There is a newly discovered way of hacking into people’s WhatsApp accounts. The technique is simple and is quickly becoming popular with hackers around the globe. The problem is not with WhatsApp’s security features per se, but with how voicemail accounts on most telecommunications networks are secured.
The hacker begins by installing WhatsApp on a new device using your number
If you have been using WhatsApp, then you probably know the steps the company uses to authenticate users. You go to your respective app store, download the WhatsApp app to your device, and then the company sends you a verification code via SMS.
At the verification stage, you can opt for voice call verification instead of the SMS. Here is where things go wrong. Hackers install the app on a device using your number and opt for phone call verification, in which WhatsApp calls the number being verified and reads aloud the verification code used to log into the account. The hackers time their activities for a period when you most likely will not be receiving any calls.
Voicemail default password that you never change
For most people, that is at night: while you are asleep, you either turn off your phone or set it to silent. So when the WhatsApp verification call comes through, it goes straight to your voicemail. However, most people don’t bother securing their voicemail accounts. They leave the password at the default setting of either 0000 or 1234.
Couple that with the fact that most telecommunications companies around the world give their subscribers a generic phone number to call to retrieve their voicemail. All a hacker needs to do to hijack your account is pick a time when you are most likely not going to receive a phone call, then sign into WhatsApp using your number and, at the verification stage, opt for the voice call.
When the WhatsApp phone call comes through to your end, it will go to voicemail, since you did not pick up. The hacker will then call the generic voicemail number given by your carrier and try either of the two passwords mentioned above. For most subscribers, it is one of the two, but even if it were not, a clever hacker could use brute-force tactics to break into your voicemail.
Hacker uses Voicemail default password to get verification code
Once the hacker successfully accesses your voicemail, they will play back the authentication voicemail from WhatsApp, and just like that, they have the code needed to sign into your account.
You will only realize you have been hacked (or rather kicked out of your own WhatsApp account) the next time you try to use the app. Some hackers go as far as setting up two-factor authentication with their own credentials to fully lock you out, in which case it would be extra hard to get back into your account.
As a rule of thumb, you are strongly advised to set up two-factor authentication on your WhatsApp right now, if you haven’t already. Simply go to Settings > Account > Two-step verification > Enable.
You will be asked to set up a six-digit PIN, which you will be asked for each time you log into WhatsApp again, followed by an email address for verification.