Hackers can steal your phone number by reassigning it to a different SIM card, use it to reset your passwords, steal your Instagram and other accounts and sell them for bitcoin. As detailed in a harrowing Motherboard article today, Instagram accounts are especially vulnerable because the app only offers two-factor authentication through SMS that delivers a password reset or login code via text message.
But now Instagram has confirmed to TechCrunch that it’s building a non-SMS two-factor authentication system that works with security apps like Google Authenticator or Duo. These apps generate a special code that you need to log in, and that code can’t be generated on a different phone even if your number is ported to a hacker’s SIM card.
Buried in the Instagram Android app’s APK code is a prototype of the upgraded 2FA feature, discovered by frequent TechCrunch tipster Jane Manchun Wong. Her work has led to confirmed TechCrunch scoops on Instagram Video Calling, Usage Insights, soundtracks for Stories and more.
When presented with the screenshots, an Instagram spokesperson told TechCrunch that yes, it is working on the non-SMS 2FA feature, saying, “We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication.”
Instagram actually lacked any two-factor protection until 2016, when it already had 400 million users. In November 2015, I wrote a story titled “Seriously. Instagram Needs Two-Factor Authentication.” A friend and star Instagram stop-motion animation creator, Rachel Ryle, had been hacked, costing her a lucrative sponsorship deal. The company listened. Three months later, the app began rolling out basic SMS-based 2FA.
But since then, SIM porting has become a much more common problem. Hackers typically call a mobile carrier and use social engineering tactics to convince them they’re you, or bribe an employee to help, and then change your number to a SIM card they control. Whether they’re hoping to steal intimate photos, empty cryptocurrency wallets or sell desirable social media handles like @t or @Rainbow as Motherboard reported, there are plenty of incentives to try a SIM porting attack. This article outlines how you can take steps to protect your phone number.
Hopefully, as this hacking technique becomes better known, more apps will introduce non-SMS 2FA, mobile providers will make it tougher to port numbers and users will take more steps to safeguard their accounts. As our identities and assets increasingly go digital, it’s PIN codes and authenticator apps, not just deadbolts and home security systems, that must become a part of our everyday lives.
Instagram is building non-SMS 2-factor auth to thwart SIM hackers
Subscribers of the “striped” mobile operator can now pay for content in the App Store and iTunes directly from their phone account. Beeline users no longer need to link a bank card to iTunes and can instead buy apps, games and movies from their SIM balance.
App Store purchases from a Beeline account: apps, games and content in iTunes
Tracfone Wireless is acquiring Simple Mobile in a deal that could help it kick off a SIM-only service to the U.S. market.
Tracfone Ups Prepaid Stakes with Simple Mobile Buy
iPhone unlocks are usually a tetchy experience – you have to have the right firmware on the right model iPhone at the right time. Now, however, thanks to a method that spoofs the activation server, you can unlock almost any iPhone semi-permanently.
The system, called Subscriber Artificial Module or SAM, requires a jailbroken iPhone and Cydia. To run it, you de-activate your phone, insert a new SIM, and then activate SAM. SAM spoofs the activation process, convincing the phone that it has been unlocked properly and without issues.
Built by hackers Loktar_Sun and Laforet, the process isn’t for the faint of heart and it takes twenty-eight steps. You can follow along at iClarified where they’ve outlined the entire process in meticulous detail.
Because you’re not really unlocking the phone but in fact activating it using an unsupported SIM, expect some wonky server issues. You will also have to go back and reactivate the device later if you decide to switch SIMs. It’s a small price to pay for freedom.
New iPhone Unlock Should Work With Any Model
Ask (enough times) and ye shall receive. AT&T has kept the iPhone under lock and key since day one, but we’re hearing that a pretty dramatic policy shift will go into effect starting this Sunday. Once April 8 rolls around AT&T will unlock your iPhone should you so choose, at which point it’ll play nicely with a microSIM from any GSM carrier.
Of course, there are a few conditions you have to meet before AT&T will swoop in and unlock your iPhone. First and foremost, your device has to be completely out of contract and your account must be in good standing — that means no history of missed payments or disconnections. AT&T will also unlock your device if you’ve gotten sick of your contract and decided to shell out the early termination fee, or if you spent full price on it, rather than purchase it subsidized with a contract. Not bad AT&T, not bad at all.
Alright, fine, not everyone actually needs a globetrotting phone, but isn’t it better to be safe than sorry? Just don’t expect every SIM card to grant you magical access to high-speed data: T-Mobile USA’s pre-cut microSIMs will fit just fine, for example, but you’ll be stuck cruising the web at EDGE speeds.
Longtime AT&T customers may know that the company’s policy has been to unlock a user’s device after 90 days of continued service, but the iPhone has always been a special case. Then again, we’ve been hearing that Apple CEO Tim Cook has been getting more than his share of iPhone unlock requests lately (mostly because looping him in actually gets things done), so maybe Mr. Cook just didn’t feel like dealing with the masses any more.
AT&T Will Unlock Your Off-Contract iPhone Starting On April 8