Recycling is good for the environment, isn’t it?

Earlier this week I was in doing a quarterly health check for one of my clients and I went up to one of the new members of staff. She was showing me her new phone that she had just gotten with the new number for the business. She had just set up WhatsApp and she was getting these strange messages coming into her and she was wondering how these were happening.

What it looks like is that the phone company they’re signed up with have reused or recycled a previous mobile number that had been assigned to somebody else.

How does WhatsApp Number Recycling occur?

Now if you think about it with WhatsApp when you set up an account all you need to authenticate is your mobile number. So in this case somebody had previously had that mobile number that this new member of staff has got now, people who were sending messages to her old number, to that other person’s number maybe in WhatsApp groups or whatever, they’re now going to this new phone that this member of staff has.

How do you protect against this?

The first thing I told her that she should do to protect her account is to setup the two factor authentication and there is also a recovery email option in there as well. So if you do find you’re getting strange messages on a new account or new number then that’s probably what’s happening.

Is this something new?

This has been going on for quite some time because I actually wrote this back in January 2019 and I have a link to the blog post I wrote about it back then. But this is now happening or seems to be happening here now in Ireland.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 087 WhatsApp Number Recycling appeared first on L2 Cyber Security Solutions.

Where is this coming from?

As I said last week, the Data Protection Commission had issued a report for 2020. I’ve had a chance to read through it now in a bit more detail. I really love looking at the case studies that they include there because these are real life events that have occurred.

One of them struck me as something that could occur anywhere.

What? A data breach of bank details??? That’s serious!

It was Case Study 15: Bank details sent by WhatsApp. What had occurred was that a customer of a financial institution had gotten in contact with them wanting to get a copy of their BIC and IBAN details. The member of staff that was dealing with the enquiry knew this person. So, because of that, they took a picture of the details on their personal phone and sent them by WhatsApp to the customer.

WhatsApp is encrypted, so it must be safe. Right?

But it turns out the details that they took the photo of were for somebody else. So, when the customer reported this incident to the bank, they realised this was a data breach. That customer had seen somebody else’s personal details.

How does a business prevent this type of issue?

This is simply a staff training issue. Staff need to be aware that they should always follow proper protocols when dealing with people’s personal details. To make sure that they provide the correct details to the correct person.

As I say it could happen to anybody. So use that example with your staff today.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 068 A Data Breach of Bank Details appeared first on L2 Cyber Security Solutions.

Setting up an account is sooo easy

Cast your mind back to when you set up Whatsapp on your phone for the first time and you set up your account with them. Did you specify a User ID or Username? Did you give it a password? The answer is no. The only authentication was your telephone number, which your phone was giving the app.

Recycling is good for the planet, but not good for security

Mobile telephone numbers get recycled by telephone companies all the time. This is because they don’t have an unlimited amount of numbers that they can issue. If you watch enough crime programmes on the TV, you will see a lot of “burner” phones being used. These are basically a cheap phone and number that might only be used once or twice and then is disposed of forever. Also, people having affairs would sometimes have a second “secret” phone for communicating with their paramour. If the affair doesn’t last long, that phone number will be disposed of.

So phone companies that have old numbers, where a contract hasn’t been renewed or a prepaid number has not been topped up in some time, they will simply assign them to new SIM cards and push them out through their retail channels. Thus the number is recycled and reused.

This is what happened to Abby Fuller. She got a new number and when she installed Whatsapp, she had all of the messages from that telephone number’s previous owner restored onto her device. Because the number is the only means of identifying an account, this is why Whatsapp authentication sucks.

She took the correct course of action and deleted everything. However if she had a bad side, she could have downloaded all of the messages or even worse, she could have impersonated that number’s previous owner in those messages and caused all sorts of issues.

So Whatsapp authentication sucks. What can I do about it?

You can set up, what Whatsapp calls, two step verification. With this enabled, if you (or somebody else), try to setup Whatsapp with your number on a different phone, you (or they) will be asked for a PIN number, which only you should know.

It’s really easy to set up:

1. Go into your Whatsapp settings
2. Select Account -> Two step verification
3. It will have an explanation screen. Click Enable
4. Provide a 6 digit PIN number and then confirm it
5. Optionally (but recommended) you can provide an email address should you forget the PIN number, where a PIN reset request can be sent. You will need to confirm that email address
6. That’s it

If somebody gets your number or they try to take over your phone number, when they try to set up Whatsapp, they will need to input the PIN you just set up. It’s not really the best two step verification in the world, but it should be effective.

I must try and persuade the few Whatsapp groups that I am involved in to switch to something more secure like Signal.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post Whatsapp Authentication Sucks appeared first on L2 Cyber Security Solutions.