Protecting WhatsApp accounts
The Ministry of Justice (MoJ) permits the use of WhatsApp for text messaging, voice and video calls. You should avoid using it for business tasks involving personal or sensitive data.
You should always keep WhatsApp account details safe and secure. Accounts link with specific devices. When you register your device with a WhatsApp account, that provides some protection. Only the registered device can send or receive messages associated with you.
Unfortunately, device registration is a tempting target for attackers. It is a way for potential compromise of user data. Compromises affect backups of conversations, and contact lists.
A compromised account might also attack other people. An attacker might pretend to be a user, and so target other contacts. They might make their way to compromise a high-value target.
An example scenario might be an attack on the WhatsApp account of a family member of an MoJ employee. The attacker compromises the family member’s WhatsApp account. They then pretend to be the family member. They contact the MoJ employee through the contact list. The employee trusts the message: it seems to come from the family member.
How a WhatsApp attack works
Note: This document does not provide full details of how to attack a WhatsApp account. We provide enough information to understand helpful protective steps.
Registering a device with a WhatsApp account uses an authentication code (a PIN code). The attacker tricks the victim into revealing the device registration code. They then deregister the victim’s device from the WhatsApp account. Next, they register the attacker’s device with the WhatsApp account.
The key point is the authentication code. It’s very important to keep this secret, like a password.
Recovering and protecting your WhatsApp account
You can often recover a compromised WhatsApp account. A good way is to use your device telephone number. Use the app to ask for a 6-digit SMS verification code. When the code gets to your phone, enter it into the app. After re-authenticating your phone, the attacker is automatically disconnected. They cannot reconnect without a fresh authentication code.
While recovering an account, you might have to provide a two-step verification PIN. If you don’t have this code, it suggests the attacker enabled two-step verification. Without the code, you must wait 7 days before you can sign in to WhatsApp. But the attacker is disconnected from the account immediately when the code is sent. Although you can’t get into your account for a week, the attacker cannot get into your account at all.
When you reconnect into your WhatsApp account, check for any unknown devices. Do this by checking Linked Devices in the WhatsApp settings menu.
Always enable two-step verification on your account. Any future attempt to register a device needs a PIN to enable the app. Do this by going into the Settings then Account menu on the app. Select the Two-step verification option.
If there’s something suspicious about your MoJ account, or the messages in the account, contact the MoJ Security team. Ask for help as soon as possible.
Always follow MoJ policy about applications for official business or storing business-related information. Don’t use unapproved applications for MoJ official business. Don’t use unapproved applications for storing MoJ business-related data. Always use approved applications and storage tools.
WhatsApp account do’s and dont’s
Do ask Security team for help if you think your WhatsApp account has been compromised.
Do enable two-step verification on your account. Do this by going into the Settings then Account menu on the app. Select the Two-step verification option.
Do tell everyone on your contact list if you think your WhatsApp account has been compromised.
Do check the list of linked devices at regular intervals. Look for unknown or unexpected devices. Do this by checking Linked Devices in the WhatsApp settings menu.
Do not share a WhatsApp one time passcode, password, or authentication code with anyone.
Do not use unapproved or unauthorised applications for work purposes.
Do not use personal accounts for work purposes.
Contact details
For any further questions or advice relating to security, contact: security@justice.gov.uk.
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.