
My friend’s Whatsapp was hacked – and how you can avoid it

Last week, a friend of mine called me saying she had been locked out of her Whatsapp account on her phone, and someone else was logged in to Whatsapp as her.

My friend had received a message from one of her friends, saying that a code had mistakenly been sent to her number as an SMS, and could she please send it back. Since the message came from someone my friend trusted, and she had in fact just received such an SMS, she sent it.

Right away, she was logged out of her Whatsapp app.

My friend had been phished.

Phishing is an example of social engineering techniques used to deceive users.

Users are lured by communications purporting to be from trusted parties [such as friends]… typically carried out by email spoofing, instant messaging, and text messaging

The Wikipedia page on Phishing

My friend then told me that the attacker had gone on to take control of her friends' and relatives' accounts by simply repeating, from her account, what they had done to her.

My friend could not log straight back into her account, because Whatsapp limits how often a number can be re-registered on a new phone. This is presumably meant to guard against exactly this kind of hijack, but here the effect was that the legitimate owner was locked out while the attacker kept the session.

Eventually the attacker tried to get control of my account. This is the message I received from my friend’s Whatsapp:

And of course, in parallel, I had received a message from Whatsapp itself:

You can see how, if you are in the middle of something, you could distractedly copy and paste the OTP text – and lose control of your account before you knew what had happened.

The attacker had simply entered my number into the Whatsapp registration screen on their own phone. Whatsapp sends the OTP to the number, not to the phone that asked for it, so it landed on my phone. Since they already controlled my friend's account, they then messaged me as her, saying exactly what they had said at the start of this post: that the OTP was meant for her but had been sent to my number, could I please forward it?

“So what? You can’t log into my bank from Whatsapp”

In a discussion about this later, someone asked

“What do you get by hacking someone’s WA. It’s not like you can use the OTP for logging into bank accounts?”

Even if the damage is not financial, it can be worse. A compromised Whatsapp account is a form of identity theft. This friend is in a leadership position, and Whatsapp is a big part of how she engages: her team and key customers are all on Whatsapp, as are groups with parents, family, friends and professional contacts.

My friend later wrote to me

The person who took over btw after a while went nuts…booted people out of my groups where I am admin, started writing gibberish and changed group names to angry faces etc

This is embarrassing, and it could have been a lot worse. Plus, after the fact, she had to do a form of contact tracing to find out who else had been phished via this compromised account, and if they had suffered any reputational damage.

How to protect yourself from such an attack

Turn on two-step verification. It’s under Whatsapp ➝ Settings ➝ Account

From a 2018 Indian Express article about the feature.

Do it now. Stop reading this article and do it, and then read on. It takes under one minute to set up.

To reduce the chances of you forgetting your six-digit code, Whatsapp will occasionally ask you to enter it when you launch the app – not every time, but just enough that you stay familiar with what it is.

Here is why two-step verification (a form of two-factor authentication) makes it far less likely that this attack will succeed against you:

When you set up Whatsapp on a new phone, or re-install it on the same phone, you now need to go through two verification steps: one, you enter the OTP that is sent to your phone by SMS; and two, you enter this six-digit code, which is never sent anywhere and which only you know.

An attacker who has phished your friend's Whatsapp account can still trigger an OTP for your number and message you asking for it. You may even be fooled into sending it to them. But Whatsapp will then ask them for your six-digit code. The attacker cannot pull the same trick by saying a code was sent to you by mistake, because nothing was sent: they have to explicitly ask you for your account's six-digit code.

Even if they are posing as your friend, it is highly likely you will suspect something is up. Treat the code like a password: never send it to anyone, whoever they claim to be.
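To make the mechanics concrete, here is a small Python model of the registration flow, covering both the takeover described earlier (the attacker requests a code for your number and gets you to relay it) and the two-step check just described. It is an added illustration, not Whatsapp's code or the author's; the phone number, device names, PIN and the rate limit of three code requests per ten minutes are constructed assumptions, not Whatsapp's real values.

```python
# Toy model of phone-number registration with an optional second-step PIN.
# Added illustration only: NOT WhatsApp's code. The limits and names below
# are assumptions made for the example.
import secrets
from dataclasses import dataclass, field
from typing import Optional

OTP_RESEND_LIMIT = 3        # assumed: code requests allowed per number per window
OTP_WINDOW_SECONDS = 600    # assumed: window for the limit and for code validity


@dataclass
class Account:
    phone: str
    pin: Optional[str] = None            # two-step verification PIN; None = disabled
    active_device: Optional[str] = None  # device that currently holds the session


@dataclass
class Server:
    accounts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)    # phone -> (otp, expiry)
    requests: dict = field(default_factory=dict)   # phone -> request timestamps
    sms: list = field(default_factory=list)        # (phone, text) delivered to the SIM

    def request_code(self, phone: str, now: float) -> bool:
        """Any device may ask for a code; it is sent to the phone NUMBER, not to
        the device that asked. Returns False when the number is rate limited."""
        recent = [t for t in self.requests.get(phone, []) if now - t < OTP_WINDOW_SECONDS]
        if len(recent) >= OTP_RESEND_LIMIT:
            return False
        self.requests[phone] = recent + [now]
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (otp, now + OTP_WINDOW_SECONDS)
        self.sms.append((phone, f"Your verification code is {otp}"))
        return True

    def verify(self, phone: str, device: str, otp: str, pin: Optional[str], now: float) -> str:
        """The OTP is a bearer token: whoever types it in 'owns' the number.
        With a PIN set, the server also demands that second secret."""
        entry = self.pending.get(phone)
        if entry is None or now > entry[1] or not secrets.compare_digest(entry[0], otp):
            return "bad_otp"
        acct = self.accounts.setdefault(phone, Account(phone))
        if acct.pin is not None:
            if pin is None:
                return "pin_required"
            if not secrets.compare_digest(acct.pin, pin):
                return "bad_pin"
        del self.pending[phone]
        acct.active_device = device      # registering a new device evicts the old one
        return "ok"


def last_otp_on_sim(server: Server, phone: str) -> str:
    """What the victim sees on their phone and, if fooled, forwards to the 'friend'."""
    return server.sms[-1][1].split()[-1]


def run_otp_relay_phish(pin_enabled: bool) -> dict:
    """Replay the attack from the post against a victim with or without a PIN.
    Phone number, device names and PIN are constructed for the example."""
    victim, attacker = "+15550100", "attacker-phone"
    srv = Server()
    srv.accounts[victim] = Account(victim, pin="492817" if pin_enabled else None,
                                   active_device="victim-phone")
    # 1. Attacker enters the victim's number on their own phone: the code goes to the victim's SIM.
    srv.request_code(victim, now=0)
    # 2. The "friend" (the already-compromised account) asks for the code; the victim forwards it.
    relayed_otp = last_otp_on_sim(srv, victim)
    # 3. Attacker types the relayed code on their phone. They do not have the PIN.
    outcome = srv.verify(victim, attacker, relayed_otp, pin=None, now=5)
    return {"outcome": outcome, "holder": srv.accounts[victim].active_device, "server": srv}


def victim_recovery_attempts(srv: Server, phone: str, start: float) -> int:
    """After a takeover the owner keeps requesting codes; count how many the
    server accepts before the (assumed) rate limit locks the owner out as well."""
    accepted = 0
    for i in range(10):
        if srv.request_code(phone, now=start + i):
            accepted += 1
    return accepted
```

Running run_otp_relay_phish(False) and run_otp_relay_phish(True) shows the difference: the same relayed OTP registers the attacker's device in the first case and stops at pin_required in the second, with the session still on the victim's phone. victim_recovery_attempts then shows how the owner's own retries run into the resend limit, which is the lockout the post describes.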

So.

Do protect your Whatsapp account with two-factor authentication. Do get your parents, siblings and friends to set this up. Phishing is social engineering, and, like so many of our problems, has a social solution.

End note: What happens if you do forget your six digit two step verification code?

Well, Whatsapp will send instructions for resetting the code to the email address you provided when you set up two-step verification.

But what happens if the attacker first gets control of my email account? The reset instructions will land in an inbox the attacker controls.

Well. You protect your other accounts with two-factor authentication as well. Especially your email address – for many, that means their Google account. This is my guide on how to do that, without needing to remember several such six-digit two-factor codes:


(Featured image photo credit: Rachit Tank/Unsplash)

3 replies on “My friend’s Whatsapp was hacked – and how you can avoid it”

What are your thoughts on password managers like LastPass and others to manage your various codes?

Venkat – very good point. It’s coming up in a post soon. Before that I want to address the last part of this post – how to manage two factor codes for your Google, Facebook, Instagram and other accounts once you turn them on.
