Whatsapp Authentication sucks. It sucks really badly. I’d never thought about it before, but then I saw this tweet yesterday. A lady got a new phone number and when she set up Whatsapp, she had a load of messages on there from the previous owner of the number. “Wait a minute!” I hear you cry “Surely Whatsapp, owned by Facebook and used by millions of people, has super security?” Well I’m sure its back-end systems are all well protected. The messages between users are all properly encrypted and secure. But to authenticate to the service … all you need is a telephone number. If you use the telephone number of another user or a former user, you get their messages!!! There is a way to prevent this, which I’ll get to later.
Setting up an account is sooo easy
Cast your mind back to when you set up Whatsapp on your phone for the first time and you set up your account with them. Did you specify a User ID or Username? Did you give it a password? The answer is no. The only authentication was your telephone number, which your phone was giving the app.
Recycling is good for the planet, but not good for security
Mobile telephone numbers get recycled by telephone companies all the time. This is because they don’t have an unlimited supply of numbers to issue. If you watch enough crime programmes on the TV, you will see a lot of “burner” phones being used. These are basically a cheap phone and number that might only be used once or twice and are then disposed of forever. Also, people having affairs would sometimes have a second “secret” phone for communicating with their paramour. If the affair doesn’t last long, that phone number will be disposed of.
So when a phone company has old numbers, where a contract hasn’t been renewed or a prepaid number hasn’t been topped up in some time, it will simply assign them to new SIM cards and push them out through its retail channels. Thus the number is recycled and reused.
This is what happened to Abby Fuller. She got a new number and when she installed Whatsapp, she had all of the messages from that telephone number’s previous owner restored onto her device. The number is the only means of identifying an account, and that is why Whatsapp authentication sucks.
She took the correct course of action and deleted everything. However, if she had a bad side, she could have downloaded all of the messages or, even worse, she could have impersonated that number’s previous owner in those messages and caused all sorts of issues.
So Whatsapp authentication sucks. What can I do about it?
You can set up what Whatsapp calls two step verification. With this enabled, if you (or somebody else) try to set up Whatsapp with your number on a different phone, you (or they) will be asked for a PIN, which only you should know.
It’s really easy to set up:
- Go into your Whatsapp settings
- Select Account -> Two step verification
- It will have an explanation screen. Click Enable
- Provide a 6 digit PIN number and then confirm it
- Optionally (but recommended), provide an email address to which a PIN reset request can be sent should you forget the PIN. You will need to confirm that email address
- That’s it
If somebody gets your number, or tries to take over your phone number, they will need to input the PIN you just set up when they try to set up Whatsapp. It’s not really the best two step verification in the world, but it should be effective.
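To make the difference concrete, here is a toy model of the two registration policies the post contrasts: an account bound to the phone number alone, versus re-registration of an existing number gated by a user-chosen PIN. This is an added example, not Whatsapp’s code; the server, account layout and the +15550100 scenario are all made up.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Account:
    number: str
    device_id: str
    inbox: List[str] = field(default_factory=list)  # messages queued for the owner
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not give up 6-digit PINs cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

class RegistrationServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enable_two_step(self, number: str, pin: str) -> None:
        acct = self.accounts[number]
        acct.pin_salt = os.urandom(16)
        acct.pin_hash = hash_pin(pin, acct.pin_salt)

    def register(self, number: str, device_id: str, pin: Optional[str] = None) -> Account:
        # SMS code step assumed passed: whoever holds the SIM (the number's next owner too) clears it.
        acct = self.accounts.get(number)
        if acct is None:
            acct = Account(number, device_id)
            self.accounts[number] = acct
            return acct
        if acct.pin_hash is not None:
            # Two-step enabled: the new device must also prove it knows the PIN.
            if pin is None or not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
                raise PermissionError("two-step verification PIN required")
        # Number-only policy, or correct PIN: the account and its waiting inbox are
        # rebound to the new device.
        acct.device_id = device_id
        return acct

def recycled_number(two_step_pin: Optional[str], pin_supplied: Optional[str] = None) -> Account:
    # Constructed scenario: the first owner registers, has a message waiting, and gives
    # the number up; its next owner then registers the same number on a new phone.
    srv = RegistrationServer()
    srv.register("+15550100", "old-phone")
    srv.accounts["+15550100"].inbox.append("see you at 7, usual place")
    if two_step_pin is not None:
        srv.enable_two_step("+15550100", two_step_pin)
    return srv.register("+15550100", "new-owner-phone", pin_supplied)
```

With no PIN set, `recycled_number(None)` hands the old inbox to the new phone; with a PIN set, the same call fails unless the correct PIN is supplied.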
I must try and persuade the few Whatsapp groups that I am involved in to switch to something more secure like Signal.
Let’s be careful out there.
#SecuritySimplified #GDPR #SimpleGDPR