
WhatsApp users warned to change voicemail PINs

18 Feb 2019

Australia’s Stay Smart Online is warning WhatsApp users to change their mobile’s voicemail PIN from the default PIN, if they haven’t done so already.

Attackers are allegedly gaining access to users’ WhatsApp accounts by using the default voicemail PIN to access voice authentication codes. Those codes can allow the attacker to use a victim’s WhatsApp account on the attacker’s own device.

The attack method isn’t new: it has been doing the rounds since 2017, and Israel’s National Cyber Directorate issued a warning about it. However, people are still falling victim to the attack.

Stay Smart Online explains how it works:

The attacker will install WhatsApp on their own device using a genuine user’s phone number. Usually this happens late at night when a user would generally be sleeping and not using their phone.

While WhatsApp will send a one-time verification SMS to the user’s phone, the attacker cannot see this if they don’t have the phone.

However, if a user doesn’t use the SMS code, WhatsApp switches to a voice verification code. It calls the user’s phone and speaks the one-time verification code out loud. But because the user is asleep, the automated call goes to voicemail.

“Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code,” Stay Smart Online says.

“So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim’s four-digit PIN – which, if you haven’t changed it, is typically a simple combination such as 0000 or 1234 by default.”

“Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device.”

“When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account,” adds Sophos’ Danny Bradbury.

“To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to re-verify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.”

WhatsApp users should change their voicemail PINs to a strong password. This can be done in the phone’s voicemail settings or by calling the user’s phone service provider.

Users should also enable two-factor authentication on their WhatsApp account for an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.
