WhatsApp Usernames Are Already Raising Impersonation Red Flags (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: WhatsApp this week started rolling out username reservations ahead of the broader launch planned later this year. The feature -- which lets people find and message each other by handle instead of phone number -- is already raising impersonation concerns, drawing scrutiny from security experts and regulators in India, the app's largest market, with more than 500 million users. The rollout marks a shift in how people identify one another on WhatsApp. Instead of relying on phone numbers as the primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy but that critics argue could create new opportunities for impersonation.
[...] Asked about how it protects against impersonation, Meta told TechCrunch it reserves usernames for public figures, government entities, and "some variations" of those names so only the legitimate owner can claim them. The company did not explain, however, how it decides which lookalike usernames get proactively reserved and which don't. The concerns have already reached regulators in India, where cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and government officials. [...] Rachel Tobac, chief executive of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks, phishing, and account takeovers. Still, she said, lookalike usernames still create opportunities for impersonation. "Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don't know, but it's important to verify identity with the username function too," Tobac told TechCrunch. Her advice for most users: Pick a username that isn't easily guessable, so it's harder for attackers to find you, message you cold, or harass and spam you.
[...] The Mozilla Foundation said the introduction of usernames is likely to bring new tradeoffs. "Increased scams and impersonation from fake handles are potentially a big one," it told TechCrunch. "Checking a phone number can be a useful verification tool, but these harms are also permitted by the platform's fundamental design choices." Mozilla also flagged a broader interoperability question -- one worth logging if you're building on top of, or competing with, Meta's ecosystem. While letting users claim their existing Facebook and Instagram usernames may cut down on impersonation, it also shows how easily Meta can stitch identity together across its own apps, even as users still can't take that identity, or their contacts, to a rival platform. For now, WhatsApp says it is taking a gradual approach to the rollout. "We're taking our time and listening to feedback so that when it rolls out later this year we get it right," the company said in its FAQ.
Re:Ya know... (Score:4)
Re:Ya know... (Score:5, Informative)
"That trick never works." (Score:4)
Boycotts are the trick that does not work in this case, though you may not even have the option to boycott any more. Maybe Zuck will have to create shadow profiles for the residual humans who decline to play his game on his turf. How else can he fill in the holes in "the members' profiles" when they refer to people who aren't there in person. As if "in person" still has a meaning?
On the boycott topic, my second and final Amazon purchase was decades ago. The products (books) and services were mostly okay, but I saw what was being done with my personal data and it stank to high heaven and I wanted no part of it. So I stopped using all things Bezos but kept an eye on the development of the new corporate cancer. Can't see that my boycott has hurt Amazon any.
(Maybe I just have to wait longer? My first corporate boycott target was Exxon. Never managed to bankrupt them as I planned so deviously, but it sure feels like Exxon has fallen far from its glory days. Is an ugly acquisition in Exxon's future? Oh I hope it's Chinese or Brazilian!)
Back to Zuckerland and a sort of disclaimer: My identity on Facebook was assassinated a few years ago. I had already looked at WhatsApp and Instagram and decided not to use them, but I had cured my Facebook problem with a timer. Actually two of them. The first one went off at four minutes and then I had one minute to get off of Facebook before the second one buzzed. That was my daily allotment for the last few years before my Facebook identity was murdered for reasons that Facebook declined to tell me about. I declined to "prove" myself to Facebook's satisfaction, even if that was possible without knowing my hideous crime, but I did exercise the option to download Facebook's dossier on me and I spent a while searching for any reason, but never even found a candidate. I have a theory it was politically motivated, but only Zuck knows. If Zuck has his way "only Zuck knows" may become the law of the land for the entire universe. "Domination!"
Re:"That trick never works." (Score:4, Interesting)
My Facebook account was assassinated a few years back for posting "#NEVERAGAIN" and a link to the British Holocaust Memorial Day Trust on May 6. Reason eventually given: the link to a HOLOCAUST REMEMBRANCE PAGE was supposedly "glorifying violent individuals or organizations."
That's right. Nazi Trash Filth Zuckerberg decided that saying "#NEVERAGAIN" about the Holocaust was somehow "glorifying" violent individuals or organizations...
Re: (Score:2)
Second: let's be honest, they did you a favour.
Re:"That trick never works." (Score:4)
YOU might think of it as a boycott, but I think of it as "self-protection". I avoid Musk's products for self protection...that I also hope it harms him at least a trifle is a minor additional bonus...and it doesn't matter if it doesn't.
Re: (Score:2)
But would you really avoid Starlink if that was your only choice for Internet access?
Names don't work for a global society. (Score:3)
Re: (Score:3)
I'm Not Sure.
Re: (Score:2)
Re: (Score:2)
Perhaps tattooed on your forehead at birth.
Dark Angel.
Twelve Monkeys.
Re: (Score:2)
I think it was actually a reference to Revelations, though IIRC, that was supposed to be a mark both on the forehead and on the wrist.
Re: (Score:2)
Too many collisions, clearly we should go to a serial number system. Possibly encoded in a bar code. Perhaps tattooed on your forehead at birth.
Prescient ad for a now-dead bank: Washington Mutual: Head Scan [youtu.be]
Re: (Score:2)
Perhaps tattooed on your forehead at birth.
That's a bit harsh. Can't we just encode it into a small chip which we could insert into a device we keep with us at all times? We could give it a clever name like Subscriber Identity Module. Ooooh I know, we'll also create an electronic variant that allows us to provision it via QR code to make it easier to move between devices.
Cry me a river (Score:3)
So john.doe.32@yahoo and john.doe.33@yahoo can be confused? Save the handle in your address book, if you aren't sure you can remember it correctly. It's not the provider's job to force users to choose distinct names. The hamming distance between valid phone numbers is also smaller than many people assume.
"Identification" is the problem in the first place (Score:2)
And 'Names' make it worse than 'Numbers.'
Trying to pretend the words on your account somehow mean that's who you are is the problem. This idea that if someone has "Michael Jackson" next to their post then it's the actual famous person talking isn't something that can work.
It's better if that name next to people's posts is known to be just 'self-selected words.' Nobody will be fooled into thinking it's Michael Jackson, if there are 5000 different accounts claiming they are Michael Jackson.
Actual 'authenti
I'm going to reserve "Dan Sullivan" (Score:1)
said both Dan Sullivans [pbs.org].
If the true problem was phone number privacy (Score:1)
then the solution is a number consisting of octal digits [wikipedia.org].
Wrong guy took mine (Score:3)
My facebook id has been spaceman375 for over 10 years (tho I haven't logged in again after the 1st 3 months.) I can't get it on my whatsapp account because some guy used it for his instagram account. I have 2 email accounts that are spaceman375, one from last century. It's my login on many websites, and yet somehow somebody else gets to take it. [expletive]
Okay, I'll stop bitching now. Must be the heat...
Re: (Score:2)
And what about all real name collisions like Don Johnson? Or this Michael Rowe who does software, is typically known by this first name abbreviation and can't take the name MikeRoweSoft anywhere...?
Re: (Score:2)
Yeah turns out that with 8 billion people in the world a significant portion of them come up with something like "spaceman". That's the price of picking an ID that is also popular music, a movie, a name given to a profession...
Me I haven't been able to use my actual nickname anywhere, even here on Slashdot it was taken by someone. Joke's on them though I got the domain name. Someone with my nickname tried to buy it off me a while back but fuck em it's MINE.
Asking for friends... (Score:2)