by bubbleRefuge 1161 days ago
I think in certain countries there are easier ways to clone numbers and also to generate links to switch a WhatsApp account to another phone. Attackers will then hijack the account and send out SOS status updates and messages to contacts asking for money. Public key verification can help the two parties authenticate manually, so to speak.
2 comments

When I left Canada after my PhD, I stopped paying for my pre-paid phone plan for my Canadian number. A couple of months later, someone tried to scam my cousin in Pakistan using WhatsApp. The scammer

1. Acquired my Canadian number.

2. Identified it as "my" account, and downloaded a picture from my social media to use as a WhatsApp display picture.

3. Somehow, identified my cousin as a potential target. Not sure how they did it.

4. Located roughly where my cousin lived. Perhaps via social media check-ins or some other way.

5. Asked my cousin to meet in a park not too far from his house, because I was in trouble and needed money.

Thankfully, my cousin did not fall for the scam and contacted me via other means to verify.

In the scenario you're describing, what would let WhatsApp know it actually shouldn't register that new device in the public key repository?

Either WhatsApp knows the phone is hijacking the account to a new number / device, in which case it should simply disable it, or it doesn't, and then it will treat it exactly like a normal one.

Well, the public key would refresh and the other side could see that. I think WhatsApp already sends public key refreshes anyway.
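The mechanism the last two replies argue about, as an added example that is not code from any of the commenters or from WhatsApp: a trust-on-first-use (TOFU) contact store that pins the identity key a phone number first presents, reports a KEY_CHANGED event when the same number later shows up with a different key (a new device, legitimate or hijacked), and lets the recipient confirm the current key by comparing a fingerprint read out over a call or in person. The 32-byte random keys, the `fingerprint` format, the `ContactStore` class and the phone number are all placeholders constructed for this illustration; no real signature scheme or WhatsApp protocol detail is used.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed example: a trust-on-first-use identity-key store of the kind a
# messenger keeps per contact, plus the fingerprint two people compare out of
# band. Keys are random 32-byte placeholders standing in for real identity
# public keys; no real key exchange or signature scheme is involved.

KEY_LEN = 32


def new_identity_key() -> bytes:
    """Placeholder for a device's long-term identity public key."""
    return secrets.token_bytes(KEY_LEN)


def fingerprint(own_key: bytes, peer_key: bytes) -> str:
    """Symmetric fingerprint over both identity keys, so either side derives
    the same string. Rendered as twelve groups of five digits so it can be
    read aloud over a phone call (assumed format, not any vendor's)."""
    a, b = sorted((own_key, peer_key))
    digest = hashlib.sha256(b"fingerprint-v1" + a + b).digest()
    digits = "".join(f"{x:03d}" for x in digest[:20])  # 60 digits
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


@dataclass
class ContactStore:
    own_key: bytes
    pinned: dict = field(default_factory=dict)   # number -> pinned identity key
    verified: set = field(default_factory=set)   # numbers verified out of band

    def receive(self, number: str, sender_key: bytes) -> str:
        """Called with the identity key an incoming message presents.
        Returns NEW (first contact), OK (matches the pinned key) or
        KEY_CHANGED (the number now presents a different key)."""
        known = self.pinned.get(number)
        if known is None:
            self.pinned[number] = sender_key
            return "NEW"
        if known == sender_key:
            return "OK"
        # The number re-registered on another device, or was hijacked. TOFU
        # pins the new key (messaging continues), but any earlier out-of-band
        # verification applied to the old key only, so it is revoked.
        self.pinned[number] = sender_key
        self.verified.discard(number)
        return "KEY_CHANGED"

    def verify_out_of_band(self, number: str, spoken: str) -> bool:
        """Compare a fingerprint read out over a call or in person with the
        one derived from the key currently pinned for this number."""
        expected = fingerprint(self.own_key, self.pinned[number])
        ok = secrets.compare_digest(expected, spoken)
        if ok:
            self.verified.add(number)
        return ok


def scenario() -> dict:
    """Replays the situation from the thread: a number is abandoned,
    re-registered by a stranger, and the stranger messages a contact."""
    cousin = ContactStore(own_key=new_identity_key())
    original_device = new_identity_key()
    scammer_device = new_identity_key()
    number = "+1-555-0100"  # constructed placeholder number

    first = cousin.receive(number, original_device)  # "NEW"
    # Owner and cousin compared fingerprints while both were reachable.
    recorded = fingerprint(original_device, cousin.own_key)
    cousin.verify_out_of_band(number, recorded)

    # Months later the same number arrives with a different identity key.
    later = cousin.receive(number, scammer_device)   # "KEY_CHANGED"
    # Cousin phones the real owner, who reads out the fingerprint recorded
    # earlier; it no longer matches the key the number now presents.
    check = cousin.verify_out_of_band(number, recorded)
    return {
        "first": first,
        "later": later,
        "verified_after_change": check,
        "still_trusted": number in cousin.verified,
    }


if __name__ == "__main__":
    print(scenario())
```

The design point: the key change is visible to the contact without the service having to decide whether the re-registration is legitimate, which is the question raised in the thread. TOFU alone pins whatever key shows up next, so the KEY_CHANGED event is only useful if the recipient actually performs the out-of-band comparison before trusting the new key.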