Viber PINs are great … that is, if you are a scammer.
At 2:00 AM the day before yesterday, my cousin received a phone call from a scammer with a story saying that he had had his number before, and he asked him to click a Google prompt. He mentioned what number to click and my cousin clicked it. Now, since this number is part of the two-step verification process of Gmail, the scammer got a very high level of trust from Google.
There likely was a second hack that took place for Viber access, but my cousin does not remember the exact details of how everything went down. It can be assumed that he took Viber access in the same phone call, and this is how he was able to reach the Viber PIN stage, as you can only reach this area after entering the Viber OTP.
The scammer then proceeded to report the phone as lost and did a factory reset on his phone, where he lost the logs of this taking place along with the main number he got the call from. The scammer got access to the Viber account and set a “Viber PIN”.
Viber PINs
Viber PINs are the two-step verification Viber implemented. Except it is not great when the owner of the number cannot get in once the PIN is set.
Telegram has had two-step verification since April 8, 2015. Viber did not have this feature until two years ago (~2022 / 2021). Telegram's implementation relies on email just like Viber; however, Viber relies on email more than the number. And this is where the problem occurs.
Maybe Viber thought it was smarter to do this…
Despite my cousin entering the correct OTP for Viber, Viber would not let him in because the scammer has a PIN set on the account. This is not good. Obviously the owner of the number should be able to reset the PIN. And this is not just my opinion, but it is because Viber and Telegram are logged in and signed up through mobile phones and not emails, so it is only natural that whoever proves the ownership of the number should be the higher authority.
Telegram's cloud passwords
The main difference between Viber and Telegram when it comes to this sort of two-step verification is that Telegram allows the user to reset the account as long as they prove ownership of the number (OTP). This is impossible in Viber.
It was explained to me and my cousin by the Police cybercrime department that this is a very common practice of the scammers right now, and they have to officially contact Viber with relevant documents to get the account back, and Viber deactivates the account within 15 minutes to 48 hours.
The same hack but in Telegram
The following never happened, but it is a hypothetical situation if the scammer was targeting Telegram instead of Viber.
When my cousin realizes he is hacked, he would have to enter the cloud password to get in. But it was not him who set the cloud password, so he would not know it. In this case he can reset the account, as Telegram can verify that he owns the number.
The purpose of the scam is to message people asking for money transfers. But the resetting of the Telegram account will log him out and delete the account, and the scammer would now need to get the OTP again from my cousin, and at this point it can't happen as my cousin is well aware of the scam.