Reports emerged yesterday that some Israeli WhatsApp users’ accounts have been hacked, and that the problem is sufficiently widespread that the Israeli government has seen fit to send out a warning about it.
Leave a message
The hack exploits the fact that many consumers never change their voicemail PIN from the default ‘0000’ or ‘1234’.
Hackers abuse WhatsApp’s fallback verification mechanism, whereby the service phones the user and reads out a verification code when the code sent by SMS is not confirmed. By timing their requests for verification codes for late at night, or for other times when they know users are away from their phones, they let the call go to voicemail and then retrieve the spoken code from the user’s voicemail service.
This allows hackers to link users’ real phone numbers with an illicit device. Once they’ve done that, they can enable two-step verification (one of the methods of avoiding such a hack in the first place) and prevent the legitimate user from regaining access to their account.
So far, the problem seems to be confined to Israel, but considering plenty of mobile operators globally also have a default voicemail password, there’s no reason the same method couldn’t be used elsewhere.
The easiest way to prevent such an attack is to either change your voicemail password to something more secure (and preferably not something easily looked up, like your birthday), set up two-step verification in your WhatsApp account, or, even better, do both.
As a general rule, in addition to changing all default passwords and PINs and making sure they’re different for every major service you use, it also pays to enable two-step verification (often called two-factor authentication or 2FA) wherever it’s offered. We recommend using it for Gmail, Facebook, Twitter, WordPress and, in particular, any financial services you use.