Saturday, November 01, 2014

Google's BulletProof Two-Factor Authentication Bypassed To Hack Into An Instagram Account.

Even though it is not due to any fault on the Google side, two factor authentication has been hacked using a cell phone carrier. (Yet Google should have a better way to resolve issues like these.).

It looks like pretty simple to hack, Provided that the hackers have your phone number and the email address.
Call the phone company, tell your phone is in the drink and to forward your phone number to a new number.
Then issues password change at Google, the authentication is sent to the new phone # and viola, password is changed and hackers have access to your Google account. Google and anything else connected to the Google account could be changed from this point onward.
It all came to light when a developer, Grant Blakeman, informed about his Instagram account getting hacked via Gmail, which in turn was protected by two-factor authentication. He posted his ordeal on ello | GB, and we are not very happy about the incident nor the takeaway. But one thing we took away is is that he is still using Google two factor authentication, but using an app instead of text to receive the authentication code. WIth all the faults, it is still better to use two factor authentication.

As for instagram (read below), if you do not have friends at high places, and if your account is hacked, you are hosed.

Resolution and Learned Lessons, from Grant Blakeman
Cell Phones 
As you might imagine, my cell phone provider was fairly non-plussed about the ordeal. They assured me I wouldn't be responsible for any charges to my account I didn't authorize, but also assured me that no one but me could make changes to my account. Ironic, I know. 
The takeaway: It is possible to add a voice authorization code to your account that the CSR is supposed to prompt from you to ensure changes can only be made to the account by you. I added that code and you should too. It's likely it may not have helped, but it's something. 
This one is still a black box to me. I can't find a way to report the incident to Google, and my cynicism tells me they deal with this kind of stuff enough that they wouldn't provide me with much information or resolution even if I could. I've since re-enabled two-factor auth, and I use an app to retrieve the authorization codes instead of texts. 
The takeaway: My Instagram account was tied to an email that was basically my name. That was probably a mistake. I have other public email addresses, so I'm not sure how someone would have known it was my Gmail account they should go after, but it probably wasn't hard to figure out. I've since moved all important accounts that allow password reset emails to a different address that does not contain my name, you might want to consider doing that too. 
Initially Instagram's support sent me an email saying that they could not verify that I had ever owned the @gb account in the first place (despite the fact that they had made me a Suggested User to Follow for a time) and would not be able to take any further action. Bummer. 
Thankfully, some friends in high places did some digging and prodding and an Instagram team member got in touch with me personally and worked to restore my username and account. In the end, I really appreciate their effort and kindness.

No comments: