As soon as I arrived in Lima last week, I did what countless travelers do every day: go to the cellphone store to get a SIM card with a local number. But this typically mundane ritual, no more exciting than exchanging your dollars for euros, soon turned unexpected—I hacked a criminal network.
When I was planning my trip, narcotics were the last things on my mind. In the sanguine days before Omicron, Peru felt like a dream, a dose of warmth and sunshine before heading home to the bleak New York winter. But minutes after I left the Movistar store, phone number in hand, I found my new holiday pastime: telling people they had the wrong number. I assumed that it’d be a minor annoyance, a few text messages before people passed the word around. But things got much stranger when I installed WhatsApp.
The problems started with a jarring home screen. Instead of the fresh slate of a new account, I was met with a list of dozens of groups that I apparently was already a member of. Even with my embarrassingly poor Spanish, terms like “Dark Web” stood out, and the sexually suggestive emojis required no translation. Then I started getting messages. And while most of you will never find yourself embroiled in a Peruvian crime ring, your digital life faces the exact same vulnerabilities.
WhatsApp is encrypted, so people felt secure to speak candidly. And they began to speak a lot about drugs, sex work, and other terms I didn’t want to translate. People told me about upcoming deliveries, mentioning places I had never heard of. I was in heaven, sitting beside a rooftop pool overlooking the beaches and cliffs of Miraflores, and having a panic attack.
I started playing out scenes from cheesy mob movies, the naive bystander who’s killed because he saw too much. So I deleted everything. Every message, every group. I even went through mental exercises to blur my own memories, forcing myself to forget. But people continued to reach out. And when I continued to explain they had the wrong person, they were insistent: “Delete the number!”
And that’s how I ended up giving cybersecurity advice to a crime ring. I promised to delete the account, to switch the number, but then I explained how they were already compromised. Like so many WhatsApp accounts, my predecessor’s didn’t have a PIN, the opt-in security feature that can block exactly what I did by accident, taking over another person’s account, and in effect another person’s world. I could get a new number, but without a PIN, whoever next got the number Movistar had loaned me would end up facing the exact same horrors.
As in nearly every country in South America, WhatsApp is Peru’s most popular communications platform. In some countries, the Facebook-owned app is so ubiquitous that it has effectively replaced texting, allowing users to circumvent phone company charges and reliably connect in areas with poor cell coverage. Another draw, of course, is security. But while encryption is indispensable, it’s not enough. End-to-end-encryption means Facebook and anyone who intercepts your messages can’t read the content of what you wrote. But they can know everything else. With WhatsApp, they know who your contacts are, what groups you belong to, and when and to whom you’re sending messages.
While WhatsApp has supported two-factor authentication since 2017, it has never been a default requirement. And no one knows exactly how many of WhatsApp’s 2 billion accounts are unsecured. WhatsApp should make PINs mandatory, or at least the default. But it’s far from alone. Not only do encrypted messenger platforms like Signal have similar vulnerabilities, but many others do too. Even after I deleted WhatApp, I continued to receive a flurry of texts from banks and payment apps, all looking to confirm someone else’s identity.
This is the pattern of modern cybersecurity. At a moment when we know just how easy it is to hack email accounts, when passwords and ID numbers are compromised every day, our cellphones have become our ultimate source of digital identity. But they’re very, very vulnerable. With a couple of missed payments or someone spoofing your identity, your digital life—which is to say, much of your life—could end up in the hands of the next person to pick up that phone number, and they may not be as eager to delete what they find.
Using compromised WhatsApp accounts, fraudsters have tricked targets into forking over huge sums of money by impersonating friends and loved ones. One bank, Santander, reported a 532 percent increase in WhatsApp fraud cases connected to the messaging platform. And people’s willingness to send sensitive data over WhatsApp leaves the platform ripe for abuse as a blackmail platform. It made global headlines when Jeff Bezos found himself targeted by a plot to extort him for his steamy texts and photos, but you don’t need to be a billionaire to become a target.
The threat goes beyond hackers and accidental onlookers. WhatsApp, Apple, and other encrypted platforms are increasingly handing your chat history over to law enforcement. With a simple subpoena (which is much easier for police to get than a warrant), they can get much of your account information. With a full warrant, the platforms can provide records on every aspect of your digital network (apart from the message itself). They can record who we communicate with, how often, the groups we're part of, and the identity of every member, along with your full contacts list. Even worse, WhatsApp can do this in nearly real time, transforming a “privacy-protective platform” into a government tracking tool.
For developers, the takeaway is clear: Never rely on a phone number alone. For users, the lesson is evergreen, regardless of the technology: You never truly know who will read what you write, even if it’s only a bumbling tourist.
I Accidentally Hacked a Peruvian Crime Ring
(May require free registration to view)
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.