WhatsApp Comes Out With New Tools To Stop Account Takeover Attacks

I don’t normally cover WhatsApp, but this announcement is important. WhatsApp has announced several new security features, one of which it calls “Device Verification”, designed to combat account takeover (ATO) attacks.
 
“Device Verification” is intended to prevent malware from using stolen authentication keys to impersonate accounts. Attackers’ account-hijacking attempts will automatically be blocked by undetectable back-end checks using three new parameters:

  1. A security token stored on the device,
  2. A nonce used to identify if the client is connecting to retrieve a message from WhatsApp’s servers, and
  3. An authentication challenge that will asynchronously ping the user’s device.
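To make the three parameters concrete, here is a small back-end model of how such checks fit together. This is an added illustration for this post, not WhatsApp’s code or protocol: the token derivation, the nonce-replay rule that triggers the challenge, and the HMAC challenge response are all assumptions chosen for clarity, and the device ids and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed secret for the example; a real back end would keep this in an HSM or KMS.
SERVER_SECRET = b"constructed-example-server-secret"


def issue_security_token(device_id: str) -> bytes:
    """Per-device security token (assumption: HMAC over the device id).
    It lives only on the enrolled device, separately from the account's
    authentication key, so malware that copies the auth key alone lacks it."""
    return hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).digest()


@dataclass
class DeviceRecord:
    token: bytes
    seen_nonces: Set[str] = field(default_factory=set)
    pending_challenge: Optional[bytes] = None


class VerificationServer:
    """Back-end checks modelled on the three parameters in the announcement."""

    def __init__(self) -> None:
        self.devices: Dict[str, DeviceRecord] = {}

    def register(self, device_id: str) -> bytes:
        token = issue_security_token(device_id)
        self.devices[device_id] = DeviceRecord(token)
        return token

    def check_retrieval(self, device_id: str, token: bytes, nonce: str) -> str:
        rec = self.devices.get(device_id)
        if rec is None:
            return "blocked: unknown device"
        # Check 1: the security token must match the one issued to this device.
        if not hmac.compare_digest(rec.token, token):
            return "blocked: bad security token"
        # Check 2: each retrieval carries a fresh nonce. A nonce already seen
        # means copied client state is being replayed, so raise a challenge
        # instead of serving the message.
        if nonce in rec.seen_nonces:
            rec.pending_challenge = secrets.token_bytes(16)
            return "challenge"
        rec.seen_nonces.add(nonce)
        return "allowed"

    def pending_challenge_for(self, device_id: str) -> Optional[bytes]:
        return self.devices[device_id].pending_challenge

    def answer_challenge(self, device_id: str, response: bytes) -> str:
        # Check 3: the challenge is answered with a MAC keyed by the device
        # token, so only the enrolled device can clear it.
        rec = self.devices[device_id]
        if rec.pending_challenge is None:
            return "no challenge pending"
        expected = hmac.new(rec.token, rec.pending_challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "blocked: challenge failed"
        rec.pending_challenge = None
        return "verified"


class Device:
    """A genuine client holding its own security token."""

    def __init__(self, device_id: str, token: bytes) -> None:
        self.device_id, self.token, self.last_nonce = device_id, token, ""

    def retrieve(self, server: VerificationServer) -> str:
        self.last_nonce = secrets.token_hex(8)
        return server.check_retrieval(self.device_id, self.token, self.last_nonce)

    def respond(self, server: VerificationServer) -> str:
        challenge = server.pending_challenge_for(self.device_id)
        if challenge is None:
            return "no challenge pending"
        return server.answer_challenge(
            self.device_id, hmac.new(self.token, challenge, hashlib.sha256).digest())


def demo() -> Dict[str, str]:
    """Walk through the three checks and return each outcome."""
    server = VerificationServer()
    token = server.register("phone-A")  # constructed device id
    phone = Device("phone-A", token)
    out: Dict[str, str] = {}
    out["genuine"] = phone.retrieve(server)
    # Account identity presented without the device-bound token.
    out["no_token"] = server.check_retrieval("phone-A", b"\x00" * 32, "fresh-nonce")
    # Copied client state replaying a nonce the genuine device already used.
    out["replayed_nonce"] = server.check_retrieval("phone-A", token, phone.last_nonce)
    # A wrong answer leaves the challenge pending; the enrolled device clears it.
    out["wrong_answer"] = server.answer_challenge("phone-A", b"\x00" * 32)
    out["genuine_answer"] = phone.respond(server)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:16s} {result}")
```

The point of the model is the layering: a missing token is rejected outright, a replayed nonce does not fail the request but escalates to a challenge, and the challenge can only be cleared by whoever holds the device-bound token. The user never sees any of this unless the challenge goes unanswered, which matches the “undetectable back-end checks” the announcement describes.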

Furthermore, “Account Protect” will act as a double-check when WhatsApp accounts are being linked to new devices, alerting users of unauthorized account transfer attempts.
 
Lastly, “Automatic Security Codes” is a new cryptographic security feature that uses key transparency and the Auditable Key Directory (AKD) to allow WhatsApp clients to validate user encryption keys automatically and to confirm if end-to-end encryption is enabled.

I have two comments on this. The first is from George McGregor, VP, Approov:

   “The announcement of integration of device verification into WhatsApp provides a clear message to the industry about the dangers of stolen authentication keys being used by cloned and copied mobile apps.

   “All mobile app developers should take steps to prevent keys being stolen and exploited and there are solutions which can make it easy to manage keys properly and implement device and app attestation at runtime.”

Willy Leichter, VP, Cyware follows up with this:

   “It’s encouraging to see applications like WhatsApp and other application vendors implement protection features for the host device – not just their internal application. WhatsApp seems to realize that hijacked accounts are bad for their business, and they need to deal with ATO attacks targeting user devices.”

I for one hope that this move by Meta will be copied by others as that will make us all safer. The bottom line is that this is a great idea that is long overdue.
