Instagram’s strongest 2FA settings fail to protect us from potential hackers


As a wave of weirdly patterned hacks hits at least 100 users within the first week of August, we realize that even Instagram’s 2FA security system isn’t enough to protect us from potential hackers. Many users have complained of bizarre hacks, which raises pertinent questions about the app’s security settings.

Some users have identified the same pattern used over and over again. A fitness blogger recounts that one evening she suddenly noticed that she had been logged out of her own account. On logging in, she got a message saying that her username didn’t exist. She realized that not just her username and profile picture but also her associated email ID and phone number had been changed. A similar problem was faced by an IT professional who handles the Instagram account of his IT firm.

Mashable reports that 275 people have contacted them to address the issue of a similar hack. However, their 2FA security wasn’t updated, so it can still be addressed as a fault. But Mashable confirms that at least 4 people have reported being hacked despite having enabled the 2FA system. When contacted, Instagram promised to upgrade its 2FA security, but so far there is no clue what exactly it is going to do.

So until Instagram comes up with an update, users have to rely on SMS-based security, which isn’t as secure as app-based authentication methods. While SMS-based 2FA is more effective than none at all, it may not be enough to protect your Instagram account from determined cybercriminals.

Though a general pattern can be traced in the hacks, it cannot yet be concluded how they are occurring. In the past, hackers have hijacked Instagram users’ SIMs in order to gain entry into 2FA-protected accounts. But that doesn’t appear to be what’s happening in these cases, in which users describe their 2FA settings being bypassed, changed, or disabled without their knowledge.

Two-factor authentication obviously does help, but it’s not foolproof. – Stuart Madnick, an information technology professor at MIT’s Sloan School of Management

One major loophole is the flaw in the routing protocol used by telecom companies, called the Signalling System 7 (SS7) protocol, which enables hackers to redirect 2FA authentication SMS messages away from the recipient.

Whether or not this is happening due to Instagram’s negligence, it is impossible to say for sure without the company weighing in directly. Instagram has declined every request to comment on this issue and is clearly distraught about the lack of security. But the wave of recent hacks, which has caused hundreds to lose access to their accounts, highlights the fact that security is a growing concern for the service.
