Instagram to Introduce Non-SMS Two-Factor Authentication to Prevent SIM Hacking

Discussion in 'iOS Blog Discussion' started by MacRumors, Jul 17, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Instagram is planning to introduce a new two-factor authentication method that will not require a user's phone number and will instead work with authentication apps like Google Authenticator, reports TechCrunch.

    Authentication apps are a safer two-factor option than the phone number method, which can be bypassed through SIM hacking, as outlined earlier today by VICE's Motherboard.


    SIM hacking involves hijacking a person's phone number by manipulating cellular service support staff and claiming a SIM card has been lost.

    Creating a new SIM associated with the phone number allows it to be stolen, and if that phone number is associated with a social networking account, as it would be with Instagram's current two-factor authentication method, the results can be devastating.

    In Motherboard's article, for example, SIM hacking is used to steal Instagram accounts, which can be lucrative when highly desired usernames are poached.

    Instagram is especially vulnerable to this kind of attack because right now, when you turn on Instagram's two-factor authentication, account codes and password reset requests are sent via your phone number.

    Instagram has already been testing the new two-factor authentication method, with screenshots and details baked into the code for the Instagram Android app. This code was discovered by a TechCrunch tipster, who also shared screenshots.

    An Instagram spokesperson confirmed the screenshots are legitimate and said Instagram is "continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication."

    It is not yet clear when Instagram plans to roll out the new two-factor authentication method, but it could come soon as it appears to be nearly finished based on the screenshots.

     
  2. OldSchoolMacGuy macrumors 601

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #2
    SIM hacking is quite a lot of work to get access to someone's Instagram account, but I suppose if it's that of a celebrity with millions of followers, they could do some damage and it may be worth it.
     
  3. velocityg4 macrumors 601

    velocityg4

    Joined:
    Dec 19, 2004
    Location:
    Georgia
    #3
    I’d rather an option for all services to have no two factor authentication. It’s a real bother for those who take the time to use a password manager to generate strong, unique passwords. Then store said passwords in an encrypted vault protected by one strong password.

    At least create a standard for two factor authentication. So our password managers can automatically receive and fill the code.

    As it stands, two factor just increases login time.
     
  4. hank moody macrumors 6502a

    hank moody

    Joined:
    Jan 18, 2015
    #4
    Please, just stop promoting google auth.
    There are plenty of BETTER and open source apps out there to talk about.
     
  5. acorntoy macrumors 65816

    Joined:
    May 25, 2010
    #5
    I find it hilarious when I'm logging into iCloud on my Mac and it asks me for two factor, and then sends the code to the freakin laptop 'cause it’s already authorized. I would love to see a standardized two factor login.
     
  6. Chaka Jon macrumors regular

    Chaka Jon

    Joined:
    Sep 10, 2014
    Location:
    San Francisco
  7. Smcaskil macrumors newbie

    Joined:
    Jul 17, 2018
    #7
    These apps are just distractions to me. They are generally fun to scroll and get a chuckle or see something interesting. But if they are unable to secure their systems, and instead start to make me have to download another app to use their app, and click multiple times to get into an app that is at best a fun diversion, then I will just delete my account and the app and move on.
     
  8. effort macrumors member

    effort

    Joined:
    Sep 16, 2016
    Location:
    Los Angeles
    #8
    I actually had my Instagram account hacked via SIM hacking. He threatened it if I didn’t hand over my Instagram handle... and it happened. So, even if you’re not a celebrity, as long as it’s something the hacker wants, in my case an Instagram handle (@effort), it can still happen.

    I reached out to Instagram regarding the incident but their customer service is pretty much nonexistent.
     
  9. mariusignorello macrumors 65816

    Joined:
    Jun 9, 2013
    #9
    1Password handles TFA with One-Time Passcodes if you use their app.
     
  10. thisisnotmyname macrumors 68000

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #10
    The Vice article today was pretty good. It's not difficult at all when you have a T-Mobile employee you can bribe for $100 and then can sell off prized insta handles for $1000+ (in the article they stole @rainbow from some random person who had it).
    --- Post Merged, Jul 17, 2018 ---
    I hope this brings an end to every service under the sun wanting my phone number. No, I don't want you to have my phone number. There are other methods to produce a second factor.
     
  11. 1080p macrumors 68030

    1080p

    Joined:
    Mar 17, 2010
    Location:
    Planet Earth
    #11
    I hate the fact that Apple cannot do anything for someone locked out of 2 factor authentication when they have no other "trusted Apple devices" and they have changed their phone number and cannot receive the SMS.
     
  12. ovo6 macrumors 6502a

    Joined:
    Sep 10, 2015
  13. OldSchoolMacGuy macrumors 601

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #13
    iCloud 2-factor is tied to the device, not the phone number generally. To verify from a new device you have to approve from a previously verified device.
     
  14. Mr. Heckles macrumors 6502

    Mr. Heckles

    Joined:
    Mar 20, 2018
    Location:
    Around
    #14

    Then don’t use it. No one is forcing you to use it.

    I agree there needs to be a standard. I saw one and it was 7 digits, and a 20 second timer on the one time password.


    What other ones do you recommend? I’m not a fan of Authy and Duo is ok, but it’s just ok.


    It’s sad when my Instagram account is going to be more secure than my banking account. I hate that my cell number is connected to my bank account and used for 2 step verification.
     
  15. bozzykid macrumors 68020

    Joined:
    Aug 11, 2009
    #15
    Having unique/strong passwords is not enough. There is no reason you shouldn't have strong passwords and use two factor auth. And most of these services don't yet require two factor auth but the day is coming where they will.
     
  16. neurophysicist macrumors member

    Joined:
    Jul 20, 2011
    Location:
    Dagobah
    #16
    So if I understand correctly:
    • The exploit is that password reset requests for some services (apparently Instagram) are sent via SMS? So this would not apply to Apple and Google for example, correct? (I believe password reset requests in those cases require resetting via email).
    • Off the top of my head, don't most services require password reset requests to go through email? I'm not even aware of any where I had to use SMS.
     
