
WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks
Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user’s mobile device does not affect their account.
“Mobile device malware is one of the biggest threats to people’s privacy and security today as it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,” the company owned by Meta said in an announcement.
Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor’s connection while allowing the target of the malware infection to keep using the app without interruption.
In other words, the goal is to prevent attackers from using malware to steal WhatsApp authentication keys and hijack victims’ accounts, and then impersonate them to distribute spam and phishing links to other contacts.
This, in turn, is achieved by introducing a security token that is stored locally on the device, a cryptographic code used to identify whether the WhatsApp client is contacting the server to retrieve incoming messages, and an authentication challenge that acts as an “invisible ping” from the server to the user’s device.
The client is required to send the security token each time it connects to the server, so that potentially suspicious connections can be detected. The security token, for its part, is updated every time the client retrieves an offline message from the server.
The authentication challenge is considered failed when the client responds to the challenge from a different device, indicating an anomalous connection originating from the attacker. This causes the connection to be blocked.
If there is no response from the client, the process will be retried “a certain number of times”, after which the connection will be blocked if the client remains unresponsive.
“These three parameters help prevent malware from stealing authentication keys and connecting to WhatsApp servers from outside the user’s device,” explained Attaullah Baig and Archis Apte of Meta.
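The three checks described above (a per-connection security token that rotates on every offline-message fetch, a challenge sent down a suspicious connection, and a bounded retry before blocking) can be modelled end to end in a few dozen lines. The following Python is an added illustration written for this page, not WhatsApp's protocol or code: tying device identity to a per-device HMAC secret, the retry limit of 3, and all account, device and function names are assumptions.

```python
"""Toy model of a security-token plus challenge check on client connections.
Constructed illustration of the mechanism described above; not WhatsApp's
protocol or code. Device identity via a per-device HMAC secret, the retry
limit, and all names are assumptions."""
import hashlib
import hmac
import secrets

MAX_RETRIES = 3  # assumed; the announcement only says "a certain number of times"


class Device:
    """A client endpoint holding a per-device secret used to answer challenges."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.secret = secrets.token_bytes(32)
        self.token = None  # current security token, rotated by the server

    def answer(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.accounts = {}  # account -> enrolled device id, device secret, current token
        self.pending = {}   # connection id -> outstanding challenge state
        self.blocked = set()

    def enroll(self, account, device):
        device.token = secrets.token_hex(16)
        self.accounts[account] = {"device": device.device_id,
                                  "secret": device.secret, "token": device.token}
        return device.token

    def connect(self, conn_id, account, presented_token):
        """Every connection presents the token; a mismatch triggers the 'invisible ping'."""
        rec = self.accounts[account]
        if hmac.compare_digest(presented_token, rec["token"]):
            return "ok"
        self.pending[conn_id] = {"account": account,
                                 "nonce": secrets.token_bytes(16), "retries": 0}
        return "challenge"

    def fetch_offline(self, account, device):
        """Retrieving offline messages rotates the token, so any copy taken earlier goes stale."""
        rec = self.accounts[account]
        if device.device_id != rec["device"] or device.token != rec["token"]:
            raise PermissionError("not the enrolled device with the current token")
        rec["token"] = device.token = secrets.token_hex(16)
        return device.token

    def challenge_response(self, conn_id, device_id, response):
        """The challenge fails if the answer comes from a device other than the enrolled one."""
        p = self.pending.pop(conn_id)
        rec = self.accounts[p["account"]]
        expected = hmac.new(rec["secret"], p["nonce"], hashlib.sha256).digest()
        if device_id == rec["device"] and hmac.compare_digest(expected, response):
            return "verified"
        self.blocked.add(conn_id)
        return "blocked"

    def retry(self, conn_id):
        """No answer: retry a bounded number of times, then block the connection."""
        p = self.pending[conn_id]
        p["retries"] += 1
        if p["retries"] >= MAX_RETRIES:
            del self.pending[conn_id]
            self.blocked.add(conn_id)
            return "blocked"
        return "challenge"


def _setup():
    srv, victim = Server(), Device("phone-A")
    stolen = srv.enroll("alice", victim)   # a copy of the token taken at this point
    srv.fetch_offline("alice", victim)     # victim fetches messages: token rotates
    return srv, victim, stolen


def scenario_stale_token_wrong_device():
    srv, victim, stolen = _setup()
    assert srv.connect("c-victim", "alice", victim.token) == "ok"  # victim unaffected
    first = srv.connect("c-other", "alice", stolen)                  # stale token -> challenge
    other = Device("laptop-X")
    nonce = srv.pending["c-other"]["nonce"]
    return first, srv.challenge_response("c-other", other.device_id, other.answer(nonce))


def scenario_silent_connection():
    srv, _, stolen = _setup()
    srv.connect("c-other", "alice", stolen)
    result = "challenge"
    while result == "challenge":
        result = srv.retry("c-other")
    return result


def scenario_enrolled_device_reconnects_with_old_token():
    srv, victim, stolen = _setup()
    srv.connect("c-victim", "alice", stolen)  # enrolled device presents its previous token
    nonce = srv.pending["c-victim"]["nonce"]
    return srv.challenge_response("c-victim", victim.device_id, victim.answer(nonce))
```

The three scenarios show the outcomes the announcement describes: a stale token answered from a different device is blocked, a connection that never answers is blocked after the retry budget, and the enrolled device recovers from a stale token by answering the challenge, so the user is not interrupted.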
WhatsApp says Device Verification has been rolled out to all Android users and is in the process of rolling out to iOS users.
The feature is part of a broader suite of new enhancements designed to authenticate and verify user identity, including displaying an alert when an attempt is made to move a WhatsApp account from one device to another.
Also launched by WhatsApp is a Key Transparency feature to automatically confirm whether a chat is end-to-end encrypted without requiring any additional action from the user.
To do so, it implements a new Auditable Key Directory (AKD) that is based on existing protocols such as CONIKS and SEEMless to help users verify the security of their conversations.
“AKD will enable the WhatsApp client to automatically validate that a user’s encryption key is genuine and allow anyone to verify audit evidence of directory correctness,” the company said.
Verification currently requires the users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number), either by sending it to the participant on the other end via SMS or email, or by scanning the QR code if the parties are physically next to each other.
The security code is nothing but a unique hash of the two public/private key pairs created to facilitate end-to-end encrypted messaging. Complicating matters further, it changes when a user switches devices or reinstalls WhatsApp.
Key Transparency streamlines the verification process by leveraging an automated flow that eliminates the need for lengthy codes, instead maintaining a record of public key changes in a directory and allowing the client to review them.
“Key transparency describes the protocol in which the server (WhatsApp) keeps a record of the mapping between user accounts and their public identity keys,” explains Meta. “This allows creation of inclusion proofs to assert that certain mappings existed in the directory at the time of the latest update.”
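The inclusion proof idea in that quote is easiest to see with a concrete directory. The Python below is an added example, not WhatsApp's AKD nor the CONIKS or SEEMless code it builds on: a Merkle tree over (account, public key) entries whose root the directory publishes, a proof path a client can fetch for a contact, and the client-side check that recomputes the root. The sorted-leaf layout, hash domain separation, and the sample accounts and placeholder keys are all constructed assumptions.

```python
"""Minimal Merkle-tree key directory with inclusion proofs. Constructed
illustration of the 'inclusion proof' idea above, not WhatsApp's AKD
(which builds on CONIKS/SEEMless); layout and names are assumptions."""
import hashlib
import hmac


def _h(data):
    return hashlib.sha256(data).digest()


def leaf_hash(account, pubkey):
    # Domain-separated leaf so a leaf can never be confused with an inner node
    return _h(b"\x00" + account.encode() + b"\x00" + pubkey)


def node_hash(left, right):
    return _h(b"\x01" + left + right)


def _pad(level):
    # Duplicate the last hash when a level has an odd number of nodes
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(directory):
    """directory: account -> public key bytes. Leaves are sorted by account name."""
    level = [leaf_hash(a, k) for a, k in sorted(directory.items())]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels[-1][0], levels


def inclusion_proof(directory, account):
    """Directory side: return (root, proof); proof is [(sibling hash, sibling_is_right)]."""
    root, levels = build_tree(directory)
    idx = sorted(directory).index(account)
    proof = []
    for level in levels[:-1]:
        level = _pad(level)
        proof.append((level[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return root, proof


def verify_inclusion(root, account, pubkey, proof):
    """Client side: recompute the root from the leaf and the proof path."""
    h = leaf_hash(account, pubkey)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return hmac.compare_digest(h, root)


# Constructed sample directory; keys are placeholder bytes, not real identity keys
DIRECTORY = {
    "alice": b"alice-identity-key-v1",
    "bob": b"bob-identity-key-v1",
    "carol": b"carol-identity-key-v1",
}


def check_contact(directory, account, claimed_key):
    """Fetch a proof for the contact and verify the key the client was handed."""
    root, proof = inclusion_proof(directory, account)
    return verify_inclusion(root, account, claimed_key, proof)


def demo():
    genuine = check_contact(DIRECTORY, "carol", DIRECTORY["carol"])
    substituted = check_contact(DIRECTORY, "carol", b"some-other-key")
    # A key change in a later directory version yields a different root,
    # which is what a client or auditor comparing published roots would notice.
    later = dict(DIRECTORY, bob=b"bob-identity-key-v2")
    root_now, _ = build_tree(DIRECTORY)
    root_later, _ = build_tree(later)
    return genuine, substituted, root_now != root_later
```

A key that does not match the directory entry fails the proof, and any change to an entry changes the published root, so a client that remembers the last root it saw can tell that the directory moved on. Protocols such as CONIKS and SEEMless add what this toy omits: hiding which accounts are in the directory and committing to the full history of key changes so that past roots cannot be silently rewritten.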
WhatsApp intends to enable this feature in the coming months, although it already hosts and operates an Auditable Key Directory of all its users. “This is an important mechanism that empowers security-conscious users to quickly verify end-to-end encrypted private conversations,” the company added.
(Story was updated after publication to include more information about how the Device Verification and Key Transparency features work.)