TJ Sayers, NCC recommend Two-Factor Authentication for TikTok, WhatsApp security
Accounts without two-factor authentication could be vulnerable to accidental logins by third parties, and to SIM-swapping attacks, says TJ Sayers, Cyber Threat Intelligence Manager at the Center for Internet Security (CIS).
A TikTok user recounts how, after she entered her phone number, the platform sent her a login code via SMS; she scrolled a couple of videos on the “For You” page and then forgot about the account after not using it for a while.
“A couple of weeks later, when I next logged into my account, my profile name was different, I had posted five cat videos, and I was friends with someone called ‘Cookies Galaxy’.” It appeared she had logged into someone else’s account.
Sayers said: “It’s kind of a circumstantial thing where someone will get a new number and move on from an old phone number, and the cellular provider relocates that number to somebody.”
“I had access to the personal information of the account holder (who appeared to have been inactive since 2020), including a list of comments they had made, every single one of their likes, their direct messages, and their email address.”
“It sounds like what happened to you is maybe the person’s account you got into didn’t have any other additional step for authentication (besides their phone number) when they created their account,” he further explained, “so you were able to use the number and log into the account”.
While my switch happened unintentionally, malicious attempts to take over phone numbers have boomed with the rise in popularity of cryptocurrencies in 2019, according to Sayers. Hackers have increasingly tried to gain access to and lock users out of their phones to take control of important banking accounts, including digital wallets.
“Some people are actively trying to compromise phone numbers and email addresses in order to gain access to accounts for other nefarious purposes,” said Sayers.
There are two ways of taking over someone else’s number, known as “SIM swapping”. Hard swapping means taking control of a person’s physical SIM card, while soft swapping means calling the phone provider and impersonating the owner of the number, using information such as the person’s date of birth or address that is openly available on the Internet.
“People don’t even think that when they post social media stuff, it could be used by an attacker,” said Sayers, adding, “what [scammers] will do is socially engineer that customer service agent into transferring your number to their device”.
Given how easy it is to take over accounts this way, it is worth securing yours. A SIM PIN is enough to defeat hard SIM swapping, but preventing soft swapping takes more effort.
Asking your provider to put an extra step on your account, such as a passphrase or a PIN that must be given before the number can be moved, is one way to do that. To avoid having your social media taken over, you can also use an app’s “registration lock,” which can tie your account to identifiers other than your phone number.
For TikTok, the most straightforward solution is to avoid signing up with your phone number. In addition, you can set up two-factor authentication (2FA), a one-time code generated at login time, on top of your regular password. TikTok is still trialling this, but 2FA is already in use at other social media companies, such as Instagram.
Still, experts recommend refraining from using 2FA with text messages, as inadvertent swapping can still occur. “Once that happens, [scammers] can go and reset all of your accounts, because they’ll get all of your two-factor authentication codes,” said Sayers.
Separately, the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has advised WhatsApp users to enable two-factor authentication to avoid account takeover by hackers.
In an advisory this week, NCC-CSIRT stated that WhatsApp, a service owned by Meta, is gradually turning into a top target for scammers and hackers who are constantly looking for ways to access users’ accounts without their consent.
The CSIRT described two-factor authentication as an identity and access management security method that requires two forms of identification to access resources and data.
According to the advisory, “In the world of messaging Apps, one of the most popular and recognizable is WhatsApp. WhatsApp is 100 per cent free to use, has a great mobile app, and supports audio and video calls. Whether you rely on WhatsApp for all your messaging needs or just use it from time to time, it is recommended to set it up with two-factor authentication. With this enabled, you will need to enter a custom PIN every time you log in to WhatsApp from a new device, adding an extra layer of security to your account.
“Two-factor authentication gives businesses or people the ability to monitor and help safeguard their most vulnerable information and networks. The two-factor authentication is important because it prevents cybercriminals from stealing, destroying, or accessing your internal data records for their use.
“WhatsApp provides two-factor authentication so you can further secure your account using a PIN. It is an optional feature that adds more security to your WhatsApp account, so it is recommended that everyone installs 2FA.”
The CSIRT highlighted ten steps for enabling 2FA on WhatsApp:
1. Open WhatsApp.
2. Tap Settings.
3. Tap Account.
4. Tap Two-Step Verification.
5. Tap Enable.
6. Enter the six-digit PIN you wish to use.
7. Tap Next.
8. Enter the PIN a second time to confirm it.
9. Tap Next.
10. Add an email address (optional, but it gives you an extra way to recover your account if you forget your PIN), then tap Next.
Those concerned that their PIN might have been compromised or is easy to guess can change their WhatsApp PIN or email address by tapping Settings, then Two-Step Verification, then Change PIN or Change Email Address, entering the new PIN or email address, and tapping Next to apply the change.
The CSIRT is the telecom sector’s cyber security incident centre, set up by the NCC to focus on incidents in the telecom sector as they may affect telecom consumers and citizens at large.
The NCC’s advisory may not be unconnected with the audio recording trending online, published by the online newspaper Peoples Gazette on Saturday, in which Labour Party presidential candidate Peter Obi was said to have parleyed with Bishop David Oyedepo and was quoted as describing the 2023 presidential election as a ‘religious war’.
Obi has denied the audio conversation and threatened court action against those behind it.