Hackers can steal someone else’s Whatsapp accounts. This requires a phone call and a certain technique. How to protect yourself.
Nasty trick: How hackers steal Whatsapp accounts
© DANIEL CONSTANTE/Shutterstock.com
With a nasty trick, hackers can take over someone else’s Whatsapp account and gain access to their personal messages and contact lists. This is reported by the US IT security news site Bleeping Computer, citing a corresponding post by Rahul Sasi, CEO of CloudSEK, on Linkedin. The attacker only needs a few minutes for this. However, the attacker must know the victim’s phone number and also master some social engineering tricks.
Attacker has to convince his victim on the phone
Because the attacker has to call the victim and, with his call, get him to call a telephone number that starts with a so-called “Man Machine Interface Code” (MMI). Mobile phone providers actually use this technology to forward calls when the line is busy or unavailable. Depending on the mobile network operator, an MMI code can also forward all calls to a terminal device to another number. Such codes always start with “*” or with “#” – for example **67* – and have ten digits.
The security researcher explains that the 10-digit number for the victim to call belongs to the attacker and the prepended MMI code instructs the mobile operator to forward all calls to the phone number provided after it. In other words, by calling this MMI number, the victim consents to having all of their calls forwarded to another number.
The attacker can now start the registration and verification for the Whatsapp account on his own device. Including a verification code, which is now sent to the hacker’s cell phone thanks to MMI forwarding. And the Whatsapp account is already hijacked, including the possibility for the hacker to set up 2-factor authentication for it. This means: The actual owner of the Whatsapp account is locked out of his own Whatsapp account.
The attacker has to overcome these hurdles
Bleeping Computer was able to replicate this attack method at least with the providers Verizon and Vodafone. However, there are quite a few hurdles for the attackers. So ideally the cellular provider needs to use MMI code that routes all calls in all cases and not just in those cases when the phone is busy. Otherwise, the attacker would have to keep his victim on the phone until the Whatsapp authentication code was sent and – since the victim’s cell phone was occupied by the call with the hacker – was forwarded to the hacker’s cell phone thanks to MMI.
Also, the Whatsapp account owner will receive text messages informing them that their Whatsapp account has been registered on another device. On top of that, if call forwarding is activated, a notification to this effect is displayed on the victim’s smartphone.
How to protect yourself
But there is a simple protection against this attack method: Set up two-factor authentication for Whatsapp! Then the attacker has no chance.