attacker using an already compromised account. But if you enable the security settings above, it doesn’t matter if you’ve been tricked into sharing a code. Your account stays locked to you.