Beware of ‘friends’ asking for security codes on WhatsApp


Hackers use the codes to gain full access to their victims’ accounts.

A few incidents have recently come to light, including one in which a secondary school friend contacted an acquaintance months ago, asking for a verification code on WhatsApp. The friend simply claimed to have “accidentally” sent the code to his number. The victim did not suspect anything was amiss, but within seconds of sending the code, he was locked out of his own WhatsApp account. His WhatsApp account had been hijacked.

The person regained control of his account some 24 hours later after writing to WhatsApp, but by then the hacker had assumed his identity and tricked two of his friends into handing over their verification codes as well.

Several WhatsApp users have reported becoming victims of social hacking, where scammers use already hijacked social media accounts to contact victims by posing as their friends or family. This does not include unreported cases, which are expected to be much higher in number.

Hackers typically request or trick their victims into handing over their WhatsApp security verification codes, which must be entered when registering a mobile phone number for a new phone or device.

They then use the codes to gain full access to their victims’ accounts.

Cyber security firm Kaspersky’s Asia-Pacific managing director, Mr Stephan Neumeier, said that with over two billion users, WhatsApp has become a “prime target for cyber criminals looking to leverage on the wealth of user data that is available”.

National University of Singapore Associate Professor Chang Ee-Chien said the impersonation tactics used by hackers, which are also known as “social engineering” attacks, are far more common than other attacks like zero-day vulnerability attacks, where hackers take advantage of a vulnerability in the application’s software. With full access to their victim’s account, hackers may then exploit the victim’s personal relationships and ask for money from friends or family.

Or, if they glean enough information about their victim’s place of employment, they may also target the victim’s workplace, added Prof Chang, or they may even sell their victim’s personal information on the dark web.

However, experts say there are measures that users can take to prevent such attacks.

How to safeguard your account

  • Enable two-step verification, which requires the entry of a unique PIN to access your account.
  • Never divulge your PIN or verification codes to anyone, and do not click on any unknown links or attachments.
  • Ensure that you log out of WhatsApp Web properly, especially if your computers are not secured by passwords or biometric data.
  • Check app settings to limit the amount of information hackers could get from your WhatsApp account if it is compromised. For instance, do not allow WhatsApp to share location information and do not allow unknown people to add you to group chats.
  • Deactivate the autofill option on your phone. While it is a time-saving feature, it also means that your personal details are stored on your phone, and any hacker who has access to your phone will be able to see such information.
  • When you have a particularly sensitive transaction to make, use a virtual private network (VPN) to protect yourself from hackers. The VPN will disguise your Internet Protocol address, making it impossible to track you. It also provides another layer of encryption.

These tips were compiled from Kaspersky, the Association of Information Security Professionals and WhatsApp. 

Things to Remember:

1. A growing pool of WhatsApp users have become victims of social hacking, where scammers use already hijacked social media accounts to contact victims by posing as their friends or family. 

2. Protect your WhatsApp account – enable two-step verification and never divulge your PIN or verification codes to anyone. 
