WhatsApp users need to ensure they have changed their settings to protect themselves from a security threat, which could leave them without access to their chats for seven days or more. As reported by Forbes, WhatsApp users who do not tweak their settings could be at risk from a new account-stealing scam.
As detailed by cybersecurity expert Zak Doffman, attackers can “easily” steal WhatsApp accounts using this new scam technique. This is because a WhatsApp account identifier is your phone number, and the only time WhatsApp checks that a phone number and device match up is when WhatsApp is first installed.
To check this, a randomly generated six-digit SMS code is sent to the corresponding phone number entered into WhatsApp during the set-up process.
A bad actor could get hold of your phone number and enter it into WhatsApp as the account identifier. However, to take over your account, they need to trick the two-factor authentication, which sends a six-digit code to the phone number associated with your account. If they don’t have your phone in their hands… that could be tricky.
However, there are ways threat actors can try to steal this code. There have been a number of attacks in recent weeks where bad actors are able to steal these verification codes sent over SMS via an Android backdoor. This vulnerability means lock screen previews of SMS codes can also be obtained using some malware.
The crucial six-digit verification code needed to set up a WhatsApp account has also been obtained via social engineering scams. A compromised WhatsApp or Facebook account may contact a target saying a code has been accidentally sent to the victim’s device and asking them to forward it on to them.
After they’ve entered the six-digit verification code, WhatsApp (incorrectly) believes their handset belongs to you and grants them access. It’s a scam that Express.co.uk reported on towards the end of last year, but it appears to be on the rise now. Last November, veteran British radio presenter Jeremy Vine alerted his fans on Twitter to the threat after becoming a target.
Thankfully, even if a bad actor is able to get hold of this two-factor authentication code there is a way WhatsApp users can protect themselves right now.
In the WhatsApp app, users can head to the Settings section to enable Two-Step Verification. This is a unique code that you set up yourself, and bad actors would not be able to hijack your account without it.
To set it up, simply open WhatsApp then head to Settings, Account and then Two-Step Verification.
Select Enable and then enter a six-digit code of your choice.
Having this set up is an important safeguard: if hackers do manage to hijack your account, it can leave you without access to WhatsApp for at least a week. As WhatsApp explains online, in the event of an account hijacking attempt, if you don’t have a Two-Step Verification code you could be without access for seven days.
And in that time nefarious parties could be wreaking havoc, messaging your contacts all sorts of things. Explaining how compromised users can recover an account, WhatsApp said: “Sign into WhatsApp with your phone number and verify your phone number by entering the 6-digit code you receive via SMS. Once you enter the 6-digit SMS code, the individual using your account is automatically logged out.
“You might also be asked to provide a two-step verification code. If you don’t know this code, the individual using your account might have enabled two-step verification.
“You must wait 7 days before you can sign in without the two-step verification code. Regardless of whether you know this verification code, the other individual was logged out of your account once you entered the 6-digit SMS code.”