WhatsApp is the ubiquitous communication tool used for everything from family check-ins and party planning to unsanctioned work communications and even the occasional cat meme. The app makes staying in touch incredibly easy. So easy, in fact, that WhatsApp is often used, whether purposefully or not, as a tool for corporate messaging and calling. For any business that has sensitive data to protect or keep private, there are many reasons why using WhatsApp for enterprise communication is a terrible idea. Today, we’ll cover a striking reason: WhatsApp’s reliance on phone numbers for identity dramatically increases security risks.
📱 Corporate Phone Plans and the Rise of Digital Applications
Corporate mobile phone plans started in the 1990s and in many countries are still quite common, wherein a company sets up a multi-line plan with a mobile provider and provides cell phones to customer-facing and management-level personnel.
Organizations provide company phones to employees to achieve a variety of benefits:
- Cost savings from volume discounts and lower expense-administration costs
- Improved productivity
- Auditability and security policy enforcement
Corporate mobile plans are commercially structured based on the number of lines, which corresponds to a list of assigned phone numbers.
The problem is that mobile phones aren’t just phones anymore; they’re pocket supercomputers that are always connected and support a wide variety of digital applications. In many companies, WhatsApp is used as a semi-official means of communication, akin to a public phone number. However, since the app supports messaging and limited file sharing, it can be used as a means of communicating sensitive or private information.
Understanding WhatsApp’s Linkage to Phone Numbers
WhatsApp as a business was invented to hack the mobile phone operator commercial monopoly, and it has been wildly successful, so much so that in many parts of the world, SMS has essentially died and been replaced by WhatsApp messaging. Every year, there are hundreds of millions of app downloads for WhatsApp.
As a result, WhatsApp registration and identity are deeply tied to mobile phone numbers. This feature isn’t exclusive to WhatsApp; the same can be said of Telegram and Signal. While that may be a great feature for consumer users, it’s a real problem for organizations that use corporate mobile plans and repeatedly assign phones with the same numbers to successive users.
WhatsApp Use Creates Security Risks
WhatsApp is a consumer app and is not typically sanctioned or officially managed within the organization, so the crossover of personal and professional use is inevitable. As a result, the vast majority of employees mix personal, corporate, and sometimes private business uses. This broad usage exposes the user to uncontrolled contacts. Remember that the scope of contacts for an individual may be quite large, easily in the hundreds. But beyond that are the massive numbers of contacts available in the WhatsApp ecosystem. The confusion from multiple generations of contacts attached to a single phone number identity poses real risks of inadvertent data leakage, privacy violations, and susceptibility to malicious messages.
Confusion in Transition
When an employee receives a previously used phone number and uses WhatsApp, the potential for confusion is high. This in turn can set the stage for user error that exposes data inappropriately to outside parties. Confusion can arise from a profusion of communications related to a former employee, such as:
- Family members, friends, personal vendors, suppliers, and business contacts
- Business contacts confused about who they are corresponding with
- Digital service messages (Amazon, UberEats, etc.)
- Two-Factor Authentication (2FA) messages for a previous user’s personal accounts
Security Risks
With so much confusion and chaos occurring in an inherited WhatsApp account, the new user might fall victim to inadvertent or malicious security or data privacy issues, such as:
- Leakage of sensitive or private corporate information to an unintended recipient
- Leakage of private information to the new owner of the corporate phone from a personal contact of a previous owner
- Leakage of corporate data into an unauthorized group chat
- Malicious contacts impersonating personal contacts, business contacts, or others
It’s Time to Get Serious about Secure Communication
Relying on consumer apps, even so-called “secure messaging apps,” that have such a fundamental security failing is a seriously bad idea for organizations that value their data and financial well-being. That’s why it’s best to adopt a secure collaboration suite that implements zero trust and zero knowledge principles. If you’re ready to upgrade from fast and loose to secure and delightful communications, learn more about Wire or try it for free.