[yokto]

Isn't this flow what more ore less what you would expect? Could someone suggest what would be the appropriate alternative here?

- The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

- Persons who lost their phones probably don't have a good fast way of proving their identity, as their identity is tied to their phone number in WhatsApp's model.

- Needing to quickly lock out spammers, thiefs or hackers is probably far more frequent than abuse of this feature.

- If abuse of this feature becomes a recurring problem, I'd expect WhatsApp to react and adjust the flow to place more burden on its user.

The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious. Backups are automated and separate. You can still easily re-create an account with the same number then.

The story might be "Apps should stop using SMS and phones numbers as the source of identity", and while I generally agree, most comments don't seem to be about this and WhatsApp is maybe _the_ one app whose success was based on this very idea.

[hackernewds]

What! This is terrible. No other unrelated entity should be able to impact another account they don't own, no less deactivate it!

Imagine an automated form of this where you can just mass deactivate antagonistic accounts

[yokto]

As YetAnotherNick said, logout might be the better word to describe the impact here (plus, a fairly aggressive inactivity deletion period).

I agree with you in principle, but I still don’t understand how else to mitigate this: WhatsApp must get a lot of cases of stolen unprotected phones. The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.

With the continuous improvements in mobile OS security defaults, I’d expect this scenario to become less and less of a problem, but it must still be accounted for.

The process still goes through support ticketing, so I’d expect a spike to be noticed and stopped.

[lxgr]

> The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.

Can't the legitimate owner recover the account once they get a replacement SIM?

[yokto]

Whoops, my comment isn't very clear, sorry. I meant: "but their account would still be active and in the hands of the thief, if there is no way to quickly deactivate it, e.g. before receiving a new SIM card from their operator that would enable you to prove your identity to WhatsApp."

[sb8244]

How long would this be open vs shutting it down using the email method?

[lxgr]

Do you mean how long is account recovery by the SIM/number owner possible, or how long can the phone thief continue using the WhatsApp account if the owner doesn't recover?

[sb8244]

Maybe I misunderstood the comment you and parent comment were making. I interpreted it as "they can recover it via SIM, so the lockout method isn't needed".

My point to that is that it is true, but the lockout would prevent a thief from using it until the new SIM is received. Versus a thief having access until the new SIM is received.

I use telegram instead of Whatsapp, but I would hate for anyone to have any time at all on my account. I'd prefer to immediately lock the whole thing down and figure it out once I have everything sorted.

[YetAnotherNick]

Logout is the better word than deactivation in this scenario.

[guiambros]

Since when logout comes with a "we'll delete your account if you don't log back in in 30 days"?

This is just an atrocious flow. A better approach would be a "temporary emergency block", and then give the user a week to sort it out, otherwise the account is automatically reinstated.

[ruszki]

While 30 days sounds extreme, I’ve got plenty of warnings in the past 25 years from sites which wanted, and did delete my account because I didn’t visit their site in a specified timeframe, like half a year, or a year.

[pmontra]

I got one from Discord a few days ago. I didn't check if it was real or phishing, and I didn't check my password manager. I can't remember why I would have created a discord account so I'll let it go. Maybe I was self squatting.

[rcheu]

The 30 days thing is likely from GDPR requirements. You cannot keep user data longer than that after they request deletion.

[midoridensha]

>Imagine an automated form of this where you can just mass deactivate antagonistic accounts

I wish I had this power for other social media sites, such as Twitter and Nextdoor. I'd just mass-deactivate ALL accounts. The world would be better off.

[post-it]

> Imagine an automated form of this where you can just mass deactivate antagonistic accounts

Then imagine it. What would be the ramifications?

[grepfru_it]

Brb automating a denial of service attack

[hot_gril]

I imagine WhatsApp would limit this capability or otherwise fix the issue if someone started abusing it.

[dylan604]

how many accounts would need to be affected to be considered abused?

[hot_gril]

Probably more than 1 and less than 1000.

[lxgr]

> The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

When traveling and using another SIM, it's not always that easy.

[tjbiddle]

> The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious.

I've had plenty of times where I'm offline for a few weeks. Would cut it very close to having my entire account deleted.

I'd like a period where I'm offline for months.

[asd88]

> The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

Unless I spin up simple automation to deactivate your account every hour.

[yokto]

This is trivial to mitigate with per-account rate limiting.

On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.

[dotancohen]

And once that happens, I then steal the target's phone.

If we're talking about deactivating someone's account via email, we are already talking about a targeted attack.

[yokto]

I'm not sure how relevant that threat model is (OS level security would probably be enabled for people susceptible to be targeted in such a way. Support could advise to do it before toggling the flag, etc.), but anyway the hypothetical flag would only be about making sure the automation doesn't happen and the ticket goes to support. Support can then manually handle the rare edge case and place more burden on the person attempting to deactivate the account.

[whyoh]

>Could someone suggest what would be the appropriate alternative here?

1. Identify to your carrier and get a new SIM, deactivate the old one. 2. Put the SIM in another phone and take back your WhatsApp account.

Isn't this the standard recovery method for apps that rely on your phone number?

Getting a new SIM takes longer than sending an email, but at least you don't have this easy abuse potential.

[yokto]

What is the abuse your referring to?

With your suggested approach, the attacker is free to use the account to impersonate the victim until they get a new SIM card, which could easily take days or weeks.

This seems like a degredation compared to the current abuse potential which is mostly limited to logging you out.

[whyoh]

>This seems like a degredation compared to the current abuse potential which is mostly limited to logging you out.

I think it depends on who you ask. IIRC there was a stat that showed a substantial % of people only use WhatsApp rarely and they might not notice the deactivation and/or miss the 30 days deadline, getting their accounts deleted.

[EGreg]

Expected, eh?

Give us your number, we’ll all take turns deactivating it every day. Then see how fun it is

[mvdtnz]

I can't tell if you're being serious or sarcastic. It genuinely looks like the former but I have to assume it's sarcasm because I can't believe anyone would seriously post this..?

[gchamonlive]

This combined with using a secondary SMS for daily use means a quick and easy way to protect your account. I also agree this is a win.

[ric2b]

But if someone has your phone or number they can just re-activate it immediately...