Beware of Unauthorised Deactivation of WhatsApp Account
An overseas security researcher recently demonstrated how to exploit a flaw in WhatsApp's SMS verification and account deactivation process to deactivate a person's WhatsApp account without his or her knowledge. Even two-step verification could not prevent the move. As WhatsApp is a widely used instant messaging app in Hong Kong, the potential impact of the flaw could be quite substantial.
In the demonstration, the attacker first tries to set up a WhatsApp account on the attacker's own device using the victim's phone number. When WhatsApp asks for the verification code, which is sent by SMS to the legitimate owner of the phone number, the attacker repeatedly enters a wrong code until the app disallows any further attempts. The attacker then impersonates the victim, contacts the WhatsApp customer service team claiming that the mobile phone has been stolen, and requests an account deactivation.
HKCERT recommends that WhatsApp users take the following actions to protect their accounts:
- Enable two-step verification and fill in the email address;
- Do not forward or share the SMS verification code with anyone. If you did not request it, report this abnormality to WhatsApp immediately; and
- Set up a screen lock on the mobile phone to protect against theft or loss.
Since WhatsApp uses the mobile phone number to authenticate users, if you lose your mobile phone, you should:
- Report the loss of the phone to your mobile phone operator immediately;
- Sign in to WhatsApp with your phone number after getting a new card, as it will log out all the active sessions of your account automatically; and
- Use the lost-device tracking feature (e.g. Apple - Find My iPhone / Google - Find My Device) to lock your device or erase all data in order to protect against data leakage.