In 2024, the persistence of a simple yet damaging WhatsApp hack remains a significant concern, with victims worldwide falling prey to it. While other tech giants like Apple, Google, and Microsoft have taken steps to address vulnerabilities in their platforms and services, it’s imperative that Meta follows suit and eliminates this threat.
The issue at hand is the theft of one-time passcodes (OTPs). Although the methods of social engineering may vary—from straightforward text messages to urgent pleas from friends or even audio calls—the fundamental concept remains unchanged.
When setting up WhatsApp on a new device, the platform sends a one-time passcode via SMS to verify the registered phone number. However, this code isn’t restricted to a specific device, allowing fraudsters to use it to activate WhatsApp on their own device if they can trick the user into disclosing the code.
The crux of the trick lies in convincing users to share the code under false pretenses. However, this risk can be mitigated by enabling multi-factor authentication (MFA), which requires more than just an SMS OTP for verification.
WhatsApp has also introduced passkeys, which are more secure than SMS OTPs as they are linked to physical hardware. However, the effectiveness of these measures ultimately depends on user adoption.
Unfortunately, many users still fail to implement basic security measures, such as enabling MFA or setting up backup email addresses.
While WhatsApp provides optional security features like two-step verification and passkeys, they remain largely underutilized. In contrast, tech giants like Google and Apple have made MFA mandatory for many of their services, normalizing its use among users.
Despite efforts by WhatsApp to encourage MFA adoption through login notifications and other means, the reality is that many users continue to overlook basic security measures. Therefore, the first step for users is to enable two-step verification on their WhatsApp accounts to safeguard against potential threats.
While WhatsApp continues to explore various security measures, the onus is on users to take proactive steps to protect their accounts. Implementing basic security measures like two-step verification and adding a verified email address can go a long way in enhancing account security.
