New Instagram security measures are not that secure


The social network will try to reinforce its security with third-party authentication

Cyber security specialists from the International Institute of Cyber Security report that Instagram is about to add security measures to its mobile app to protect its users' privacy against possible cyberattacks. The Facebook-owned social network is in the process of implementing third-party authentication.

However, these new security measures will not prevent the compromise of Instagram accounts if a hacker manages to hijack a user's mobile phone number, an increasingly common criminal practice.

For years, cyber security experts have warned that hackers have been exploiting weak Instagram authentication. For some time, Instagram has offered users a security option that sends a single-use code via SMS to a mobile device, but these codes can be intercepted through various methods.

The new authentication mechanism would require users to download a third-party app such as Authy, Duo, or Google Authenticator, which generates a single-use code that must be entered after the user provides a password. Instagram said support for third-party authentication apps has started to expand and will be available to users around the world in the coming weeks.

Instagram has selected some users to test how the new security feature works, as these options are not yet available to most users. According to reports from users who have tested the new features, the process for setting up multifactor authentication involves the following steps:

  • Go to Settings
  • Scroll down and select “Two-factor authentication”
  • If two-factor authentication has not been activated, select “Start”
  • Follow the on-screen instructions
  • Enter the confirmation code for the third-party authentication app to complete the process

If you have already enabled SMS-based authentication, it will likely remain enabled after the update. The app will also ask users to save a series of recovery codes, which must be stored in a safe place in case they ever lose the mobile device.

The problems Instagram has not fixed

Instagram has recently received bad publicity from publications reporting the hijacking of many accounts, even those protected by SMS authentication. In many cases, the accounts were hijacked because the hackers managed to get the victims' phone numbers. In these cases, as reported by cyber security experts, accounts were hijacked because Instagram allows users to reset their account passwords with a single factor, using nothing more than a text message sent to a registered mobile phone number, so the new security mechanisms will be useless in cases like these.

Hackers exploit SMS-based password reset requests to hijack Instagram accounts by executing unauthorized “SIM swaps”, tricking the victim's mobile phone provider into transferring the telephone number to a device or account controlled by the hacker. Once the victim's mobile number is hijacked, the hacker can reset the password of the associated Instagram account.