It has been long established that two-factor authentication through SMS is vulnerable to attacks. Hackers can use your phone number to reset your passwords and ultimately get access to your online accounts. This access is then sold on the dark web in bulk. While several major companies offer 2FA through security apps like Google Authenticator, Instagram accounts remained dependent on text messages.
The company has now announced that it is finally building a better 2FA system that will work with security apps. These apps are installed on your phone and generate special codes for access to your accounts. Since these codes cannot be accessed from a different phone even if a number has been reassigned to a different SIM, this method has largely remained a secure way of authenticating users.
“We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication," an Instagram spokesperson told TechCrunch confirming that it indeed is working on a non-SMS 2FA feature.
Instagram is super late to offer a non-SMS 2FA system despite platform-wide abuses
Instagram may have enabled everyone to turn into a celebrity but that also means that criminals are looking to get to those highly popular accounts - especially the ones with short or catchy account handles.
After criminals manage to SIM swap or SIM hijack (the scam that T-Mobile warned - and then denied - all of its subscribers about), they can take over any accounts despite users believing that two-factor authentication would save them.
These accounts are then put for sale for as low as $500 and as high as $40,000. According to a recent Motherboard report, Instagram account @t went for $40,000 worth of Bitcoin.
“Any type of number can be ported,” Roel Schouwenberg, the director of intelligence and research at Celsus Advisory Group, told the publication. “A determined and resourced criminal actor will be able to get at least temporary access to a number, which is often enough to successfully complete a heist.”
This easy access to SIM swapping has turned your phone number into a master key that can be easily accessed and temporarily taken control of. While Instagram, which took its sweet time to even offer this kind of 2FA, works on delivering better security options, take your time and set up a security app like Google Authenticator or Duo to protect your other accounts.
- If you are still not ready to remove your number and set up a security app, head over to Motherboard and read what hackers can do with this access - your account handle doesn't have to be "high-end" to attract their attention.
