In response to the wave of WhatsApp account theft in Mexico, the messaging service announced that it will tighten security to prevent hacking. The new method requires an extra step when receiving the six-digit verification code by phone call.
Starting today, users will have to answer the automated call and press the number 1 to receive the code. User interaction is essential: if the call is forwarded to voicemail, the verification code will not be stored there.
The change addresses a security flaw that attackers exploit to steal WhatsApp accounts. When we reinstall the application or change phones, the account must be reactivated with a security code sent by SMS or phone call.
If the victim does not notice the message or does not answer the call, the verification code is sent to voicemail. Later, the hacker accesses the voicemail remotely, an option offered by some operators. Voicemail boxes often use four-digit passwords that can be brute-forced or, in the worst case, are not protected at all.
Account theft is a constant in Mexico
The scam rose to prominence in late 2021 when it was revealed that the governors of Oaxaca and Sonora had been victims of account theft. Alejandro Murat and Alfonso Durazo reported the hack on their social media and communication channels and asked people not to respond to messages.
Weeks later, other governors fell into the trap. The common denominator of all the attacks was the attempt to extort the victims' contacts. The hacker requested deposits from the victim's friends or relatives via WhatsApp messages and, in extreme cases, gave instructions to other state officials.
The new step is welcome, although users should be aware that it is not a complete solution. WhatsApp is the most used messaging app in Mexico and other Latin American countries. Although users spend hours chatting, most of them have not bothered to enable its security options.
How to protect your WhatsApp account
- Enable two-step verification. To turn it on, go to WhatsApp Settings and select Account > Two-Step Verification. There, press Activate and enter a six-digit PIN. Try not to use your date of birth. The PIN should be easy to remember but difficult to guess.
This PIN code is unique and you must remember it because WhatsApp will ask you for it from time to time or when you activate your account. Very important: The 6-digit PIN for two-step verification is different from the verification code that WhatsApp sends via text or call.
Two-step verification is an effective measure against account theft because the attacker needs not only the WhatsApp verification code but also the security PIN. If you don’t enter it, you won’t be able to use the account.
- Activate a voicemail password. The steps are different for each operator, although the number to dial to activate it is the same. From your mobile phone, dial *86 and access the configuration. If you have not created a password, the system will walk you through the steps to create one and access your voicemail.
AT&T starts setup each time you dial *86. We don't know if this is a bug, but we saved the password and after a few days the process restarted. If you have a line with Telcel, you will need to select option 3 and choose to enable or disable the personal password in option 4 of the next menu.
What if my account is stolen?
If you receive an SMS with the verification code without having asked for it, someone may be trying to access your account. If your account has been stolen, report it to firstname.lastname@example.org and let your contacts know so they don't fall for a possible scam.