WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks
Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user’s mobile device doesn’t impact their account.
“Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,” the Meta-owned company said in an announcement.
Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor’s connection and allowing the target to use the app without any interruption.
In other words, the goal is to deter attackers’ use of malware to steal authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links.
This, in turn, is achieved by introducing a security-token that’s stored locally on the device, a cryptographic nonce to identify if a WhatsApp client is contacting the server to retrieve incoming messages, and an authentication-challenge that acts as an “invisible ping” from the server to a user’s device.
The client is required to send the security-token every time it connects to the server. The security-token, for its part, is updated every time it fetches an offline message from the server.
An authentication-challenge is considered a failure when the client responds to the challenge from a different device, indicating an anomalous connection originating from an attacker. This causes the connection to be blocked.
Should there be no response from the client, the process is retried a “few more times,” after which the connection will be blocked if the client still doesn’t respond.
WhatsApp said Device Verification has been rolled out to all Android users and that it’s in the process of being rolled out to iOS users.
The feature is part of a broader set of new enhancements that are designed to authenticate and verify users’ identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.
Also launched by WhatsApp is a “Key Transparency” feature to automatically confirm whether chats are end-to-end encrypted without requiring any additional actions from the user.
To do so, it’s implementing a new Auditable Key Directory (AKD) that’s based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.
“The AKD will enable WhatsApp clients to automatically validate that a user’s encryption key is genuine and enables anyone to verify audit-proofs of the directory’s correctness,” the company said.
Verification currently requires users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number) by sending it to the participant on the other end via SMS or email, or alternatively by scanning the QR code if the parties are physically next to each other.
The security code is nothing but a unique hash of both the public/private key pair that’s generated to facilitate end-to-end encrypted messaging. It can change when users switch devices or reinstall WhatsApp.
Key Transparency streamlines the verification process by making use of an automated flow that maintains a record of public key changes in a directory, thereby allowing a client to check against it.
WhatsApp intends to make this feature live in the coming months, although it’s already hosting and operating an Auditable Key Directory of all its users. “This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly,” the company added.