SINGAPORE – StarHub is the only telco here still offering default voicemail PINs that are vulnerable to hackers.

The police had warned last month that WhatsApp accounts could be hacked by crooks using a complex method that exploits default PINs for accessing voicemail.

StarHub is now the only telco using such PINs for new and existing customers, The Straits Times has learnt.

Singtel said it has not been using default PINs for new customers since 2015 but would not comment on existing customers.

M1 stopped using such voicemail PINs years ago and existing customers were made to change their default PINs. TPG does not have voicemail services.

StarHub’s spokesman said “a small number” of customers had asked for help after they lost access to their WhatsApp accounts because of the voicemail loophole.

The telco referred these customers to steps detailed by WhatsApp’s help centre and advised them to reset their voicemail PIN as an extra safeguard. They can change their four-digit default voicemail PIN to their own four- to seven-digit code by calling 1303.

“We are monitoring this development closely and we will, where necessary, take further action to protect our customers’ interests,” said the StarHub spokesman.

The police said on June 2 that scammers had found a way to take over people’s WhatsApp accounts to pose as a friend and trick them into parting with money in a gold scam.

The accounts were hacked by exploiting a WhatsApp voice verification process and default PINs used to access voicemail.

The police had earlier issued warnings about this voicemail method in January and March.

When contacted, WhatsApp would not say if it would stop using voice verification.

But it said it had rolled out awareness campaigns on social media by working with local personalities, as well as the police, to educate people on staying safe when using the messaging service.

To prevent their WhatsApp accounts from being hacked, the police advised people to enable two-step verification under “account” in their WhatsApp settings.

Consumers should also contact their telcos to change their voicemail account’s default PIN or to deactivate voicemail.

When asked, Singtel, StarHub and M1 would not say how many voicemail customers they have.

But StarHub said most new and existing mobile subscribers do not activate voicemail, so feedback and requests on the service “remain low”. It advises customers to activate voicemail only if needed.

TPG said voicemail is “a function that is no longer used by many users, especially when they can now just simply leave a message via various messaging platforms”.

So, the telco decided not to include voicemail when it started offering mobile services. It began commercial services here last year.

The voicemail loophole can be abused to also take over other types of online accounts.

Mr Feixiang He from cyber-security firm Group-IB said that, for instance, tech giant Google has a “call me” option that allows people to get a one-time code through a phone call such as for resetting their Gmail account password.

By using the default voicemail PIN method, hackers could steal this code from the victim’s voicemail, if the victim has told Google to send the code through a phone call, has voicemail activated, and does not answer the phone.

Mr He, Group-IB’s adversary intelligence research lead, said hackers who access a victim’s voicemail can also customise the voicemail greeting to pose as the victim to trick others into thinking they are speaking to the victim.

For example, the hackers may record a greeting message as: “Yes, yes, I made the transactions. Thank you”. The hackers may then use the victim’s credit card, stolen earlier, for transactions likely to raise suspicions.

But when bank staff call the victim’s phone for verification, and the voicemail greeting kicks in with the hacker’s message, the bank may be tricked into thinking the suspicious payments were made by the victim.

Mr He said the voicemail hacking method has been around for a while. In 2018, it was demonstrated how WhatsApp and payment service PayPal accounts could be hacked through a similar voicemail tactic.

“Since then, service providers have been gradually moving to alternatives,” he added, such as digital tokens or authentication apps, which do not require using voice calls or SMS to deliver PINs for multi-factor authentication.

How the voicemail hacking method works

The scammer tries to log into a victim’s WhatsApp account and deliberately fails the verification process by keying in the wrong codes repeatedly.

When the verification fails too many times, WhatsApp calls the victim’s phone number to provide a verification code in an audio message.

If the phone is not switched on, or if the victims does not answer, such as when asleep, the audio message is directed to the victim’s voicemail.

The scammer then accesses the victim’s voicemail remotely by using the default PIN and steals the code to take over the victim’s WhatsApp account.

This works only if the victim has enabled voicemail, has not changed the default voicemail PIN even after the telco has stopped using such codes, and did not set up two-step verification in WhatsApp. A possible variant exploits easy-to-guess PINs.