
All it takes is a few carefully curated steps to take over someone else's WhatsApp account. It really is that simple.
WhatsApp, the popular instant messaging app, knows that its users are being scammed and tricked. To ensure that its users' devices are no longer impacted by malware attacks aimed at account takeovers, WhatsApp is introducing several new security features.
WhatsApp announced this in a blog post, saying that:
Your privacy remains our priority.
To better protect our users, we’re rolling out security features that give you more layers of privacy and more control over your messages
Check the below to see the new account defense updates.
— WhatsApp (@WhatsApp) April 13, 2023
The security measures include:
- Account Protect: If ever users need to switch their WhatsApp account to a new device, WhatsApp will check that it's really them. With the update, WhatsApp may ask users on their old device to verify that they want to take this step as an extra security check. This feature can help alert them to an unauthorized attempt to move their account to another device.
- Device Verification: Mobile device malware is one of the biggest threats to people's privacy and security because it can take advantage of a person's phone without their permission and use their WhatsApp to send unwanted messages. To help prevent this, WhatsApp has added checks that help authenticate the account and require no action from users.
- Automatic Security Codes: WhatsApp's most security-conscious users have always been able to take advantage of its security code verification feature, which helps ensure that they're chatting with the intended recipient. Users can check this manually by going to the encryption tab under a contact's information. To make this process easier and more accessible to everyone, WhatsApp is rolling out a security feature based on a process called "Key Transparency" that allows users to automatically verify that they have a secure connection.

But the feature Meta is showcasing the most is Device Verification.
In a separate post, Meta said that it is "concerned about malware that infects a mobile phone in much the same way a virus infects a computer."
In particular, Meta is concerned about malware that is "used to advance account takeover (ATO) attacks that send messages without the user's knowledge or permission."
Device Verification is purposefully designed to help prevent ATO attacks by blocking the attacker's connection while allowing victims to use their WhatsApp account uninterrupted.
The feature builds on one of the several cryptographic keys WhatsApp uses to keep communications across the app end-to-end encrypted, and introduces three new parameters:
- A security-token that is stored on the user's device.
- A nonce that is used to identify whether a client is connecting to retrieve a message from the WhatsApp server.
- An authentication-challenge that is used to asynchronously ping the user's device.
According to Meta, among the several cryptographic keys WhatsApp uses, one of them is the authentication key, which allows a WhatsApp client to connect to the WhatsApp server to reestablish a trusted connection. It is this particular key that allows people to use WhatsApp without having to enter a password, PIN, SMS code, or other credential every time they open the app.
"This mechanism is secure because the authentication key cannot be intercepted by any third party including WhatsApp," said Meta.
However, if a device is infected with malware, the authentication key can be stolen.

Unofficial WhatsApp clients, or other forms of specialized malware, can put users' security at risk.
This is because once malware is present, attackers can use it to capture the authentication key and then use that key to impersonate the victim, sending spam, scams, phishing attempts, etc. to other potential victims.
Device Verification can help WhatsApp identify these scenarios and protect the user’s account without interruption.
According to Meta, the security-token gets updated whenever the user's WhatsApp client receives an offline message from the server. This process is called bootstrapping the security-token.
The security-token also gets updated whenever the user's WhatsApp client connects to the WhatsApp server.
WhatsApp said Device Verification is initially being introduced to users on Android.
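To make the interaction between the three parameters and the token updates concrete, here is an added toy model; it is not WhatsApp's code, and the page does not publish Meta's actual protocol. The HMAC binding of the rotating security-token to the static authentication key, the `Device` and `Server` classes, the per-connection nonce and the `blocked` counter are all assumptions of this illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 binding the long-lived auth key to a rotating token (assumed construction)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Device:
    """Toy client: holds the authentication key plus the current security-token."""

    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.token = b""  # empty until the server bootstraps it

    def connect_proof(self, nonce: bytes) -> bytes:
        return _mac(self.auth_key, nonce, self.token)

    def answer_challenge(self, challenge: bytes) -> bytes:
        return _mac(self.auth_key, challenge, self.token)


class Server:
    """Toy server: one current token per account, one registered device to ping."""

    def __init__(self, auth_key: bytes, registered: Device):
        self.auth_key = auth_key
        self.registered = registered  # only this device receives asynchronous pings
        self.token = b""
        self.blocked = 0  # connections refused because a clone was detected

    def _rotate(self, device: Device) -> None:
        # Every accepted connection (and every offline-message delivery) issues
        # a fresh token, so a copied key alone drifts out of step with the server.
        self.token = device.token = secrets.token_bytes(16)

    def connect(self, client: Device) -> bool:
        nonce = secrets.token_bytes(16)  # fresh per connection attempt
        if hmac.compare_digest(client.connect_proof(nonce),
                               _mac(self.auth_key, nonce, self.token)):
            self._rotate(client)
            return True
        # Token out of step: asynchronously challenge the registered device.
        challenge = secrets.token_bytes(16)
        if hmac.compare_digest(self.registered.answer_challenge(challenge),
                               _mac(self.auth_key, challenge, self.token)):
            self.blocked += 1  # registered device is in sync, so this client is a clone
        else:
            self._rotate(self.registered)  # registered device fell behind: re-bootstrap it
        return False
```

Run through in order, a clone holding only the copied key is refused while the registered device keeps connecting, and a clone that also copied the token gets at most one session before the registered device's re-bootstrap leaves it behind.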
"This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company said.