StarHub still using default voicemail PINs exploitable by hackers | The New Paper

The police warned last month that WhatsApp accounts could be hacked by crooks in a complex method that exploits a loophole involving default PINs for accessing voicemail.

StarHub is the only telco using such PINs for its existing customers, The Straits Times has learnt, although since 2018, voicemail is no longer provided for new mobile customers.

StarHub's spokesman said a small number of customers had asked for help from the telco after they lost access to their WhatsApp accounts because of the voicemail loophole.

The telco referred these customers to steps detailed by WhatsApp's help centre and advised them to reset their voicemail PIN as an extra safeguard.

They can change their four-digit default voicemail PIN to their own four- to seven-digit code by calling 1303.

"We are monitoring this development closely and we will, where necessary, take further action," said the spokesman.

He added that work is being done to eventually end the telco's voicemail service.

The police on June 2 said scammers had found a way to take over people's WhatsApp accounts and pose as a victim's friend and trick the person into parting with his money in a gold scam.

The accounts were hacked by exploiting a WhatsApp voice verification process and the default PINs used to access voicemail.

When contacted, WhatsApp would not say if it would stop using voice verification.

But it said it has rolled out awareness campaigns on social media by working with local personalities, as well as the police, to educate people on staying safe when using the messaging service.

To prevent WhatsApp accounts from being hacked, the police have advised people to enable a two-step verification process under "account" in their WhatsApp settings.

Consumers should also contact their telcos to change their voicemail account's default PIN or to deactivate voicemail.

The voicemail exploit could also be used to take over other types of online accounts.

Mr Feixiang He from cyber security firm Group-IB said that, for instance, tech giant Google has a "call me" option that allows people to get a one-time code through a phone call for purposes such as resetting their Gmail account password.

Using the same default-voicemail-PIN method, hackers could retrieve this code from the victim's voicemail, provided the victim has voicemail activated, does not answer the call, and had earlier set Google to deliver the code by phone call.

How the voicemail hacking method works

The scammer tries to log into a victim's WhatsApp account on his own device and deliberately fails the verification process by keying in the wrong codes repeatedly.

When the verification fails too many times, WhatsApp calls the victim's phone number to provide a verification code in an audio message.

If the victim ignores the call or if his phone is not switched on, such as when he is asleep, the audio message is directed to the victim's voicemail.

The scammer accesses the victim's voicemail remotely by using the default voicemail PIN and steals the WhatsApp code to take over the victim's WhatsApp account.

This works only if the victim has voicemail enabled, has never changed the default voicemail PIN (which StarHub still issues to existing customers, even though voicemail has not been offered to new mobile customers since 2018), and has not set up two-step verification in WhatsApp.
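The chain described above, and the Google "call me" variant mentioned earlier, modelled as an added example. This is not WhatsApp's, Google's or StarHub's code: the verification service, mailbox and attacker are stand-ins that reproduce the sequence in the article so that the three defences (a non-default voicemail PIN, answering the call or disabling voicemail, and two-step verification) can be exercised. The default PIN value, the three-failure threshold before the voice call, the wording of the voicemail message and the phone number are all assumed; none are taken from the article.

```python
"""Toy model of the voicemail-relayed verification-code takeover.

Added example, not the messaging service's or the telco's code: the service,
mailbox and attacker are stand-ins that reproduce the sequence described in
the article and make the defences testable.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed placeholder; the real default PIN is not given in the article.
DEFAULT_VOICEMAIL_PIN = "0000"


@dataclass
class Victim:
    number: str                                  # constructed, fictitious number
    voicemail_enabled: bool = True
    voicemail_pin: str = DEFAULT_VOICEMAIL_PIN
    answers_calls: bool = False                  # asleep / phone switched off
    two_step_pin: Optional[str] = None           # messaging-app two-step verification
    mailbox: list = field(default_factory=list)  # stored voicemail messages


class VerificationService:
    """Stand-in for the messaging service's phone-number registration flow."""

    MAX_SMS_ATTEMPTS = 3  # assumed threshold before falling back to a voice call

    def __init__(self, victim: Victim):
        self.victim = victim
        self.code = None
        self.failed = 0
        self.called = False

    def start_registration(self) -> None:
        # The code goes by SMS to the victim's handset; the attacker never sees it.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.failed = 0
        self.called = False

    def _place_voice_call(self) -> None:
        self.called = True
        if self.victim.answers_calls:
            return                                # victim hears the code; nothing stored
        if self.victim.voicemail_enabled:
            self.victim.mailbox.append(f"Your verification code is {self.code}")

    def submit_code(self, code: str, two_step_pin: Optional[str] = None) -> str:
        if code != self.code:
            self.failed += 1
            if self.failed >= self.MAX_SMS_ATTEMPTS and not self.called:
                self._place_voice_call()          # the fallback the attacker is fishing for
            return "wrong code"
        if self.victim.two_step_pin is not None and two_step_pin != self.victim.two_step_pin:
            return "two-step verification required"
        return "registered"


def voicemail_login(victim: Victim, pin: str) -> Optional[list]:
    """Remote mailbox access: only the PIN is checked, not who is calling."""
    if not victim.voicemail_enabled or pin != victim.voicemail_pin:
        return None
    return list(victim.mailbox)


def attack(victim: Victim, pin_guess: str = DEFAULT_VOICEMAIL_PIN) -> str:
    """Run the takeover chain and report where it succeeds or is blocked."""
    svc = VerificationService(victim)
    svc.start_registration()
    for _ in range(svc.MAX_SMS_ATTEMPTS):        # deliberately fail to trigger the call
        svc.submit_code("xxxxxx")
    messages = voicemail_login(victim, pin_guess)
    if messages is None:
        return "blocked: voicemail login failed"
    codes = [m.group(1) for m in (re.search(r"(\d{6})", msg) for msg in messages) if m]
    if not codes:
        return "blocked: no code in voicemail"
    result = svc.submit_code(codes[-1])          # attacker does not know the two-step PIN
    return "takeover" if result == "registered" else f"blocked: {result}"


if __name__ == "__main__":
    for label, v in [
        ("default PIN, no 2SV", Victim("+6591230000")),
        ("changed voicemail PIN", Victim("+6591230000", voicemail_pin="58213")),
        ("two-step verification", Victim("+6591230000", two_step_pin="738192")),
    ]:
        print(f"{label:24} -> {attack(v)}")
```

The point the model makes explicit is that the voice call is treated by the service as delivery to the subscriber, while the mailbox authenticates callers with nothing but a PIN that the attacker can guess when it is still the default. Changing the PIN, answering the call, disabling voicemail, or adding a second secret the attacker cannot retrieve from the mailbox each breaks a different link in the chain.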
