Hacked despite two-factor authentication

Two-factor authentication (2FA) is no final protection against being hacked unless the security of every single link in the authentication chain is guaranteed. In Grant Blakeman's case (his Instagram account was taken over), the hack appears to have started at the telephone carrier (!).

I had two-factor authentication turned on for Google […] I use 1Password and the passwords I use for each service are painfully long, complex, and unique. [Mat Honan] suggested that I check with my cell phone provider and make sure that call-forwarding had not been enabled on my number without me knowing. […] I called, and sure enough, as of Saturday morning my number had been forwarded to a number I did not recognize. Unreal. So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.

Nota bene: turn off SMS-based authentication, turn on app-based authentication.