As a wave of weirdly patterned hacks hits at least 100 users within the first week of August, we realize that even Instagram’s 2FA security system isn’t enough to protect us from potential hackers. Many users have complained of bizarre hacks, which raises pertinent questions about the app’s security settings.
Some users have identified the same pattern used over and over again. A fitness blogger recounts that one evening she suddenly noticed she had been logged out of her own account. On logging in, she got a message saying that her username didn’t exist. She realized that not just her username and profile picture but also her associated email ID and phone number had been changed. An IT professional who handles the Instagram account of his IT firm faced a similar problem.
Mashable reports that 275 people have contacted them to address the issue of a similar hack. However, their 2FA security wasn’t updated, so it can still be addressed as a fault. But it confirms that at least 4 people have reported hacking despite having enabled the 2FA system. When contacted, Instagram promised to upgrade its 2FA security, but so far there is no indication of what exactly it is going to do.
So until Instagram comes up with an update, users have to rely on SMS-based security, which isn’t as secure as app-based authentication methods. While SMS-based 2FA is more effective than none at all, it may not be enough to protect your Instagram account from determined cybercriminals.
Though a general pattern can be traced in the hacks, it is not yet clear how they are occurring. In the past, hackers have hijacked Instagram users’ SIMs in order to gain entry into 2FA-protected accounts. But that doesn’t appear to be what’s happening in these cases, in which users describe their 2FA settings being bypassed, changed, or disabled without their knowledge.
Two-factor authentication obviously does help, but it’s not foolproof. – Stuart Madnick, an information technology professor at MIT’s Sloan School of Management
One major loophole is a flaw in the Signalling System 7 (SS7) routing protocol used by telecom companies, which enables hackers to redirect 2FA authentication SMS messages away from the recipient.
Whether or not this is happening due to Instagram’s negligence, it is impossible to say for sure without the company weighing in directly. Instagram has declined every request to comment on this issue and is clearly distraught about the lack of security. But the wave of recent hacks, which has caused hundreds to lose access to their accounts, highlights the fact that security is a growing concern for the service.