Malicious WhatsApp account takeovers are making news again this week, with more users tricked into surrendering their accounts to attackers, who then target the victims' contacts with malware and financial scams. WhatsApp is not as secure as you might think, but it does offer safeguards that stop your account being hijacked this way. You need to change your settings, and you should do that today.
This hack relies on social engineering rather than on any flaw in WhatsApp's encryption. The attacker, using an already hijacked account belonging to one of your friends, starts registering your phone number on their own device. WhatsApp sends the six-digit registration code by SMS to your phone, and the attacker, posing as your friend, asks you to forward it. Once you do, your number is registered to their device and they can take over your account as well. Getting the account back can take serious time and effort, and the attackers know how to make it harder by switching on extra security settings of their own to confuse and delay the recovery process.
You can protect against this. You can also protect against other security weaknesses in your WhatsApp app by changing some of your settings. WhatsApp should be more secure—it is getting the balance of security and functionality wrong. As Joel Wallenstrom, CEO of uber-secure WhatsApp rival Wickr, told me, “WhatsApp is designed for consumer use, and like other consumer products, security takes a back seat to fun… If you are a consumer who wants to take privacy more seriously, then try to avoid products from companies who are monetizing end-user data.”
But the reality is that WhatsApp wins out for the size of its user-base and its simplicity. It has become the default SMS replacement for many of us. Despite its shortcomings, Wallenstrom describes WhatsApp as “a huge step up from SMS—having billions of users more protected on WhatsApp is good for the world.” And you can make it a lot safer and more secure than it is by default. Here are three settings that you must change and one that you can change if you want to be especially secure.
Let's start with that SMS account takeover hack. WhatsApp provides “two-step verification,” which lets you set a six-digit PIN in the app. This is separate from the code that WhatsApp sends by SMS when you install and register the app on a new phone: the PIN must also be entered to complete registration of your number on a new device, and WhatsApp asks for it periodically within the app so that you don't forget it. Even if an attacker gets hold of that WhatsApp SMS code to register your account on their phone, they will fail to complete the hijack without knowing your two-step verification PIN.
Everyone using WhatsApp must use this security setting. I can't stress that enough. I am inundated with emails from users who have found my articles on WhatsApp hacks after falling victim. WhatsApp should really make this mandatory, in the same way that two-factor authentication is now mandatory with many online banking and other financial apps. In WhatsApp, go to Settings—Account and you will see the Two-Step Verification option. You can set the PIN and an email address to use as a backup if you ever forget that PIN; without that email, forgetting the PIN means waiting out a lock-out period before you can re-register. Obviously, never share that PIN with anyone, and remember that WhatsApp will never ask you to send either the PIN or the SMS code in a chat.
Next, we come to WhatsApp’s perilous handling of photos and videos. This is exactly the kind of lapse Wallenstrom has in mind when he claims WhatsApp puts fun ahead of security. By default, when a contact sends you photos or videos in a chat, these are saved to the album on your phone. That might be convenient but it’s also dangerous. You should only save photos and videos when you can vouch for the sender and you are sure the photos or videos were taken by a person you know—not found online or on social media sites and then shared over WhatsApp.
While WhatsApp itself is unlikely to be compromised simply by displaying a media file, once that file is saved to your phone it is handled by other software as well: the gallery, the system's media indexer, and whichever apps you later open or share it with. If the file carries a malformed payload aimed at a bug in one of those parsers, it could run malware or crash your device or apps. ESET's Jake Moore warns that “automatically saving WhatsApp photos is like leaving your front door open—it comes with a level of risk which is not a necessity and could potentially harm your phone.” Check Point's Ekram Ahmed describes saved media files as “a Trojan horse for hackers to invade your phone.” His firm recently disclosed that just such a media file could hijack your Instagram account. In WhatsApp on iPhone, go to Settings—Chats and disable “Save to Camera Roll.” On Android, go to Settings—Chats and turn off “Media visibility,” which keeps received media out of your gallery; note that this does not stop WhatsApp downloading the files in the first place, which is controlled separately by the media auto-download options under Settings—Storage and data.
The third setting you should change is less acute, and is more about protecting your privacy and keeping data that could be used in social engineering attacks out of attackers' hands. Under Settings—Account—Privacy, you can decide who can see your “last seen” status, your profile photo and your about information. There is one setting here that is critical: limiting who can add you to groups. In each case, you can select Everyone, My Contacts, or something more restrictive (Nobody for the personal information; for groups, “My Contacts Except…” lets you exclude particular contacts). None of these should be set to “Everyone”; at the very least, limit them to just your contacts.
The most important of these is the groups setting. If you don't limit it, anyone with your phone number can add you to a group without your consent and then push messages and attachments at you. The risks of this kind of malicious group spam have been highlighted before. The other settings limit the metadata that can be mined across WhatsApp. Knowing when you are online, and correlating that with when others you know are online, is a powerful dataset, as are your profile information and profile photo. There's no reason to share any of this indiscriminately.
The final WhatsApp security weakness is the most contentious, and it affects iPhone users more than those on Android. Right now, the backup options WhatsApp offers are Apple's iCloud and Google Drive; Android users can opt for a local backup instead, but iPhone users cannot. These backups protect your chat histories if you lose your device, and also provide a mechanism to transfer chats to a new device.
When your chat history is backed up to the cloud this way, it leaves the protection of end-to-end encryption: the backup is not encrypted with a key that only you hold, so its content can be accessed by Apple or Google, and handed over to law enforcement, for instance, if they are legally required to do so. On Android, you can use local backups and then move the files to an external storage drive at home to keep them under your control. iPhone users can back up through iTunes instead, although that backs up the whole device and can't isolate WhatsApp's data, and it is a manual hassle. If you do disable iCloud backups, you can still transfer chats to a new iPhone through Apple's excellent direct device-to-device transfer option.
If this is a concern to you, as it is to WhatsApp's more security-conscious iPhone users, you can disable cloud backups under Settings—Chats—Chat Backup. This will be a step too far for most users, as it doesn't represent an everyday security risk in the way the other three settings might. But a cloud backup does undermine the locked-down benefits of end-to-end encryption, and so it is worth bearing in mind.
WhatsApp is not as secure as the likes of Signal and Wickr, and when it comes to multiple device options and backup encryption it falls short of Apple’s iMessage, but it is well suited to most messaging requirements and its security for everyday use is just fine. WhatsApp’s huge user-base ensures that almost everyone you know will have it installed, and that makes it the best alternative to the woefully unsecured SMS standard on all our phones. And if you change the settings as recommended above, you’ll go a long way to making WhatsApp much, much safer.
forbes.com