How Hackers Reportedly Side-Stepped Google's Two-Factor Authentication


Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.

Writing on Ello, Blakeman describes how hackers gained access to his Instagram account through his Gmail. Even though he had two-factor turned on, the hackers were able to reset his Instagram password through Gmail and take control of his account (which has since been restored). So how did they do it? Blakeman says that Wired's Mat Honan, himself a veteran of an epic hack, helped him by suggesting he check with his mobile phone provider.

It turns out his number had been forwarded to a different number -- which is how the hackers gained access:

The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.

After the post appeared on Hacker News, more details emerged about how easy it is to bypass security questions through mobile phone providers. As commenter jasonisalive -- who works for a provider -- put it, service reps often receive commissions based on customer satisfaction, creating "a constant tension between providing a good customer experience and protecting security and privacy."

Which leaves reps choosing between upholding privacy standards and pissing off their customers. "So where do you draw the line between customer support and customer security without either enraging real customers or allowing people to illegally access customer accounts?" asked another reader.

Luckily, Blakeman had the wherewithal and knowledge to investigate and ultimately restore his accounts. But his story is a cautionary one: No matter how bulletproof two-factor authentication seems, no security system is perfect. [Hacker News]
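The chain in Blakeman's story (Instagram reset by email, Gmail's second factor delivered by SMS, the phone number answerable to a carrier support rep) is easy to miss when each account is looked at on its own. As an added illustration, not code from the article, the script below models an account's reset and second-factor channels as a dependency graph and walks it to find which logins ultimately rest on a carrier-controlled number; all account names and channels in it are constructed sample data.

```python
"""Recovery-dependency audit: added illustration, not code from the article.
Each account's reset/second-factor channels point at whatever controls them;
walking the graph shows which logins finally rest on a carrier-managed number."""

# node -> [(channel, controller)]: anything able to complete a reset or
# stand in as the second factor for that node (constructed sample data).
SAMPLE_GRAPH = {
    "instagram": [("email_reset", "gmail")],
    "gmail": [("sms_2fa", "phone_number"), ("totp_app", "authenticator")],
    "phone_number": [("carrier_support", "carrier")],
    "authenticator": [],   # offline app: nobody else can answer for it
    "carrier": [],         # root reachable by social-engineering a support rep
}

# Roots a third party, not the account owner, ultimately controls.
SOCIAL_ENGINEERING_ROOTS = {"carrier"}


def recovery_paths(graph, account):
    """Every chain of (channel, controller) steps from account down to a root."""
    paths, stack = [], [(account, [])]
    while stack:
        node, path = stack.pop()
        edges = graph.get(node, [])
        if not edges:
            paths.append(path)
            continue
        for channel, controller in edges:
            if controller in {ctl for _, ctl in path}:
                continue  # ignore cycles in the dependency data
            stack.append((controller, path + [(channel, controller)]))
    return paths


def weakest_roots(graph, account, weak_roots=SOCIAL_ENGINEERING_ROOTS):
    """Paths whose final controller is outside the owner's hands."""
    return [p for p in recovery_paths(graph, account) if p and p[-1][1] in weak_roots]


def without_channel(graph, channel):
    """Copy of graph with one channel (e.g. 'sms_2fa') removed everywhere."""
    return {n: [(c, t) for c, t in e if c != channel] for n, e in graph.items()}


if __name__ == "__main__":
    for path in weakest_roots(SAMPLE_GRAPH, "instagram"):
        print(" -> ".join(f"{ch}:{ctl}" for ch, ctl in path))
    hardened = without_channel(SAMPLE_GRAPH, "sms_2fa")
    print("after dropping SMS:", weakest_roots(hardened, "instagram"))
```

Run against the sample graph it reports the single carrier-rooted path instagram -> gmail -> phone_number -> carrier, and an empty list once SMS is no longer accepted as Gmail's second factor.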



Comments

    Aw crap. Here I was thinking this kind of scenario was unlikely to happen, since not one of the mobile carriers I have worked for/subscribed to has necessarily made it easy for me to talk about my account details, asking me questions like when I paid my last bill and how much I paid, etc.
