For many years, many cyber security professionals (myself included) have droned on about the need for people to change their default passwords to something only they know.

You know the ones:

  • your router admin page
  • your Wi-Fi password
  • your mobile phone
  • your Windows / Mac password
  • your M&S sparks account
  • your NEXT account
  • your Ring doorbell
  • etc.

But what about your voicemail PIN?

Have you changed that one?

WhatsApp hack

In recent months WhatsApp accounts have been targeted in a very simple attack, and this is how it works:

Step 1 – You are asleep. A hacker attempts to log in to your WhatsApp account.

Because you’ve set up 2FA, you get a text message with a PIN that says “Do not share this”.

But you don’t see this text, because you are asleep.

Step 2 – The hacker clicks on the option that says the SMS didn’t arrive and asks for a verification by phone.

WhatsApp now calls your phone, but you’re sleeping, and the phone is on silent, so the call goes to voicemail.

Your voicemail stores the automated message with the PIN that the attackers are trying to obtain.

Step 3 – The hacker now accesses your voicemail by calling your number and, when the voicemail kicks in, pressing the * key, which is the prompt to log in.

By simply trying the default PIN, which you haven’t changed, they can now access your messages.

For a large number of mobile operators worldwide, the default PIN is the last 4 digits of your mobile number; for many other carriers it is 0000 or 1111.

Note: Most, but not all, UK mobile operators enforce a rule that forces you to change your default PIN the 1st time you use voicemail. So this should not affect most UK WhatsApp users.

Once they access the voicemail, they retrieve the PIN and delete the message.

The hackers can now log in to your WhatsApp.

Conclusion

Change your defaults, whatever device or account they are on – change them to something only you know. If there is an option to use 2FA or MFA, then set that up as well.

Having any of your accounts or systems compromised is a horrible thing, so make it harder for criminals to target you and your accounts.