Gmail account gets hacked despite 2FA

News by Tim Ring

A widely circulated blog post from security expert Grant Blakeman about his Google Gmail and Instagram accounts being hacked has provoked a debate about the true strength of two-factor authentication (2FA).

Independent app developer Blakeman discovered over the weekend that his Gmail had been hacked and his Instagram account stolen, despite the fact that “I considered myself fairly security-savvy, I thought I'd done everything right”.

Blakeman was concerned at the fact that he had been compromised, even though he had turned on authentication for Google Gmail.

He eventually established the attack had started with his mobile phone provider, which had allowed call-forwarding to be enabled on his phone, giving the hackers some level of access or social engineering into his Google account. This in turn allowed them to receive a password reset email from Instagram, giving them control of that account.

Blakeman was helped in this discovery process by Mat Honan of publication Wired, whose own iCloud account was famously hacked two years ago and all his devices wiped.

After recovering his accounts, changing passwords and re-enabling 2FA on his Google account, Blakeman reflected: “In this particular case, it seems that two-factor authentication wasn't the security cure-all that many of us in the industry want it to be.”

His post went viral and appeared on Hacker News, attracting dozens of comments.

Blakeman said one key mistake he made was: “My Instagram account was tied to an email that was basically my name. I've since moved all important accounts that allow password reset emails to a different address that does not contain my name. You might want to consider doing that too.”

Commenting on the attack, Richard Cassidy, senior solutions architect at Alert Logic, said it does reveal problems with 2FA.

He told by email: “Two-factor authentication has always been a welcome addition to users' security when it comes to protecting valuable data and account access. It's based on strong security principles and in the end acts as a deterrent to attackers.

“That said, the fact remains that you are only as strong as the weakest link in your chain of security. Often with 2FA online, phones are the first choice in the chain of authentication, so if we find we don't have a strong security question for our phone provider, attackers need only perform a little due diligence to correctly guess your most likely passphrase and get full access to your account.”

Cassidy advised: “Users need to pay a great deal more attention to the reset mechanisms they have in place, especially concerning their most important data - such as popular social media and important email accounts.

“Users also need to take as great a deal of care in choosing strong (hard to guess or brute-force) security questions for account resets as they do for main account authentication. This doesn't just extend to online accounts, it also applies to cell phone providers, utility, banking, insurance and services accounts that we use daily outside of the WWW.

“Try to ensure that you link your password resets to an account that has no obvious link to your name, business or identity – that couldn't be linked back through simple online searches.”

Jeff Man, PCI specialist at Tenable, told “Probably the greatest misconception about security is that ‘good' security means that nothing ‘bad' will ever happen. This is simply not true.

“2FA raises the bar a little more than simply having a password. But one of its big problems is that there are many ‘solutions' out there that claim to meet the two-factor threshold but in fact are forms of the same type of authentication. The bigger problem for 2FA is the notion that ‘it solves the problem, so you can set it and forget it'.”

TK Keanini, CTO at Lancope, believes the main ‘takeaway' from the hack is that attackers are continually looking for new ways to bypass stronger defences.

In an interview with SC, he said: “It's a classic example of the attacker having to innovate around higher levels of defences. As we begin to raise the strength of authentication methods, re-authentication methods are going to be exploited as they are non-standard and at the mercy of human judgment.

“The reality is that we are not securing devices, or accounts; we are having to secure technical and social systems. And, by secure, it is not just at a point in time but again and again - and this attack shows that the exact use-case where the social system and the authentication process was exploited to then compromise the system as a whole.”

Keanini added: “The positive part of this story is that notification and detection was working and the breach was not only detected in a relatively timely manner but the root cause was also identified quickly.”

Despite the vulnerability of cloud services revealed, Blakeman also retains some confidence in 2FA. He said: “I still think it's a good idea and I have it enabled on any accounts that allow it (I did before the attack). Nothing is foolproof, and nothing is perfect, but it certainly makes it a lot harder for people to get into your digital stuff when you don't want them too.”

SC contacted Google but did not receive comment by time of writing.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews