Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.
Writing on Ello, Blakeman describes how hackers gained access to his Instagram account through his Gmail. Even though he had two-factor turned on, the hackers were able to reset his Instagram password through Gmail and take control of his account (which has since been restored). So how did they do it? Blakeman says that Wired's Mat Honan, himself a veteran of an epic hack, helped him by suggesting he check with his mobile phone provider.
It turns out his number had been forwarded to a different number — which is how the hackers gained access:
The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
After the post appeared on Hacker News, more details emerged about how easy it is to bypass security questions through mobile phone providers. As commenter jasonisalive — who works for a provider — put it, service reps often receive commissions based on customer satisfaction, creating "a constant tension between providing a good customer experience and protecting security and privacy."
That leaves a rep choosing between upholding privacy standards and pissing off customers. "So where do you draw the line between customer support and customer security without either enraging real customers or allowing people to illegally access customer accounts?" asked another reader.
Luckily, Blakeman had the wherewithal and knowledge to investigate and ultimately restore his accounts. But his story is a cautionary one: No matter how bulletproof two-factor authentication seems, no security system is perfect. [Hacker News]