WhatsApp has announced several new security features which include an extra check when an account is transferred to a new device. This check asks that users confirm the transfer on their old device. This should warn users in case there is a transfer in progress started by somebody trying to hijack their account.
This Account Protect feature may have been triggered by an increase in account take-overs, like the one we reported about a few months ago, where cybercriminals take over your account while you are away from your device.
Another new security feature is Device Verification, which is mainly meant to stop malware on a device from sending spam and phishing messages. This specifically targets fake versions of WhatsApp that contain malware. WhatsApp uses cryptographic keys to ensure that communications across the app are end-to-end encrypted. One of these encryption keys is the authentication key. The authentication key allows a WhatsApp client to connect to the WhatsApp server to establish a connection based on previously established trust, so the users don’t have to enter a password, PIN, SMS code, or other credential each and every time they turn on the app.
This mechanism is secure because the authentication key cannot be intercepted by any third party, including WhatsApp. But, if a device is infected with malware the authentication key can be stolen and abused for nefarious purposes. These purposes include impersonating the victim to send spam, scams, and phishing attempts to other potential victims.
WhatsApp uses three different methods that benefit from how people typically read and react to messages sent to their device to distinguish between a connection request of the actual user or one started by malware.
The Device Verification feature is only available for Android users at the moment, iOS users can expect it to be rolled out shortly.
The third new feature we want to highlight is Key Transparency, which allows users to automatically check they are using a secured connection. End-to-end encryption is the foundation of private messaging on WhatsApp, helping to ensure that only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp.
In fact, the option to verify the keys on the other end of the conversation already existed, but the method was rather complicated—comparing a a 60-digit number—and this feature can now be replaced with a new Auditable Key Directory (AKD). This AKD means that WhatsApp has a Security Page for each contact that has a QR code and a 60-digit number that can be verified outside of WhatsApp to make sure it matches what your contact sees on their device. In short, it’s a unique hash of both your public keys and their public keys, so if either of you have the wrong value, the hashes won’t match.
The old methods required QR code scanning for in person contact, or the number matching feature. But either way required communicating with your contacts outside of WhatsApp and was near impossible to do in larger groups.
Making WhatsApp more secure
These security features will be made available for all devices in the coming months. Until then there are a few things you can do yourself to make WhatsApp more secure.
- Only install WhatsApp from the Apple App Store or Google Play, to avoid getting an infected version of the app.
- Enable two-step verification:
- Open Settings in WhatsApp under More (three vertical dots) > Settings
- Tap Account > Two-step verification > Enable.
- Enter a six-digit PIN.
- Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
- Tap Next.
- Confirm the details and tap Save or Done.
- Use of end-to-end encrypted backups:
- Open Settings in WhatsApp under More (three vertical dots) > Settings
- Tap Chats > Chat Backup > End-to-end Encrypted Backup.
- Tap Turn On, then follow the prompts to create a password or key.
- Tap Create, and wait for WhatsApp to prepare your end-to-end encrypted backup. You might need to connect to a power source.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.