Story image

WhatsApp users warned to change voicemail PINs

18 Feb 2019

Australia’s Stay Smart Online is warning WhatsApp users to change their mobile’s voicemail PIN from the default PIN, if they haven’t done so already.

Attackers are allegedly gaining access to users’ WhatsApp accounts by using the default voicemail PIN to access voice authentication codes. Those codes can allow the attacker to use a victim’s WhatsApp account on the attacker’s own device.

The attack method isn’t new – it has been doing the rounds since 2017 and Israel’s National Cyber Directorate issued a warning about it - however people are still falling victim to the attack. 

Stay Smart Online explains how it works:

The attacker will install WhatsApp on their own device using a genuine user’s phone number. Usually this happens late at night when a user would generally be sleeping and not using their phone.

While WhatsApp will send a one-time verification SMS to the user’s phone, the attacker cannot see this if they don’t have the phone.

However, if a user doesn’t use the SMS code WhatsApp switches to a voice verification code. It calls the user’s phone and speaks the one-time verification code out loud. But because the user is asleep, the automated call goes to voicemail.

“Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code,” Stay Smart Online says.

“So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim’s four-digit PIN – which, if you haven't changed it, is typically a simple combination such as 0000 or 1234 by default."

“Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device."

“When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account,” adds Sophos’ Danny Bradbury.

“To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to re-verify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.”

WhatsApp users should change their voicemail PINS to a strong password. This can be done in the phone’s voicemail settings or by calling the user’s phone service provider.

Users should also enable two-factor authentication on their WhatsApp account for an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.