Hackers hijacking WhatsApp accounts by asking for security codes
When a secondary school friend contacted him out of the blue a few months ago asking for a verification code on WhatsApp, administrative executive Tan Jun Heng, 25, did not suspect anything was amiss.
His friend simply claimed to have "accidentally" sent the code to his number.
But within seconds of sending the code, Mr Tan was automatically locked out of his own WhatsApp account.
It had been hijacked.
"I started panicking and tried to log back in, but I ended up competing (virtually) with the hacker for control of the account," said Mr Tan, who regained control of his account some 24 hours later after writing to WhatsApp.
By then, the hacker had assumed his identity and tricked two of his friends into handing over their verification codes as well.
Mr Tan and his friends are among a growing pool of WhatsApp users who have become victims of social hacking, where scammers use already hijacked social media accounts to contact victims by posing as their friends or family.
Hackers typically ask their victims for, or trick them into handing over, their WhatsApp security verification codes, which must be entered when registering a mobile phone number for a new phone or device.
They then use the codes to gain full access to their victims' accounts, which will allow them to exploit the victim's personal relationships and ask for money from friends or family.
They can also target the victim's workplace, or sell their victim's personal information on the dark Web.
The Singapore Police Force has issued multiple warnings of such "takeover" attacks in the past two years.
The latest advisory in February noted that there had been at least 18 known reports involving the takeover of a victim's WhatsApp account since December last year.
This does not include unreported cases, the number of which is expected to be much higher.
National University of Singapore's Associate Professor Chang Ee-Chien, whose research interests include data privacy, said the impersonation tactics used by hackers are "very low-tech, but very effective, as people tend to trust their friends or family".
How to safeguard your WhatsApp account
- Enable two-step verification, which requires the entry of a unique PIN to access your account. Never divulge your PIN or verification codes to anyone, and do not click on any unknown links or attachments.
- Ensure that you log out of WhatsApp Web properly, especially if your computers are not secured by passwords or biometric data.
- Check app settings to limit the amount of information hackers can get from your WhatsApp account if it is compromised. For instance, do not allow WhatsApp to share location information and do not allow unknown people to add you to group chats.
- Deactivate the autofill option on your phone. While it is a time-saving feature, it also means that your personal details are stored on your phone, and any hacker who has access to your phone will be able to see such information.
- When you have a particularly sensitive transaction to make, use a virtual private network (VPN) to protect yourself from hackers. The VPN will disguise your Internet Protocol address, making it impossible to track you. It also provides another layer of encryption.
Tips compiled from Kaspersky, the Association of Information Security Professionals and WhatsApp