WhatsApp Introduces New Device Verification Feature To Prevent Account Takeover Attacks
WhatsApp, the Meta-owned instant messaging app, on Thursday introduced a new account verification feature that protects users' accounts even when malware is already installed on their mobile devices.
“Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,” the Meta-owned company said in an announcement.
The security mechanism, known as Device Verification, is meant to prevent account takeover (ATO) attacks by blocking the threat actor's connection while letting the victim of the malware infection keep using the app normally.
In other words, the goal is to stop attackers from using malware to steal WhatsApp authentication keys, take over users' accounts, and then impersonate them to send out spam and phishing links.
This is achieved by introducing three parameters: a security-token that is stored locally on the device; a cryptographic nonce that identifies whether a WhatsApp client is contacting the server to retrieve incoming messages; and an authentication-challenge that acts as an "invisible ping" from the server to the user's device.
The client must send the security-token every time it connects to the server, which lets the server detect potentially suspicious connections. The security-token is updated every time the client fetches an offline message from the server, so a copy exfiltrated by malware at an earlier point no longer matches the server's current value.
An authentication-challenge is considered failed when the response to it comes from a different device than the one that opened the connection, which indicates an anomalous connection originating from an attacker. The connection is then blocked.
If the client does not respond at all, the challenge is retried a "few more times"; if it still goes unanswered, the connection is blocked.
“These three parameters help prevent malware from stealing the authentication key and connecting to WhatsApp server from outside the users’ device,” Meta’s Attaullah Baig and Archis Apte explained.
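To make the three parameters concrete, here is an added toy model of the flow written for this page; it is illustrative code, not WhatsApp's implementation. It assumes an HMAC-SHA256 challenge response, random 16-byte security-tokens, and constructed account and device names (the real message formats are not described in the announcement). The server pushes the challenge only to the registered device, never to the connection that triggered it, which is what lets the two failure cases in the text fall out naturally.

```python
"""Toy model of the Device Verification flow: security-token, nonce, and
authentication-challenge. Illustration only; names and MAC scheme are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Device:
    name: str
    auth_key: bytes                    # the long-lived key malware tries to steal
    token: bytes = b""                 # security-token stored locally, rotated by the server
    inbox: list = field(default_factory=list)   # "invisible pings" pushed to this device

    def answer_challenges(self, server: "Server") -> dict:
        # Reply to every pending challenge from this device; returns conn_id -> outcome.
        results = {cid: server.challenge_response(cid, self.name, mac(self.auth_key, nonce))
                   for cid, nonce in self.inbox}
        self.inbox.clear()
        return results


@dataclass
class Server:
    max_retries: int = 3
    accounts: dict = field(default_factory=dict)   # account -> {"key", "token", "device"}
    conns: dict = field(default_factory=dict)      # conn_id -> {"account", "device", "nonce", "tries", "state"}

    def register(self, account: str, device: Device) -> None:
        device.token = secrets.token_bytes(16)
        self.accounts[account] = {"key": device.auth_key, "token": device.token, "device": device}

    def connect(self, account: str, device_name: str, auth_key: bytes, token: bytes) -> str:
        """Every connection presents the auth key and the *current* security-token."""
        acct = self.accounts[account]
        if not hmac.compare_digest(acct["key"], auth_key):
            return "rejected: unknown auth key"
        if not hmac.compare_digest(acct["token"], token):
            return "blocked: stale security-token"
        conn_id, nonce = f"conn-{len(self.conns)}", secrets.token_bytes(16)
        self.conns[conn_id] = {"account": account, "device": device_name, "nonce": nonce,
                               "tries": 0, "state": "challenged"}
        acct["device"].inbox.append((conn_id, nonce))   # ping goes to the registered device only
        return conn_id

    def challenge_response(self, conn_id: str, responder: str, response: bytes) -> str:
        conn = self.conns[conn_id]
        if conn["state"] != "challenged":
            return conn["state"]
        expected = mac(self.accounts[conn["account"]]["key"], conn["nonce"])
        if not hmac.compare_digest(expected, response):
            conn["state"] = "blocked: bad challenge response"
        elif responder != conn["device"]:
            conn["state"] = "blocked: challenge answered from a different device"
        else:
            conn["state"] = "verified"
        return conn["state"]

    def retry_unanswered(self, conn_id: str) -> str:
        # Re-send an unanswered challenge a few times, then block the connection.
        conn = self.conns[conn_id]
        if conn["state"] != "challenged":
            return conn["state"]
        conn["tries"] += 1
        if conn["tries"] >= self.max_retries:
            conn["state"] = "blocked: no response to authentication challenge"
        else:
            self.accounts[conn["account"]]["device"].inbox.append((conn_id, conn["nonce"]))
        return conn["state"]

    def fetch_offline_messages(self, conn_id: str) -> bytes:
        # Only a verified connection may fetch; every fetch rotates the security-token.
        conn = self.conns[conn_id]
        if conn["state"] != "verified":
            raise PermissionError(conn["state"])
        acct = self.accounts[conn["account"]]
        acct["token"] = acct["device"].token = secrets.token_bytes(16)
        return acct["token"]


def scenario() -> dict:
    server, phone = Server(), Device("phone", auth_key=secrets.token_bytes(32))
    server.register("+15550000001", phone)        # constructed sample account
    # 1. The real phone connects, answers the ping, fetches offline messages; token rotates.
    old_token = phone.token
    conn = server.connect("+15550000001", "phone", phone.auth_key, phone.token)
    legit = phone.answer_challenges(server)[conn]
    server.fetch_offline_messages(conn)
    # 2. Malware that copied key and token before step 1 now holds a stale token.
    stale = server.connect("+15550000001", "evil-box", phone.auth_key, old_token)
    # 3. Malware copied the current token too; the ping still goes to the phone. Offline phone: retries run out ...
    c2 = server.connect("+15550000001", "evil-box", phone.auth_key, phone.token)
    no_answer = [server.retry_unanswered(c2) for _ in range(server.max_retries)][-1]
    # ... and if the phone answers, the reply comes from a device other than the connecting one.
    c3 = server.connect("+15550000001", "evil-box", phone.auth_key, phone.token)
    wrong_device = phone.answer_challenges(server)[c3]
    return {"legit": legit, "rotated": phone.token != old_token, "stale": stale,
            "no_answer": no_answer, "wrong_device": wrong_device}
```

Calling `scenario()` produces the three outcomes the text describes: the real phone is verified and its token rotates; a stolen auth key with a stale token is refused at connect; and even with a current token the attacker's connection is blocked, either because the ping is never answered or because the answer arrives from the registered phone rather than from the connecting box.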
WhatsApp said Device Verification has been rolled out to all Android users and that it’s in the process of being rolled out to iOS users.
The feature is part of a broader set of new enhancements that are designed to authenticate and verify users’ identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.
Also launched by WhatsApp is a Key Transparency feature that automatically confirms that the encryption key of the person on the other end of an end-to-end encrypted chat is genuine, without requiring any additional action from the user.
To do so, it’s implementing a new Auditable Key Directory (AKD) that’s based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.
“The AKD will enable WhatsApp clients to automatically validate that a user’s encryption key is genuine and enables anyone to verify audit-proofs of the directory’s correctness,” the company said.
Verification currently requires the two users in a chat to compare the security code (shown as a QR code and a 60-digit number) manually, either by sending it to the other party over an out-of-band channel such as SMS or email, or by scanning the QR code when the parties are physically together.
The security code is a fingerprint derived from both parties' public identity keys, the public halves of the key pairs generated to facilitate end-to-end encrypted messaging; the private keys never leave the devices. Complicating matters further, the code changes whenever either user switches devices or reinstalls WhatsApp, so a comparison done once does not stay valid.
Key Transparency streamlines the verification process by making use of an automated flow that obviates the need for the long code, instead maintaining a record of public key changes in a directory and allowing a client to check against it.
“Key transparency describes a protocol in which the [WhatsApp] server maintains an append-only record of the mapping between a user’s account and their public identity key,” Meta explained. “This allows the generation of inclusion proofs to assert that a given mapping exists in the directory at the time of the most recent update.”
WhatsApp intends to make this feature live in the coming months, although it’s already hosting and operating an Auditable Key Directory of all its users. “This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly,” the company added.
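As an added example, not WhatsApp's AKD code, the following sketches the directory described above: an append-only Merkle log mapping accounts to identity keys, inclusion proofs against the published root, and the client-side check that replaces the manual 60-digit comparison. The RFC 6962-style tree hashing, the leaf encoding, and the sample accounts and keys are assumptions made for the illustration.

```python
"""Minimal auditable key directory: an append-only Merkle log of
(account -> identity key) entries with inclusion proofs, in the spirit of
CONIKS/SEEMless. Illustration only; tree hashing and leaf encoding are assumed."""
import hashlib


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(account: str, version: int, pubkey: bytes) -> bytes:
    # 0x00 prefix for leaves, 0x01 for interior nodes (domain separation, as in RFC 6962)
    return h(b"\x00", account.encode(), version.to_bytes(4, "big"), pubkey)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 0:
        return h()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return h(b"\x01", merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, m: int) -> list:
    """Sibling hashes from leaf m up to the root, each tagged with the side it sits on."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [(merkle_root(leaves[k:]), "right")]
    return inclusion_proof(leaves[k:], m - k) + [(merkle_root(leaves[:k]), "left")]


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, side in proof:
        node = h(b"\x01", node, sibling) if side == "right" else h(b"\x01", sibling, node)
    return node == root


class AuditableKeyDirectory:
    def __init__(self):
        self.entries = []    # append-only: (account, version, pubkey); never edited in place
        self.leaves = []

    def publish(self, account: str, pubkey: bytes) -> bytes:
        """Record a new identity key for account; a reinstall or device switch bumps version."""
        version = sum(1 for a, _, _ in self.entries if a == account)
        self.entries.append((account, version, pubkey))
        self.leaves.append(leaf_hash(account, version, pubkey))
        return self.root()

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def lookup(self, account: str) -> tuple:
        """Most recent mapping for account plus its inclusion proof against the current root."""
        idx = max(i for i, (a, _, _) in enumerate(self.entries) if a == account)
        _, version, pubkey = self.entries[idx]
        return version, pubkey, inclusion_proof(self.leaves, idx)


def client_check(root: bytes, account: str, version: int, pubkey: bytes, proof: list,
                 session_key: bytes) -> bool:
    """What the client does instead of a manual code comparison: the key it is about to
    encrypt to must be the one the directory proves is current for that account."""
    in_directory = verify_inclusion(leaf_hash(account, version, pubkey), proof, root)
    return in_directory and pubkey == session_key


def demo() -> dict:
    akd = AuditableKeyDirectory()
    # Constructed stand-ins for identity public keys; real ones would be Curve25519 points.
    keys = {name: hashlib.sha256(name.encode()).digest() for name in ("alice", "bob", "carol")}
    for name, key in keys.items():
        akd.publish(name, key)
    bob_new = hashlib.sha256(b"bob-reinstalled").digest()
    root = akd.publish("bob", bob_new)     # Bob reinstalled: version 1 appended, version 0 kept
    version, pubkey, proof = akd.lookup("bob")
    forged = hashlib.sha256(b"mitm").digest()
    return {
        "bob_version": version,
        "genuine": client_check(root, "bob", version, pubkey, proof, session_key=bob_new),
        "substituted_key": client_check(root, "bob", version, pubkey, proof, session_key=forged),
        "forged_proof": client_check(root, "bob", version, forged,
                                     inclusion_proof(akd.leaves, 0), session_key=forged),
        "history_intact": akd.entries[1] == ("bob", 0, keys["bob"]),
    }
```

`demo()` shows the two things the directory buys a client: Bob's reinstall appears as a new version rather than a silent overwrite, and a key that differs from the proven current one (a substituted session key, or a forged entry with a borrowed proof) fails the check. A production directory also publishes consistency proofs between successive roots so auditors can confirm nothing was removed or rewritten, and hides account names behind a VRF as CONIKS and SEEMless do; both are left out here.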