Sep 22, 2019, 1:59:48 AM via Website
A friend, who does not have 2FT activated, was tricked into reading out a Whatsapp confirmation PIN received on his phone via SMS, and an attacker took over his Whatsapp account (probably using Whatsapp on a mobile phone without a SIM card but connected to a WiFi network) and immediately started asking his contacts, including me, for money. Somehow the attacker also managed to uninstall the app from my friend's mobile phone. When I suggested that he re-install the app and use the Whatsapp Web "Log Out From All Accounts" option to try to kick the attacker out, my friend had already contacted the mobile phone carrier helpdesk to block the number, and he is activating his number on a new SIM card, but I am afraid that will not stop the ongoing attack on his Whatsapp number...
Anyway, some 2 hours later I did a test and the attacker still holds the Whatsapp session under my friend's mobile number. I asked how much money he needed to be transferred and there was an answer, obviously not from my friend...
So, my question: is there any easy way out of this loophole? What is the easiest way to guarantee the attacker will be isolated? Wait for the mobile phone operator to reinstate the line on his new SIM card chip and activate 2FT? The hacker may already have done that using the Whatsapp app validated when my friend told him the PIN over the phone... As far as I can remember, there is no SMS confirmation to activate 2FT in case Whatsapp is already running on a phone that has been validated by the PIN received via SMS, which is something the attacker has already achieved. If the hacker is connected via WiFi and has a working Whatsapp application running, he has probably already activated 2FT... and my friend won't even be able to gain access to his Whatsapp account again, not to mention block an ongoing session.
Any suggestions to help deal with the scenario described are welcome!
I tried to google this, but it seems all Whatsapp security measures and articles do not take into account a simple con via a phone call... The con was about a confirmation of an ad posted to sell a car online, and the attacker presented himself as an employee of the ads website.