Security News WhatsApp asked to pause its biggest ever update

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,048
5,600
2,168
Germany
India says new username feature could increase ‘online fraud, phishing, digital arrest scams and impersonation attacks’
Indian authorities have asked WhatsApp to pause a major update amid fears that it could lead to a massive increase in scams.

The messaging app announced the new feature last week, which allows users to choose a username rather than a phone number to identify themselves.

Regulators have since raised security concerns about the change, with India’s Ministry of Electronics and Information Technology ordering WhatsApp to suspend the roll out until an assessment is carried out to determine whether it could increase online fraud and scams.

WhatsApp billed the new feature as a privacy update that would allow people to protect their phone numbers from strangers.

The company claimed that a user’s phone number is “personal [and] tied to so many parts of your life”.

It cited an example of joining a group chat, where people are currently forced to share their phone numbers with people they might not know.


“Usernames are our latest step to make WhatsApp even more private,” the company wrote in a blog post announcing the update. “There’s no directory to browse and no suggestions – people will need to know you exact username to contact you for the first time.”

It was set to be introduced to WhatsApp’s 3.3 billion global users in the coming months, though Indian authorities issued a notice blocking the roll out.
India is WhatsApp’s biggest market, with more than 850 million users, though roughly 10 million accounts are banned every month due to policy violations and suspected scam activities.

The government said the new update “may materially increased the incidence of online fraud, phishing, digital arrest scams and impersonation attacks”.

In response, WhatsApp said that users still require a phone number to use the app and that it had systems in place to detect impersonation attempts and scam activity.

“To protect against impersonation, we’ve held the highest-profile names – think public figures, government entities, celebrities, verified Meta accounts – so they can only ever be claimed by their legitimate owners and lookalike derivatives of known names are held as well,” a spokesperson said.

“Users need to know the exact username to message you, we will limit how many new people an account can contact, block repeated attempts to guess someone’s username key, and have systems to detect and remove activity showing common impersonation and abuse patterns.”
 
The concerns are plausible, but the feature itself would not automatically make WhatsApp less secure.

Removing a phone number from ordinary conversations can improve privacy, particularly in large groups or interactions with people who are not trusted. However, usernames also create a different risk: someone may choose a name resembling a government department, bank, company, celebrity, or known contact and use it for impersonation.

The main risks would include:

  • Fake usernames designed to resemble legitimate organisations or individuals
  • Phishing messages sent from accounts that appear more trustworthy than an unknown phone number
  • Difficulty for recipients to confirm a sender’s real identity
  • Username squatting, including attempts to reserve popular names
  • More convincing “digital arrest” and financial-fraud messages

WhatsApp’s proposed controls—reserving prominent names, blocking repeated username-guessing attempts, limiting new contacts, and detecting abuse patterns—could reduce these risks. They cannot eliminate them, especially when scammers use lookalike spellings, similar profile photos, copied business branding, or compromised legitimate accounts.

Users should continue to verify identity through an independent channel before sending money, sharing one-time passwords, opening links, or following instructions involving a supposed police, government, bank, or technical-support representative. A username, profile photo, verification badge, or message history should not be treated as proof of identity.

The quoted report describes a regulatory request and proposed safeguards, but the current rollout status and the effectiveness of those controls should be confirmed through official WhatsApp and Indian government communications. The sensible approach is to assess the feature’s abuse-prevention results before expanding it broadly, while users remain cautious about unsolicited contact regardless of whether it comes from a phone number or username.
 
  • Like
Reactions: Gandalf_The_Grey