Don’t Fall Victim To This Stupidly Simple WhatsApp Hack


It’s incredibly simple and yet incredibly effective—to stop your WhatsApp account being stolen, you absolutely must change this one setting today...

It’s now 2024—and so it’s deeply troubling that the most stupidly simple WhatsApp hack continues to claim victims around the world. As Apple, Google, Microsoft and others make changes to platforms and services to eradicate such vulnerabilities, it’s high time Meta did the same and shut down this ludicrous threat.

We’re talking one-time passcode (OTP) theft, of course. And while the flavor of social engineering might vary—simple texts, “hi mum” pleas, friends in distress, or the latest (1,2,3) audio calls teeing up group chats, the concept is the same.


When you set up WhatsApp on a new phone, the platform sends your registered phone number a one-time passcode by SMS to confirm it’s you. That doesn’t restrict the phone on which you can activate WhatsApp, though. So a code sent to one phone can be used to activate WhatsApp on another. And so if a fraudster can trick you into disclosing the code, they can install your WhatsApp on their own phone.

The crux of the trick, whatever the specifics, is to pretend you’re being sent a code for something or someone else; you then share the code, and your WhatsApp account transfers to the fraudster’s phone. You can easily prevent this from happening by setting up multi-factor authentication on your WhatsApp account, which means the SMS OTP isn’t enough on its own.
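To make the mechanism described above concrete, here is an added Python model of the activation flow (not WhatsApp’s code; the server logic, phone number and PIN are assumed for illustration). It shows why a leaked SMS code alone moves the account when two-step verification is off, and why it does not when a user-chosen PIN is also required:

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    phone: str
    two_step_pin: Optional[str] = None   # None: two-step verification never set up
    pending_otp: Optional[str] = None    # last SMS code issued, single-use
    active_device: Optional[str] = None  # handset currently holding the account


class ActivationServer:
    """Toy model of phone-number activation (assumed flow, not WhatsApp's code)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, phone: str, device: str, two_step_pin: Optional[str] = None) -> None:
        self.accounts[phone] = Account(phone, two_step_pin, None, device)

    def request_otp(self, phone: str) -> str:
        # The code goes by SMS to the registered number. The server cannot tell
        # which handset will later submit it, so the SIM holder is the only gate.
        acct = self.accounts[phone]
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return acct.pending_otp   # stands in for the text arriving on the SIM

    def activate(self, phone: str, device: str, otp: str,
                 pin: Optional[str] = None) -> Tuple[bool, str]:
        acct = self.accounts[phone]
        if acct.pending_otp is None or not secrets.compare_digest(otp, acct.pending_otp):
            return False, "otp rejected"
        acct.pending_otp = None   # a code may only be redeemed once
        if acct.two_step_pin is not None:
            # Second factor: a PIN the user chose, which never travels by SMS.
            if pin is None or not secrets.compare_digest(pin, acct.two_step_pin):
                return False, "two-step PIN required"
        acct.active_device = device   # activation moves the account to this handset
        return True, "activated"


def shared_code_outcome(two_step_enabled: bool) -> Optional[str]:
    """Victim repeats their SMS code to a stranger; returns who ends up with the account."""
    server = ActivationServer()
    # Constructed sample number and PIN, not real values.
    server.register("+15550000001", "victims-phone", "1979" if two_step_enabled else None)
    code = server.request_otp("+15550000001")                   # lands on the victim's SIM
    server.activate("+15550000001", "strangers-phone", code)    # typed into another handset
    return server.accounts["+15550000001"].active_device
```

With `two_step_enabled=False` the stranger’s handset ends up holding the account; with it enabled, the leaked code is consumed but the account stays put, which is the whole point of the setting.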

WhatsApp has also introduced passkeys—to Android last year and to iPhone last month—which further reduce the SMS risk. A passkey ties a login to a trusted ecosystem, meaning your phone and any other trusted device linked to you. It’s much more secure than a texted code, as it is bound to physical hardware.

But in reality none of this matters. Because the users who have set up backup email addresses and multi-factor authentication will now switch to passkeys. And the users who have done nothing will still do nothing.


“Two-step verification is an optional feature,” WhatsApp says, “that adds more security to your WhatsApp account.” This “two-step verification” can be enabled and it can be disabled—and it can be ignored. Just as with the new passkeys. MFA has been part of WhatsApp for eight years—and yet it’s still optional.

Contrast this with Google’s and Apple’s essentially mandatory MFA for many of their own platforms and services, protecting the core ecosystems on which WhatsApp operates, which has normalized MFA to the point that most users are now familiar with it. This wasn’t always the case, and MFA was once seen as optional—but that has now changed.

While WhatsApp plays with new login notifications and MFA encouragement, none of this is anywhere close to just mandating two-step security. The facts tell us clearly that hackers can socially engineer their way around OTPs—it will be harder to have users also disclose the passcodes they have chosen themselves for their accounts.


And so, first things first—if you don’t have two-step verification on your WhatsApp account, then stop reading this article right away and go set it up. It takes 10 seconds and can save you a world of pain down the road. You should also add and verify an email address, which will help you if you ever need to recover the account.

Second, WhatsApp, please make this mandatory—it’s well past time to do so...
