Date: 2021-07-06

The police warned last month that WhatsApp accounts could be hacked by crooks in a complex method that exploits a loophole involving default PINs for accessing voicemail.

StarHub is the only telco using such PINs for its existing customers, The Straits Times has learnt, although since 2018, voicemail is no longer provided for new mobile customers.

Singtel said it had stopped using such PINs for new customers since 2015 but would not comment on existing customers.

M1 stopped using default voicemail PINs years ago and existing customers were made to change their default PINs. TPG does not have voicemail services.

StarHub's spokesman said a small number of customers had asked for help from the telco after they lost access to their WhatsApp accounts because of the voicemail loophole. The telco referred these customers to steps detailed by WhatsApp's help centre and advised them to reset their voicemail PIN as an extra safeguard. They can change their four-digit default voicemail PIN to their own four- to seven-digit code by calling 1303.

"We are monitoring this development closely and we will, where necessary, take further action," said the StarHub spokesman.

He added that work is being done to eventually end the telco's voicemail service.

The police on June 2 said scammers had found a way to take over people's WhatsApp accounts to pose as a victim's friend and trick him into parting with his money in a gold scam. The accounts were hacked by exploiting a WhatsApp voice verification process and default PINs used to access voicemail (see other report).

The police had issued warnings about this voicemail method in January and March.

ST understands that telcos might use a default PIN for a customer's voicemail account because, in the past, it was the most convenient and flexible way for the customer to access voicemail.

When contacted, WhatsApp would not say if it would stop using voice verification.

But it said it has rolled out awareness campaigns on social media by working with local personalities, as well as the police, to educate people on staying safe when using the messaging service.

To prevent their WhatsApp accounts from being hacked, the police advised people to enable two-step verification under "account" in their WhatsApp settings.

Consumers should also contact their telcos to change their voicemail account's default PIN or to deactivate voicemail.

When asked, Singtel, StarHub and M1 would not say how many voicemail customers they have.

The voicemail exploit could also be abused to take over other types of online accounts.

Mr Feixiang He, cyber-security firm Group-IB's adversary intelligence research lead, said that, for instance, tech giant Google has a "call me" option that allows people to get a one-time code through a phone call, such as for resetting their Gmail account password.

By using the default voicemail PIN method, hackers could steal this code from the victim's voicemail, if the victim has voicemail activated, never answers the phone and earlier told Google to send the code through a phone call.