Isn't this flow more or less what you would expect? Could someone suggest what would be the appropriate alternative here?
- The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.
- Persons who lost their phones probably don't have a good fast way of proving their identity, as their identity is tied to their phone number in WhatsApp's model.
- Needing to quickly lock out spammers, thieves or hackers is probably far more frequent than abuse of this feature.
- If abuse of this feature becomes a recurring problem, I'd expect WhatsApp to react and adjust the flow to place more burden on its user.
The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious. Backups are automated and separate. You can still easily re-create an account with the same number then.
The story might be "Apps should stop using SMS and phone numbers as the source of identity", and while I generally agree, most comments don't seem to be about this and WhatsApp is maybe _the_ one app whose success was based on this very idea.
As YetAnotherNick said, logout might be the better word to describe the impact here (plus, a fairly aggressive inactivity deletion period).
I agree with you in principle, but I still don’t understand how else to mitigate this: WhatsApp must get a lot of cases of stolen unprotected phones. The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.
With the continuous improvements in mobile OS security defaults, I’d expect this scenario to become less and less of a problem, but it must still be accounted for.
The process still goes through support ticketing, so I’d expect a spike to be noticed and stopped.
> Imagine an automated form of this where you can just mass deactivate antagonistic accounts
I wish I had this power for other social media sites, such as Twitter and Nextdoor. I'd just mass-deactivate ALL accounts. The world would be better off.
> The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious.
I've had plenty of times where I'm offline for a few weeks. Would cut it very close to having my entire account deleted.
This is trivial to mitigate with per-account rate limiting.
On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.
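One way to implement the per-account rate limit and the support flag proposed above, as an added example that is not code from the thread or from WhatsApp: automated deactivation requests for a phone number are counted in a sliding window, an account that hits the limit is flagged for support, and support can freeze the automated path so further requests go to manual review. The window, limit, phone number and function names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values: at most two automated deactivations per number per day.
WINDOW_SECONDS = 24 * 3600
MAX_PER_WINDOW = 2


@dataclass
class DeactivationGate:
    """Gate in front of the automated 'deactivate this number' flow (hypothetical)."""
    window: int = WINDOW_SECONDS
    limit: int = MAX_PER_WINDOW
    _history: dict = field(default_factory=lambda: defaultdict(deque))  # phone -> request times
    _frozen: set = field(default_factory=set)    # numbers where support disabled automation
    _flagged: set = field(default_factory=set)   # numbers that hit the limit, for support to review

    def request(self, phone: str, now: float) -> str:
        """Handle one deactivation request; returns 'deactivated', 'rate_limited' or 'manual_review'."""
        if phone in self._frozen:
            return "manual_review"          # automation switched off for this number
        times = self._history[phone]
        while times and now - times[0] >= self.window:
            times.popleft()                 # drop requests that fell out of the window
        if len(times) >= self.limit:
            self._flagged.add(phone)        # repeated targeting: surface to support
            return "rate_limited"
        times.append(now)
        return "deactivated"

    def flagged_accounts(self) -> set:
        return set(self._flagged)

    def freeze(self, phone: str) -> None:
        self._frozen.add(phone)

    def unfreeze(self, phone: str) -> None:
        self._frozen.discard(phone)


def simulate_hourly_attack(hours: int = 24):
    """Constructed scenario: one number is targeted every hour for a day."""
    gate = DeactivationGate()
    victim = "+15550000000"                 # constructed sample number, not a real one
    outcomes = [gate.request(victim, now=h * 3600.0) for h in range(hours)]
    return gate, victim, outcomes


if __name__ == "__main__":
    gate, victim, outcomes = simulate_hourly_attack()
    print(outcomes.count("deactivated"), "deactivations allowed,",
          outcomes.count("rate_limited"), "blocked; flagged:", gate.flagged_accounts())
    gate.freeze(victim)                     # support acts on the flag
    print("after freeze:", gate.request(victim, now=25 * 3600.0))
```

With the assumed limit the attacker's first two requests succeed and the remaining 22 that day are blocked, and after support freezes the number every further request lands in manual review instead of deactivating the account.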
With your suggested approach, the attacker is free to use the account to impersonate the victim until they get a new SIM card, which could easily take days or weeks.
This seems like a degradation compared to the current abuse potential which is mostly limited to logging you out.
I can't tell if you're being serious or sarcastic. It genuinely looks like the former but I have to assume it's sarcasm because I can't believe anyone would seriously post this..?
Years ago I bought my dad an Audible subscription, but because it was a gift I signed up with my email address and then changed it to my dad's address on his birthday. Somehow I ended up inside his Amazon account because I used his email address. I guess some of the backend logic is hard to get right the first time.
Another time I was talking to a credit union CTO who was dealing with someone blocking other people's account access by picking a random account number and making 3 bogus guesses to lock them out. At the time the credit union had a policy that required calling them to unblock... which was a PITA on weekends when people need money.
Speaking of Amazon's account process, I have a really annoying problem with theirs. Apparently I somehow managed to create two amazon accounts with the same email address, but different passwords. They have different order histories and addresses and everything, but the account name is identical. It sometimes makes it confusing to tell why an order I placed hasn't shown up.
Interestingly, I can't change the password on one account to the password of the other account. The attempt fails. Which is... somewhat concerning.
This was considered a feature back in the day; it was called MASE - Multiple Account, Same Email. I'm pretty sure you can just change the email on one of them to get out of that state.
You are not alone!!! I am in the exact same situation. I've told this to so many people and no one believes. I'm stunned I stumbled on this. Small world
I had a similar issue when I created two accounts on different regions using the same email address, then Amazon started operating in my country and they started redirecting one of the accounts to my country, leaving me with a mess of two accounts that would randomly connect to three different regions.
It was really annoying as I would login on my browser to one account normally, but when I ordered an Amazon stick, it came with a different account from a different region preinstalled and would complain I hadn't signed up for Prime.
I ultimately fixed the issues by manually changing the email on each account to a different address, but it was very confusing until I figured out what was happening.
Oh well, not Amazon but I got stuck in the ecommerce of a large shop chain. I can't register because they tell me I already have an account. So I use that email to recover the password but I can't because the account must be activated. So I ask for an activation link but I can't because that account doesn't exist. I guess they have different databases or microservices taking care of different steps of the registration process and something crashed at the wrong time and my overall record is inconsistent. I gave up a couple of years ago. I buy from them when I go to one of their physical shops.
Holy crap, I did this by accident when I tried signing up for an Alexa skill in the Alexa app and accidentally created a new account with the same Amazon.com email address, then got flagged for suspicious activity cause I was on a VPN and got blacklisted. It took so many calls for customer support to acknowledge there was even an issue, and they still told me to just use a different email in the end. I was pissed and just made a new Amazon account with the original email address but simply added a period in the middle, and still use it while locked out of the other original account. It’s bonkers lol
I have no idea if this would work and don't want to risk messing it up for myself, but have you tried changing (one of) the account emails?
On the website go to the Your Account page ("Account & Lists" dropdown -> "Your Account" section -> "Account" link, which goes to https://www.amazon.com/gp/css/homepage.html ) and click "Login & security" to get to it. Same place you'd update your password/etc.
I've done this, but I was pretty sure I managed to have both accounts with the same password at that point in time. On the plus side, you can change email addresses, so now I have amazon@ and amazon2@ and all is sensible again.
Someone with my name bought a new iPhone in Bismarck, ND last week. They gave AT&T my iCloud email address which is firstname.lastname. An honest mistake, I guess.
AT&T dutifully asked 'me' to confirm my email address. I did not.
Aaaand... now I still get all of his account email. So what's the point.
I've been struggling with this for years - but with a fun twist. My gmail address is first.last, and someone in the UK keeps using it - but they do not have remotely the same first name, and they don't spell their last name the same as I do (the single-L in my username here is a less common deviation, their surname is the more common variant).
Years. I've closed netflix accounts, I've sent them sms from their telco's webtext portal asking them to stop, and still there's a koneill out there who is very, very confused about why his email doesn't work. I know where he lives, I know what pizza he ordered, I know his name, his phone number, I just don't know his email address. And apparently, neither does he.
The number of services that fail at email validation (or keep sending you reminders, forever, that you haven't validated), blows my mind. For such a simple process, that seems to exist on every single service I (and koneill) sign up for, it has a surprisingly low rate of successful implementations.
My gmail address is lastname@gmail.com. Not a particularly common last name, and I thought it lucky when I got that address early on. I've since come to view it as mostly a curse.
I get email invoice every time Orkin goes out to spray a house in North Carolina. No option to say "this isn't me", and I've given up calling to tell them after multiple cycles.
The elderly German couple that would email their train itinerary so that their cousin could pick them up at the station. I would politely reply that I am not their cousin, and consequently their cousin would not be at the station. And six months later we start again.
Someone in Canada with first initial + last name that results in my last name kept getting wired money, and I would get an email with instructions. Of course no "not me" option. I haven't seen one of those in a while, hopefully he figured it out.
And so many more stories of people with my last name or close to it happily sending me their email... But I've had the address for practically forever, and really don't want to let it go.
Given there's a couple peeps who can't figure out their email address, I do my best to click on 'not me' or just ignore the confirmations intended for other people. But if I get mail for others that should have been confirmed, I mark it spam, because it is. Sometimes that includes an unsubscribe, which sometimes works.
Hey just fyi: they’re not doing it for the purpose of locking people out. They’re doing a distributed account break-in. Doesn’t matter to the thief whose money they steal, so just try “password” on everyone’s account until you get in.
Years ago I started a Netflix trial account while with the family at my mom's place. I intended it to be for her, and called it 'grandma <her name>'. I ended up paying for it (she never has, directly). But apart from when we're around she barely used it and got back to linear TV (though via internet). Meanwhile, my wife and kids love it and it is among our streaming portfolio (for lack of a better term). So basically it is a Netflix account on someone else's name, though a family member. She kept getting these emails that someone logged in to her account, and every time I answered to her 'yeah that was one of us'. Eventually I changed the email address of the account to my own, and now I keep getting called 'grandma <her name>'. And you know when she watches Netflix? When we're around (well, my kids do then). Now the other day my wife got some kind of confirmation error that this was our account, and ever since the writing's been on the wall that we'll get into trouble on this. Btw, we can only pay for it via gift cards or manual bank transfer. The automated system does not work, and every time it gets our card denied. Honestly, it is an abysmal customer service (my wife tried to sort it out on various occasions w/them; still broken).
Netflix added a way to export your profile's watch history etc to a separate account...
(this is the only reason I could think of why you wouldn't just make a new Netflix acct. lol)
I kind of enjoy these stories since I'm in the inverse situation. I have a firstlast@gmail.com address with my real name, which is pretty unique. I feel a bit annoyed and paranoid sometimes that, since my name is unusual, a Google search will bring up a ton of personal information that I'd really rather be a bit harder to find. But at least I don't get a ton of emails meant for random strangers who put the wrong email somewhere!
I know periods don't count, supposedly, but I still get emails for someone with the same name as mine. My email is first.last, theirs is firstlast. I wonder how much of my stuff they get erroneously?
You are correct that the period doesn’t count. Both email addresses belong to the same account. A possible explanation is that they have entered your email as a mistake.
Instacart has some sort of similar issue: signed up under my email, changed the email address to my wife's, support requests get sent to both of our addresses.
Too bad it didn't work for the entire meta user base. We could free the world. It would be like independence day when they uploaded the virus to kill the mothership.
I get why one would feel this way if this was one of Meta’s social media apps, but WhatsApp is one of the biggest messaging apps used in so many countries and perhaps also helped kill the telecom companies' paid SMS plans, forcing cheaper SMS messaging rates. If anything, WhatsApp is perhaps the best value Meta has provided to the world, bringing the world closer.
Yes but the original founders did that. Zuckerberg took it from them and immediately lied about data sharing, there's a reason why the founders left in disgust
Another very annoying one is when doing "forgot password" changes the password and emails you a copy, so some funny guy can just keep doing "forgot password" and it force-changes your password.
This happens on non-government systems too. The only system I've experienced this has been a financial institution's system. Frustrating as it meant I had to make the trip into one of their branches to get it reset.
Apple, e.g. Even when 2FA is activated and no successful login happened, they will deactivate my account and force me to change my password :/. I had to change the email that I use to log in to Apple.
There's this insurance aggregator website in my country, where if you ever enter your phone number into their website, without any verification of that number, you get put on some list that elicits 5 calls a day from them trying to sell you insurance. It's crazy.
Several friends of mine had their WhatsApp completely hacked. Basically, hacker would spam recovery, which results in a phone call to the victim. If the victim doesn’t pick up the phone, the recovery code goes to voicemail. Hacker accesses voice mail (password protected yes, but for lots of people it’s a birth year, 1234, 0000, or last 4 digits of their phone), and voila they have access to your WhatsApp. They can’t see your messages but can see all the groups you’re in and message those.
Completely preventable by having WhatsApp 2FA enabled.
Had this done to me BUT luckily WhatsApp has a “pin” feature, which prevented hackers getting any further. Not as secure maybe as a 2-factor but saved my day. Highly recommend.
I wonder if it would be possible for someone who is really good at getting media stories placed - buy a bunch of put options and sell just after the story breaks - could this be a profitable tradable event?
Meta is such a big company I'd be surprised if the cost of the options premiums were less than the value that could be harvested... but maybe..?
Imagine an automated form of this where you can just mass deactivate antagonistic accounts
Then imagine it. What would be the ramifications?
When traveling and using another SIM, it's not always that easy.
I'd like a period where I'm offline for months.
Unless I spin up simple automation to deactivate your account every hour.
1. Identify yourself to your carrier, get a new SIM and deactivate the old one.
2. Put the SIM in another phone and take back your WhatsApp account.
Isn't this the standard recovery method for apps that rely on your phone number?
Getting a new SIM takes longer than sending an email, but at least you don't have this easy abuse potential.
Give us your number, we’ll all take turns deactivating it every day. Then see how fun it is
Theirs is probably 'firstlaast' or something - i.e. some typo unrelated to their decision not to separate by '.'.
https://www.flyertalk.com/forum/travel-technology/952359-tho...
An appalling requirement
I would wish it on my worst enemies. And I can...
is it illegal? also