If you think the two-factor authentication offered by Google and other cloud services will keep your account out of an attacker's hands, think again. One developer found this out the hard way this weekend: Google's account protection scheme can be bypassed by going after something most people would consider an even harder target—the user's cell phone account.
As Wired’s Mat Honan found out two years ago, customer service representatives are the weakest link in cloud security. And mobile phone carrier customer service representatives are just as susceptible to social engineering attacks, apparently. That’s what Grant Blakeman, an independent software developer and designer, learned when he woke up to find his Google account’s password had been changed and his Instagram account—desirable because of its two-letter name (@gb)—had been hijacked despite the use of two-factor authentication on his Google account.
Blakeman contacted his cell provider after an online conversation with Honan about what had happened. He found that someone had enabled call forwarding on his cell account without his knowledge. That call-forwarding setup allowed the attacker to receive an authentication code from Google and take over his Gmail address, which was in turn tied to his Instagram account.