Users of popular messaging apps WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking, according to a new study.
Researchers found the majority of users are vulnerable to malicious attacks because they either don’t know about or aren’t using the proper security features.
In the study, only 14 percent of participants successfully enabled the full security function that would protect their messages.
‘It is possible that a malicious third party or man-in-the-middle attacker can eavesdrop on their conversations,’ said Brigham Young University computer science PhD student Elham Vaziripour, who led the recent study.
Facebook Messenger doesn’t offer automatic encryption but allows users to set it up themselves.
WhatsApp and Viber, however, both advertise that their end-to-end encryption is automatic and that even they can’t access your messages, which leads many users to believe their conversations are secure.
But that’s not the case – to truly encrypt messages, all three apps require what’s called an ‘authentication ceremony.’
The process allows users to confirm the identity of their intended conversation partner and makes sure no third party can trick them into revealing the contents of their messages.
Daniel Zappala, a computer science professor who worked on the study, told DailyMail.com that without it, ‘a clever hacker could make you think that you are encrypting your messages to your partner (let’s call her Alice), when in reality, you are encrypting your messages for an intruder (let’s call her Trudy).’
‘Trudy decrypts your messages, so she can read them, and then re-encrypts the messages to send them to Alice.’
‘Alice thinks she got the messages directly from you, when in reality, Trudy was in the middle of the conversation and able to read it all.’
‘This could be done by the service provider or by a hacker who is able to get into the middle of your conversation (such as at a wireless hotspot) and is known as a “man-in-the-middle” attack in the security community.’
When users perform the authentication ceremony, they are essentially comparing the ‘keys’ that secure the conversation to make sure they match.
Yet most users are completely unaware such action is necessary to keep their messages private, as the manual process is ‘somewhat hidden behind a few clicks in the user interface,’ according to Zappala.
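The scenario Zappala describes, and what comparing keys catches, as an added example that is not from the study or from any of the apps. It is a toy Diffie-Hellman exchange in Python; the group parameters, the function names and the fingerprint format are assumptions made for illustration, not any app's real algorithm.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) for one participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Message key derived from my private key and the public key I was handed."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub_a, pub_b):
    """Code a device displays for a chat: a hash over both public keys as it knows them."""
    material = b"".join(k.to_bytes(16, "big") for k in sorted((pub_a, pub_b)))
    digest = hashlib.sha256(material).hexdigest()[:20]
    return " ".join(digest[i:i + 4] for i in range(0, 20, 4))

def ceremony(intercepted):
    """Simulate one chat setup. Returns (your_code, alice_code, trudy_can_read)."""
    you_priv, you_pub = keypair()
    alice_priv, alice_pub = keypair()
    if intercepted:
        # Trudy sits in the middle and hands each side her own public key.
        trudy_priv, trudy_pub = keypair()
        seen_by_you, seen_by_alice = trudy_pub, trudy_pub
    else:
        seen_by_you, seen_by_alice = alice_pub, you_pub
    your_code = fingerprint(you_pub, seen_by_you)
    alice_code = fingerprint(alice_pub, seen_by_alice)
    # Encryption "works" either way; the question is who holds the matching key.
    your_key = shared_key(you_priv, seen_by_you)
    trudy_can_read = intercepted and shared_key(trudy_priv, you_pub) == your_key
    return your_code, alice_code, trudy_can_read

if __name__ == "__main__":
    for intercepted in (False, True):
        yours, alices, leaked = ceremony(intercepted)
        verdict = "codes match" if yours == alices else "codes differ: do not trust this chat"
        print(f"intercepted={intercepted}: you see {yours} | Alice sees {alices} | {verdict}")
```

Both sides get a working encrypted channel in either run, so nothing looks wrong until the two displayed codes are compared over a separate channel, such as in person or on a call.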