Almost everyone is familiar with the Facebook-owned messenger WhatsApp; it is the primary communication channel for about 2 billion users. That is why the new WhatsApp verification code scam, reported by thousands of users, matters. Please read about how it works, learn how to protect your WhatsApp account from hackers, and pass the information on to others.
Table of Contents
- Who Can Be The Victim Of This ‘WhatsApp Verification Code Scam’?
- Symptoms Of The ‘WhatsApp Account Suspension Attack’:
- How Do Attackers Hijack WhatsApp Accounts In This New ‘WhatsApp Verification Code Scam’?
- How WhatsApp Can Address This ‘WhatsApp Verification Code Scam’?
- How You Can Protect Your WhatsApp Account From Hackers?
Who Can Be The Victim Of This ‘WhatsApp Verification Code Scam’?
Any of the 2 billion WhatsApp users could be a target. The victim may be picked at random or deliberately chosen. All an attacker needs to start is your phone number, so please be aware of this WhatsApp verification code scam, make others aware of it, and protect your WhatsApp account from hackers.
Symptoms Of The ‘WhatsApp Account Suspension Attack’:
Before we look at how the attack works, here are the symptoms of the WhatsApp account suspension attack.
No technical knowledge is required to recognise it. You suddenly start receiving multiple WhatsApp verification messages, each carrying a six-digit code, on your phone number: five or six of them within a short time is typical. You cannot stop these messages from arriving. What you can do is ignore all of them and report the incident to the WhatsApp support team. Ignoring the codes and reporting them are the two best things you can do to stay safe from this attack.
How Do Attackers Hijack WhatsApp Accounts In This New ‘WhatsApp Verification Code Scam’?
Now let's look at how an attacker uses nothing more than your phone number to get your WhatsApp account deactivated on your phone and keep you from getting back in. You may think you are protected because you have two-step verification (2FA) enabled. You are not: WhatsApp's two-step verification stops someone else from completing registration with your number, but it does not stop the lockout described below, because the attacker never needs to get into your account. Here is how the attack works.
- First, the attacker obtains your phone number. There are many sources: dark web data dumps, social media profiles, social engineering, phishing, and WhatsApp itself, where every member of a group can see every other member's number. The recently reported Facebook data leak, which exposed the phone numbers and personal data of 533 million Facebook users online, is one such source.
- When you install WhatsApp, it asks for your phone number and then sends a six-digit verification code to that number by SMS or voice call. The attacker abuses this step: he installs WhatsApp on his own phone and enters your number. The code, or the call, goes to your phone, not his.
- The attacker then repeatedly enters wrong codes and requests new ones. Each request lands as another verification SMS or call on your phone.
- WhatsApp rate-limits this to stop brute-forcing. After a few attempts the attacker's app shows "Resend SMS/Call me in 12 hours": no new codes are generated for your number and code entry is blocked for the next 12 hours. The important detail is that this limit is tied to your phone number, not to the attacker's device. Your installed WhatsApp keeps working normally at this point, and there is nothing you can do to stop the messages.
- The next 12 hours decide the outcome, and your own actions matter most. If you ignore the messages and report them to WhatsApp support, you are safe. If you uninstall and try to re-verify WhatsApp on your phone, you will very likely lose access to your account.
- While you are busy re-verifying, the attacker writes to WhatsApp support by email, from an address that is typically stolen or compromised, asking for your number to be deactivated.
- WhatsApp replies with an automated email asking him to enter the phone number, and then deactivates it. There is no step that confirms the request really came from the person holding the account; the whole process runs automatically, without your knowledge.
- A couple of hours later WhatsApp stops working on your phone and shows: "Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn't do this, verify your phone number to log back into your account."
- If you now try to re-register, the app says "You've tried to register your number recently. Wait before requesting an SMS or a call." No code or call arrives, because the 12-hour restriction on your number is still in force. You cannot request a new code until the 12 hours are over, and the codes you received earlier no longer work. Your account is frozen.
- After the 12 hours you can re-verify with a fresh six-digit code. But there is a twist: the attacker does not even need the deactivation email to keep you out. He can simply repeat the wrong-code routine as soon as the 12 hours elapse, and you receive another burst of verification messages.
- On the third round WhatsApp breaks down and shows "You have guessed too many times, try again after -1 seconds", blocking both the attacker and you from requesting or entering a new code.
- It is a race: if the attacker reaches WhatsApp before you do, you are locked out with no self-service way back in. Your only option is to contact WhatsApp support and find someone who can restore the account.
How WhatsApp Can Address This ‘WhatsApp Verification Code Scam’?
The automated verification flow, combined with a 12-hour freeze that is keyed to the phone number rather than to the device requesting codes, is what makes this attack possible. We recommend that WhatsApp address it: locking someone out of their own account should not be this easy. WhatsApp could use a trusted-device model like the one Apple uses for multi-device sign-in.
When a number that is already verified on one device is registered on a second device, the app on the first device, which has already passed two-step verification, should be asked to authorise the second device, instead of the second device going through the same SMS and PIN flow on its own. Failed attempts from the second device should then count against that device, not against the number, and a deactivation request should likewise need confirmation from the device that currently holds the account. That would fix this vulnerability.
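To make the race concrete, here is an added Python model that is not WhatsApp's code and not from this article's author. It covers both the attack steps listed above and the trusted-device fix proposed in this section: a flawed service whose wrong-code counter and 12-hour freeze are keyed to the phone number, next to a hardened one that keys them to (number, device) and requires the device that currently holds the account to approve a move or a deactivation. The thresholds (five wrong codes, a 12-hour freeze), the method names, the verification code, the phone number and the device names are all assumptions chosen to match the behaviour described; the real service's limits are not public.

```python
"""Model of the WhatsApp registration-lockout race and of a trusted-device fix.
Added illustration, not WhatsApp's code. Thresholds and names are assumptions."""
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 12 * 3600   # assumed: the 12-hour freeze described above
MAX_BAD_CODES = 5             # assumed: wrong guesses that trigger the freeze
REAL_CODE = "483921"          # constructed: the code delivered to the owner's phone


@dataclass
class NumberKeyedService:
    """Flawed flow as described: one counter and one lock per phone number,
    no matter whose device is entering the codes."""
    bad: dict = field(default_factory=dict)           # number -> wrong guesses
    locked_until: dict = field(default_factory=dict)  # number -> unix time
    active: dict = field(default_factory=dict)        # number -> device holding it

    def submit_code(self, number, device, code, now):
        if self.locked_until.get(number, 0) > now:
            return "wait"                 # "Resend SMS/Call me in 12 hours"
        if code != REAL_CODE:
            self.bad[number] = self.bad.get(number, 0) + 1
            if self.bad[number] >= MAX_BAD_CODES:
                self.locked_until[number] = now + LOCKOUT_SECONDS
                self.bad[number] = 0
                return "locked"
            return "wrong"
        self.active[number] = device
        return "registered"

    def deactivate(self, number, requester):
        # Any e-mailed request is honoured; nothing ties it to the active device.
        self.active.pop(number, None)
        return "deactivated"


@dataclass
class DeviceKeyedService:
    """Hardened flow: counters keyed by (number, device); a number already
    verified on one device can only be moved or deactivated with that
    device's approval."""
    bad: dict = field(default_factory=dict)           # (number, device) -> count
    locked_until: dict = field(default_factory=dict)  # (number, device) -> time
    active: dict = field(default_factory=dict)        # number -> device holding it
    pending: dict = field(default_factory=dict)       # number -> devices awaiting approval

    def submit_code(self, number, device, code, now):
        key = (number, device)
        if self.locked_until.get(key, 0) > now:
            return "wait"                 # only this device is frozen
        if code != REAL_CODE:
            self.bad[key] = self.bad.get(key, 0) + 1
            if self.bad[key] >= MAX_BAD_CODES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                self.bad[key] = 0
                return "locked"
            return "wrong"
        holder = self.active.get(number)
        if holder not in (None, device):
            self.pending.setdefault(number, set()).add(device)
            return "needs_approval"       # the verified device must authorise
        self.active[number] = device
        return "registered"

    def approve(self, number, approver, device):
        if self.active.get(number) != approver or device not in self.pending.get(number, ()):
            return "denied"
        self.pending[number].discard(device)
        self.active[number] = device
        return "moved"

    def deactivate(self, number, requester):
        if self.active.get(number) != requester:
            return "denied"               # an e-mail from a stranger is not enough
        self.active.pop(number)
        return "deactivated"


def run_race(service):
    """Owner registers a constructed number; attacker burns the wrong-code
    budget; owner reinstalls a minute later and enters the real code; attacker
    then asks for deactivation. Returns (attacker's last result, owner's
    result, deactivation result)."""
    number, owner, attacker = "+15550001234", "owner-phone", "attacker-phone"
    now = 1_700_000_000
    service.submit_code(number, owner, REAL_CODE, now)        # owner holds the number
    last = None
    for guess in range(MAX_BAD_CODES):
        last = service.submit_code(number, attacker, f"{guess:06d}", now + guess)
    owner_result = service.submit_code(number, owner, REAL_CODE, now + 60)
    deact = service.deactivate(number, attacker)
    return last, owner_result, deact


if __name__ == "__main__":
    print("per-number limiter:", run_race(NumberKeyedService()))
    print("per-device limiter:", run_race(DeviceKeyedService()))
```

With the number-keyed service the attacker's fifth wrong guess freezes the number, the owner's correct code is answered with "wait", and the stranger's deactivation request succeeds, which is exactly the sequence in the steps above. With the device-keyed service the freeze applies only to the attacker's device, the owner re-registers normally, the deactivation is refused, and even an attacker who somehow obtained a valid code after the freeze would only land in the pending list until the owner's device approves.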
How You Can Protect Your WhatsApp Account From Hackers?
Hackers keep finding new ways to hijack WhatsApp accounts, and as the account owner it is your responsibility to protect yourself. In this particular scam there is not much a user can do to stop the attack itself, but you should not sit back and leave everything to WhatsApp. A few things are in your hands, and they help to keep your WhatsApp account from being hacked.
- Report to WhatsApp support: If you start getting multiple verification messages in a short time, report it to WhatsApp support and do not react to the messages. A burst of codes you did not request is a clear sign that someone is trying to register your phone number.
- Don't reinstall the app: This is the most common mistake. Do not uninstall, reinstall, or re-verify your account while the codes are arriving. Once the attacker has used up the allowed attempts, WhatsApp blocks re-verification of your number for 12 hours, so reinstalling guarantees that you lose access for at least that long.
- Enable two-step verification: This is one of the best protections available. The six-digit PIN and the recovery email address are the key factors. Registering an email address with two-step verification also helps the WhatsApp support team confirm that it is really you when you need your account restored.
- Understand what the PIN protects: Once two-step verification is on, WhatsApp asks for the PIN whenever your number is registered on another device, so an attacker who gets hold of a verification code still cannot take over your account. It does not stop the lockout described above, because the attacker never needs to get in.
- Export chats and delete: It is good practice to export your chat history to your email or cloud storage and protect it with a password, because the default export is not encrypted. Then delete the complete chat history from the phone.
- Move the backups to external storage: This option is for Android users only. Export the backup to external storage and delete the copy on the phone, so that an attacker who gains control of the account cannot reach your data.
- Install WhatsApp updates: Always update WhatsApp as soon as a new version is available. Updates fix bugs and vulnerabilities that existed in older versions.
Please share this article with your friends and family so that they too can recognise this WhatsApp verification code scam and protect their WhatsApp accounts from hackers.
Thanks for reading. Please visit our blog for more articles like this one.