Story image

WhatsApp users warned to change voicemail PINs

18 Feb 2019

Australia’s Stay Smart Online is warning WhatsApp users to change their mobile’s voicemail PIN from the default PIN, if they haven’t done so already.

Attackers are allegedly gaining access to users’ WhatsApp accounts by using the default voicemail PIN to access voice authentication codes. Those codes can allow the attacker to use a victim’s WhatsApp account on the attacker’s own device.

The attack method isn’t new – it has been doing the rounds since 2017 and Israel’s National Cyber Directorate issued a warning about it - however people are still falling victim to the attack. 

Stay Smart Online explains how it works:

The attacker will install WhatsApp on their own device using a genuine user’s phone number. Usually this happens late at night when a user would generally be sleeping and not using their phone.

While WhatsApp will send a one-time verification SMS to the user’s phone, the attacker cannot see this if they don’t have the phone.

However, if a user doesn’t use the SMS code WhatsApp switches to a voice verification code. It calls the user’s phone and speaks the one-time verification code out loud. But because the user is asleep, the automated call goes to voicemail.

“Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code,” Stay Smart Online says.

“So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim’s four-digit PIN – which, if you haven't changed it, is typically a simple combination such as 0000 or 1234 by default."

“Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device."

“When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account,” adds Sophos’ Danny Bradbury.

“To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to re-verify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.”

WhatsApp users should change their voicemail PINS to a strong password. This can be done in the phone’s voicemail settings or by calling the user’s phone service provider.

Users should also enable two-factor authentication on their WhatsApp account for an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nozomi and RIoT to deliver advanced ICS security solutions to Australia
''As a specialised integrator of robust and resilient ICT and IoT solutions within Australia, we are delighted to be partnering with Nozomi Networks."
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.