
Popular instant messaging app WhatsApp on Thursday announced a new account verification feature designed to stop malware running on users’ mobile devices from hijacking their accounts.
“Mobile device malware is one of the biggest threats to people’s privacy and security today, as it can take advantage of the phone without the user’s permission and use WhatsApp to send unwanted messages,” Meta, the company that owns WhatsApp, said in a statement.
The security measure, called Device Verification, is designed to help prevent account takeover (ATO) attacks by blocking the attacker’s connection while letting the targeted user keep using the app without interruption.
The goal is to stop attackers from using malware to steal authentication keys, take over victims’ accounts, and send spam and phishing links while impersonating the victim.
It is built from three components: a security token stored locally on the device, a cryptographic nonce that identifies whether the WhatsApp client is contacting the server to retrieve incoming messages, and an authentication challenge that acts as an “invisible ping” from the server to the user’s device.
The client must present the security token each time it connects to the server, and the token is refreshed each time the client fetches offline messages from the server, so a copy stolen earlier goes stale.
An authentication challenge is considered a failure if the client responds to a challenge from a different device, which indicates an anomalous connection originating from an attacker. In that case the connection is blocked.
If the client does not respond at all, the challenge is retried “a few more times”; if there is still no response, the connection is blocked.
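The following is an added toy model of the flow described above, written for this page; it is not WhatsApp’s code and WhatsApp has not published the protocol details. The token length, the HMAC-over-nonce response, the retry count of 3 and the routing of the challenge to the enrolled device rather than to whoever connected are all assumptions of this example. It walks through a legitimate connection (token rotated on fetch), a replay of a stale stolen token, a fresh stolen token used from a second device, and a victim phone that never answers the ping.

```python
"""Toy model of the Device Verification flow (example code, not WhatsApp's)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# The article only says the server retries the ping "a few more times";
# the real retry count is not public, so 3 is an assumption of this example.
CHALLENGE_RETRIES = 3


@dataclass
class Client:
    """A messaging client instance holding the locally stored security token."""
    device_id: str
    token: Optional[bytes] = None
    online: bool = True  # False simulates a phone that never answers the ping

    def answer(self, nonce: bytes) -> Optional[tuple[str, bytes]]:
        """Answer the server's 'invisible ping' by proving knowledge of the token."""
        if not self.online or self.token is None:
            return None
        return self.device_id, hmac.new(self.token, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.tokens: dict[str, bytes] = {}      # account -> current security token
        self.enrolled: dict[str, Client] = {}  # account -> the device that enrolled
        self.log: list[str] = []               # why each connection was blocked

    def enroll(self, account: str, client: Client) -> None:
        client.token = os.urandom(32)
        self.tokens[account] = client.token
        self.enrolled[account] = client

    def connect(self, account: str, device_id: str, token: bytes) -> str:
        """Handle a connection attempt. Returns 'ok', 'bad_token' or 'blocked'."""
        current = self.tokens.get(account)
        if current is None or not hmac.compare_digest(current, token):
            # Token was rotated after the malware copied it (or was never issued).
            return "bad_token"
        for _ in range(1 + CHALLENGE_RETRIES):
            nonce = os.urandom(16)
            # Assumption: the challenge is pushed to the enrolled device,
            # not to whichever connection presented the token.
            reply = self.enrolled[account].answer(nonce)
            if reply is None:
                continue  # no response yet: retry "a few more times"
            replier, mac = reply
            expected = hmac.new(current, nonce, hashlib.sha256).digest()
            if replier != device_id or not hmac.compare_digest(mac, expected):
                self.log.append(f"{account}: ping answered by {replier}, "
                                f"connection came from {device_id}")
                return "blocked"
            # Challenge passed: deliver offline messages and refresh the token.
            fresh = os.urandom(32)
            self.tokens[account] = fresh
            self.enrolled[account].token = fresh
            return "ok"
        self.log.append(f"{account}: no ping response, connection from {device_id}")
        return "blocked"


def run_scenarios() -> tuple[dict[str, str], list[str]]:
    """Constructed scenarios: one legitimate device, one attacker with a stolen token."""
    server = Server()
    victim = Client("victim-phone")
    server.enroll("alice", victim)
    results: dict[str, str] = {}

    stolen = victim.token                      # malware copies the token off the phone
    results["legit"] = server.connect("alice", "victim-phone", victim.token)
    results["stale_token"] = server.connect("alice", "attacker-phone", stolen)
    results["fresh_token"] = server.connect("alice", "attacker-phone", victim.token)
    victim.online = False                      # phone off: nobody answers the ping
    results["no_response"] = server.connect("alice", "attacker-phone", victim.token)
    return results, server.log


if __name__ == "__main__":
    outcome, reasons = run_scenarios()
    for name, verdict in outcome.items():
        print(f"{name:12s} -> {verdict}")
    for line in reasons:
        print("blocked:", line)
```

The point the model makes is that the token alone is not enough: even a freshly stolen token fails because the challenge is answered by a device other than the one that connected, and a silent device is treated as hostile after the retries are exhausted.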
WhatsApp said Device Verification is rolling out to all Android users and is in the process of rolling out to iOS users.
The feature is part of a broader set of additions designed to authenticate and verify a user’s identity, including alerts shown when an attempt is made to transfer a WhatsApp account from one device to another.
WhatsApp is also introducing a Key Transparency feature that automatically verifies that the encryption keys used in a chat are genuine, without requiring any additional action from the user.
To that end, the company is implementing a new Auditable Key Directory (AKD) based on existing protocols such as CONIKS and SEEMless, allowing users to verify the security of their conversations.
“AKD will enable WhatsApp clients to automatically verify that a user’s encryption key is genuine, making audit proofs of directory correctness verifiable by anyone,” the company said.
Verification currently requires chat participants to compare a security code, which exists as both a QR code and a 60-digit number, either by sending the number to the other participant via SMS or email, or by scanning each other’s QR codes when the two parties are physically together.
A security code is a hash derived from the participants’ public identity keys, the key pairs generated to enable end-to-end encrypted messaging; it changes if a user switches devices or reinstalls WhatsApp.
Key Transparency streamlines this verification with an automated flow: a public, auditable directory keeps a record of public key changes, and clients check the key they are handed against it.
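To make the directory idea concrete, here is an added example written for this page; it is not WhatsApp’s implementation. It uses a plain sorted Merkle tree rather than the prefix trees of CONIKS and SEEMless, and omits the VRF-based username privacy, epoch consistency proofs and signed roots those protocols add. The server publishes a root commitment and hands out inclusion proofs; the client recomputes the root from the proof and refuses any key that does not chain up to the root it has pinned. The `security_code` derivation (two 30-digit halves from a SHA-512 of each public key) is a simplification illustrating the hash-of-public-keys idea above, not WhatsApp’s exact scheme; the sample keys are constructed.

```python
"""Toy auditable key directory: sorted Merkle tree plus inclusion proofs (example code)."""
import hashlib
import hmac

LEAF, NODE = b"\x00", b"\x01"  # domain separation so leaves and nodes cannot collide


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(user: str, pubkey: bytes) -> bytes:
    return H(LEAF, user.encode(), b"|", pubkey)


class KeyDirectory:
    """Server side: publishes a root commitment and serves inclusion proofs."""

    def __init__(self, entries: dict[str, bytes]) -> None:
        self.entries = dict(sorted(entries.items()))  # deterministic leaf order
        self.levels = [[leaf_hash(u, k) for u, k in self.entries.items()]]
        while len(self.levels[-1]) > 1:
            lvl = self._padded(self.levels[-1])
            self.levels.append([H(NODE, lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])

    @staticmethod
    def _padded(level: list[bytes]) -> list[bytes]:
        # Duplicate the last node on odd-sized levels so every node has a sibling.
        return level + level[-1:] if len(level) % 2 else level

    def root(self) -> bytes:
        """The commitment a client pins (and an auditor checks) for this epoch."""
        return self.levels[-1][0]

    def lookup(self, user: str) -> tuple[bytes, list[tuple[bytes, bool]]]:
        """Return (pubkey, proof); proof = [(sibling_hash, sibling_is_on_left), ...]."""
        idx = list(self.entries).index(user)
        proof = []
        for level in self.levels[:-1]:
            lvl = self._padded(level)
            sib = idx ^ 1
            proof.append((lvl[sib], sib < idx))
            idx //= 2
        return self.entries[user], proof


def verify_inclusion(user: str, pubkey: bytes, proof, root: bytes) -> bool:
    """Client side: recompute the root from the leaf and compare to the pinned one."""
    node = leaf_hash(user, pubkey)
    for sibling, sibling_is_left in proof:
        node = H(NODE, sibling, node) if sibling_is_left else H(NODE, node, sibling)
    return hmac.compare_digest(node, root)


def security_code(pubkey_a: bytes, pubkey_b: bytes) -> str:
    """Simplified 60-digit code: two 30-digit halves, one per public key, sorted so
    both parties compute the same string. Not WhatsApp's exact derivation."""
    def half(pk: bytes) -> str:
        return f"{int.from_bytes(hashlib.sha512(pk).digest()[:16], 'big') % 10**30:030d}"
    return "".join(sorted([half(pubkey_a), half(pubkey_b)]))


def demo() -> dict[str, bool]:
    # Constructed sample keys standing in for real identity public keys.
    keys = {"alice": bytes([1]) * 32, "bob": bytes([2]) * 32, "carol": bytes([3]) * 32}
    directory = KeyDirectory(keys)
    pinned_root = directory.root()  # what an auditor would attest for this epoch

    bob_key, proof = directory.lookup("bob")
    genuine = verify_inclusion("bob", bob_key, proof, pinned_root)

    # A server substituting its own key for Bob cannot produce a proof that
    # chains up to the root it already published.
    substituted = verify_inclusion("bob", bytes([9]) * 32, proof, pinned_root)

    # After Bob reinstalls, a new key is published in a new epoch: root and code change.
    reinstalled = bytes([4]) * 32
    new_dir = KeyDirectory({**keys, "bob": reinstalled})
    return {
        "genuine_key_verifies": genuine,
        "substituted_key_verifies": substituted,
        "root_changed_after_reinstall": new_dir.root() != pinned_root,
        "security_code_changed": security_code(keys["alice"], keys["bob"])
        != security_code(keys["alice"], reinstalled),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The design point is that the client never has to trust the key the server hands it: the proof must reproduce a root that was published once and can be checked by anyone, which is what lets the manual 60-digit comparison become a background check.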
WhatsApp already hosts and operates an auditable key directory for all its users and plans to roll out the feature in the coming months. “It’s an important mechanism that allows us to quickly verify encrypted personal conversations,” the company added.