HKCERT Alerts the Public on Preventive Measures Against WhatsApp Account Theft
Recently, there has been a surge in cyber attacks targeting WhatsApp accounts. Hackers send messages to victims, impersonating their friends and family, and ask the victims to forward the registration codes of their WhatsApp accounts. The fraudsters use these registration codes to gain access to the victims' WhatsApp accounts and hijack them. The fraudsters then use the victims' accounts to send messages to contacts in their address books, attempting to deceive them for financial gain or to obtain sensitive personal information for criminal purposes.
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is closely monitoring recent attacks and has compiled answers and security recommendations for three common questions from the public regarding account security:
Can the account owner regain control immediately after it has been stolen?
Once the hackers obtain the registration code for the victim’s WhatsApp account, they can log into and hijack the victim’s account. Meanwhile, the victim will be forcefully logged out of their own account, and WhatsApp will display a screen requesting the input of the phone number. If the victim immediately logs in with their registered phone number at this point, they can regain control of their account.
The steps are as follows: once the victim enters their phone number to log in again, WhatsApp will request a one-time registration code. At this point, the user can choose to receive the registration code via SMS or phone call and enter it. After completing this process, they regain control of their account.
When the victim logs in to their account again, they will be prompted to enter the registration code for their WhatsApp account. The user should choose to receive the verification code via SMS or phone call.
Can enabling two-step verification provide effective protection for the account?
Enabling two-step verification can effectively prevent hackers from logging into and hijacking user accounts.
After enabling two-step verification, users are required to set a 6-digit PIN code. Once set, even if a fraudster manages to obtain the user's login registration code and successfully accesses the user's account, the fraudster will still be prompted to enter the user's pre-set two-step verification PIN code in order to use the user's WhatsApp account. In other words, after setting up the PIN, hackers cannot take over the user’s WhatsApp account.
Hackers cannot use the user's WhatsApp account if they do not have the user's two-step verification PIN code.
If the original account does not have two-step verification enabled and the fraudster enables it after gaining access, would it be impossible to regain control of the account?
No. If a fraudster manages to hijack a user's account and enables two-step verification, the user can still regain control.
When the user logs into the account again, WhatsApp will require the user to enter the two-step verification PIN set by the scammer. The user cannot use WhatsApp without the PIN. However, according to WhatsApp’s guidelines, the user is allowed to reset the PIN after seven days. WhatsApp also allows the user to reset the PIN via the email address the user has provided to WhatsApp, if any.
Nonetheless, regardless of whether the user possesses the PIN or not, once the user enters the SMS registration code, the other party will be forcibly logged out and will no longer be able to use the WhatsApp account.
HKCERT reminds the public of preventive measures against WhatsApp account theft. It is recommended to:
- Enable WhatsApp’s two-step verification.
- Set up a recovery email for the PIN, in case you forget the PIN.
- Do not share the WhatsApp registration code and two-step verification PIN with others.
- Regularly check the linked devices in the WhatsApp settings and log out of any devices that are no longer in use.
- Avoid downloading and using the WhatsApp application from unofficial sources.