WhatsApp, the popular instant messaging app, announced a new account verification feature on Thursday to safeguard users’ accounts from malware. Owned by Meta, WhatsApp seeks to counter the growing threat of mobile device malware that can compromise users’ devices without consent and send unsolicited messages using their accounts.
Device Verification to thwart ATO attacks
Device Verification, the new security measure, aims to fight account takeover (ATO) attacks. It blocks threat actors’ connections and lets users affected by malware continue using the app without disruption. Its main goal is to stop attackers from using malware to steal WhatsApp authentication keys, take over victims’ accounts, and impersonate them to send spam and phishing links to their contacts.
The feature brings a security-token stored locally on the device, along with a cryptographic nonce to determine when a WhatsApp client contacts the server for new messages. It also includes an authentication-challenge that serves as an “invisible ping” between the server and the user’s device. Every time the client connects to the server, it needs to send the security-token and update it when fetching offline messages.
If a client responds to an authentication-challenge from a different device, indicating an attacker’s connection, the challenge is considered a failure, and the connection is blocked. If the client doesn’t respond after several attempts, the connection is also blocked.
WhatsApp enhances user authentication and encryption verification
WhatsApp has rolled out Device Verification to all Android users, with iOS users soon to follow. This feature is a component of a larger set of improvements for authenticating and verifying users’ identities. It also includes alerts for account migration attempts between devices.
Additionally, WhatsApp has launched the Key Transparency feature, which automatically confirms end-to-end encryption in chats without user action. WhatsApp employs a new Auditable Key Directory (AKD) based on protocols such as CONIKS and SEEMless to enhance conversation security for users. The AKD enables WhatsApp clients to automatically validate a user’s encryption key and allows for audit-proof directory verification.
At present, users have to manually compare security codes. They can send them via SMS or email, or scan QR codes when physically close to each other. Key Transparency simplifies this process with an automated flow that logs public key changes. This allows clients to check against the directory. WhatsApp plans to launch this feature in the coming months. However, an Auditable Key Directory is already operational for all users.
{{user}} {{datetime}}
{{text}}