There has been a rise in the number of people targeted by the WhatsApp OTP scam. The attack is pretty simple but effective. Someone downloads and installs WhatsApp on their own device and registers it using your mobile number. The OTP SMS is sent to your phone. The bad actor then contacts you via WhatsApp claiming they sent the message to your phone by mistake, or uses some similar trick. You give them the OTP, and they proceed to hijack your account.
WhatsApp currently doesn’t support multiple devices. This means that when your account is hijacked you will be kicked out and the attacker will be using your account in the interim. They can leverage the takeover to do further damage: for example, they can proceed to hijack your friends’ WhatsApp accounts, or intercept OTP codes for other services that are delivered to you via WhatsApp.
Two-factor authentication defeats such attacks
WhatsApp does provide two-factor authentication, which would frustrate this sort of attack, and all you need to do is activate it. Two-factor authentication offers an extra layer of security. In addition to the OTP, you will need to enter a six-digit PIN whenever you change devices or reinstall WhatsApp. This means that attackers who try to gain access to your account using just the OTP will be stopped dead in their tracks unless you foolishly give them your PIN too.
How to turn on 2FA on WhatsApp
The steps are pretty simple:
- Click on the three dots at the top right corner of WhatsApp
- Go to WhatsApp Settings
- Tap on Account
- Then tap Two-step verification
- Tap on the green Enable button
- Enter a six-digit PIN of your choice. Make sure it’s a number you will remember but which is still random. Do not use 123456 or 654321, please.
- Confirm it by entering it again on the next screen.
- Enter your email on the next screen. While WhatsApp claims this is optional, it’s really not an option in my book nor should it be optional to you.
- Confirm the email address and tap Save and then tap Done.
- You can always change your email address by following the first five steps above.
That’s it, you are safe. I am assuming you didn’t enter 123456 or some stupid passcode, of course. The next time you reinstall WhatsApp you will have to enter the six-digit code you provided above. If you don’t, you will not be able to sign in.
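To make concrete why the PIN stops the scam, here is an added example (not WhatsApp’s code, and not part of the original post): a toy registration service in Python that models the two flows described above. With only the SMS OTP required, whoever talks the victim into reading out the code can register the number on a new device; with two-step verification on, the same handed-over OTP is refused without the PIN, and repeated PIN guesses invalidate the OTP. It also includes a PIN strength check that rejects the weak choices the post warns against (123456, 654321) and generalises to repeated digits and ascending or descending runs. The phone number, device names and PIN are constructed values.

```python
"""Toy model of WhatsApp-style device registration: OTP alone versus
OTP plus two-step verification PIN. Added example; all values constructed."""
import hmac
import secrets

WEAK_PINS = {"123456", "654321"}  # the two examples the post calls out


def is_weak_pin(pin: str) -> bool:
    """True for PINs an attacker would guess first: wrong length or
    non-digits, the listed examples, all-same digits (111111), and
    straight ascending or descending runs (234567, 987654)."""
    if len(pin) != 6 or not pin.isdigit():
        return True
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


class Account:
    def __init__(self, phone: str):
        self.phone = phone
        self.pin = None            # None: two-step verification is off
        self.device = "owner-phone"
        self.pending_otp = None
        self.pin_failures = 0


class RegistrationService:
    MAX_PIN_FAILURES = 3

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        # Simulates the SMS channel: phone -> last OTP delivered to that handset.
        self.sms_inbox: dict[str, str] = {}

    def enable_two_step(self, phone: str, pin: str) -> None:
        if is_weak_pin(pin):
            raise ValueError("weak PIN rejected")
        self.accounts[phone].pin = pin

    def request_otp(self, phone: str) -> None:
        """Anyone, from any device, can trigger this; the code always lands on
        the legitimate owner's handset, which is what the scam relies on."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.accounts[phone].pending_otp = otp
        self.sms_inbox[phone] = otp

    def register_device(self, phone: str, new_device: str, otp: str, pin=None) -> str:
        acct = self.accounts[phone]
        if acct.pending_otp is None or not hmac.compare_digest(otp, acct.pending_otp):
            return "denied: bad otp"
        if acct.pin is not None:  # second step: the PIN only the owner knows
            if pin is None or not hmac.compare_digest(pin, acct.pin):
                acct.pin_failures += 1
                if acct.pin_failures >= self.MAX_PIN_FAILURES:
                    acct.pending_otp = None  # burn the OTP after repeated guesses
                    return "denied: too many pin attempts, new otp required"
                return "denied: bad pin"
        acct.pending_otp = None
        acct.pin_failures = 0
        acct.device = new_device
        return "ok"


VICTIM = "+15550100"       # constructed number
VICTIM_PIN = "480271"      # constructed, passes is_weak_pin


def _fresh_service(two_step: bool) -> RegistrationService:
    svc = RegistrationService()
    svc.accounts[VICTIM] = Account(VICTIM)
    if two_step:
        svc.enable_two_step(VICTIM, VICTIM_PIN)
    return svc


def simulate_scam(two_step: bool) -> str:
    """Scammer registers the victim's number on their own device and talks
    the victim into reading out the code that arrived on the victim's phone."""
    svc = _fresh_service(two_step)
    svc.request_otp(VICTIM)
    handed_over = svc.sms_inbox[VICTIM]  # the victim reads this out
    return svc.register_device(VICTIM, "scammer-phone", handed_over)


def simulate_owner_reinstall() -> str:
    """The legitimate owner reinstalls: has the OTP on their phone and knows the PIN."""
    svc = _fresh_service(True)
    svc.request_otp(VICTIM)
    return svc.register_device(VICTIM, "owner-new-phone", svc.sms_inbox[VICTIM], VICTIM_PIN)


if __name__ == "__main__":
    print("OTP only, scammer:", simulate_scam(False))
    print("Two-step on, scammer:", simulate_scam(True))
    print("Two-step on, owner:", simulate_owner_reinstall())
```

The point the model makes is the one in the post: the OTP is not a secret the owner controls, since anyone can cause it to be sent and then ask for it, whereas the PIN never leaves the owner unless they hand it over as well.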
You can of course use your email to recover the six-digit PIN code in the event that you forget it. That’s why you shouldn’t skip entering that email. I have a good memory myself but I have been known to forget the occasional password and even a PIN.
To make sure you don’t forget your PIN, WhatsApp has a neat trick. Once in a while you will be asked to enter your PIN just as you are about to use WhatsApp.