With over 2 billion users in the world, WhatsApp has for years been the ideal place to run scams of all kinds. For a few days, for example, one that first appeared last year and had a first flare-up in April, during the first lockdown, has been back in vogue.
This is the second authentication factor (2FA) scam, better known as the 6-digit code scam. Compared to other scams that run on the messaging platform, this one is different for two reasons: the first is that it uses a WhatsApp security mechanism, the second is that its final purpose is to take possession of the victim's profile. Furthermore, it is a "second level" scam, because to succeed it must be run from an already hacked profile. In short, it is not within everyone's reach and, precisely for this reason, particularly dangerous.
How the WhatsApp 2FA scam works
This scam exploits the legitimate mechanism provided to change number on WhatsApp, which involves sending a confirmation code to the new number as a second authentication factor (also called OTP: One Time Password). It is a six-digit numeric PIN, sent by SMS.
The scam works like this: if a hacker has managed to take control of a WhatsApp profile that is among our contacts, he can try to take control of ours too (or of any of the first victim's contacts). He just launches the number change procedure on WhatsApp and enters our number as the new one. To this number, that is ours, the confirmation SMS is sent, containing the 6-digit code and also a link. To confirm the "portability" on WhatsApp the hacker must receive this code, or he has to convince us to tap that link.
To do this, from the profile (that was) of our contact, he sends us a message stating that he has sent a code to our number by mistake and asks us to send it back to him. If we do, however, he can enter it on his smartphone and within a few seconds take possession of our WhatsApp account.
From then on he cannot read previous messages, but he can access all our groups and chat with all our contacts on our behalf, without anyone having any way of realizing that it is not us. A definitely worrying prospect.
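To make clear why the code alone decides who owns the account, here is a toy model of a phone-number-based registration flow, added to this article as an illustration (it is a constructed example, not WhatsApp's real implementation; the service class, session names and phone number are assumptions). The server binds the code to the number and to the device that asked for it, never to the person who actually holds the phone, so if the owner forwards the code the requesting device wins.

```python
"""Toy model of number-based registration (constructed example, not WhatsApp's code).
Shows that the only thing binding an account to a device is the 6-digit code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Registration:
    code: str
    requested_by: str  # session (device) that launched the number-change procedure


@dataclass
class RegistrationService:
    owners: dict = field(default_factory=dict)         # phone number -> owning session
    pending: dict = field(default_factory=dict)        # phone number -> Registration
    notifications: list = field(default_factory=list)  # (phone number, text) shown on the phone

    def request_code(self, phone: str, session: str) -> str:
        """Any device may ask for a code for any number. The code is sent by SMS to the
        number itself (never to the requester) and the current owner gets a warning."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = Registration(code, session)
        self.notifications.append(
            (phone, "The WhatsApp registration code for your phone number has been requested"))
        return code  # the SMS content that lands on the phone that owns the number

    def confirm(self, phone: str, session: str, code: str) -> bool:
        """The requesting session presenting the right code takes over the account."""
        reg = self.pending.get(phone)
        if reg is None or reg.requested_by != session:
            return False
        if not secrets.compare_digest(reg.code, code):
            return False  # wrong or guessed code: nothing changes
        del self.pending[phone]
        self.owners[phone] = session
        return True


def simulate(victim_forwards_code: bool) -> RegistrationService:
    """Attacker launches the number change from an already hacked profile and enters
    the victim's number; the outcome depends only on whether the victim sends the code back."""
    svc = RegistrationService()
    victim = "+39000000001"  # constructed sample number
    svc.owners[victim] = "victim-phone"
    sms_code = svc.request_code(victim, "attacker-phone")  # SMS arrives on the victim's phone
    svc.confirm(victim, "attacker-phone", "000000")        # guessing does not work
    if victim_forwards_code:
        svc.confirm(victim, "attacker-phone", sms_code)    # "you sent me a code, send it back"
    return svc
```

Run `simulate(True).owners` and `simulate(False).owners` side by side: the notification is generated in both cases, but the account changes hands only when the code is handed over.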
How to defend against the 6-digit code WhatsApp scam
WhatsApp itself, in the pages of its online help, invites users to be wary of these messages. When the SMS is sent, WhatsApp also sends a notification to the target smartphone: "The WhatsApp registration code for your phone number has been requested".
All of this is absolutely insufficient to warn users of this scam and, for sure, WhatsApp should design a procedure that makes attempts to steal a profile clear.
As long as this procedure is not implemented, however, the only way users can defend themselves is to inform themselves and do two things: the first is to never share the code received, the second is to immediately contact, by phone, the person from whose WhatsApp profile the message arrived.
This is because that profile has certainly been stolen and the rightful owner may not have noticed. And, as long as he doesn't notice, the perpetrator of the profile theft can continue to use it for illicit purposes.