Guarding against hacking gets more complicated

My post yesterday describing someone’s attempt to get access to my Facebook account brought a very interesting response from longtime techie Ryan Ozawa.

I’m taking the liberty of reposting his comment here, both because it describes a hacking technique I’m sure most people are not aware of, and for the great advice it offers on how to defend your online accounts.

Here’s Ryan’s comment:

Two-factor authentication is a must these days, and SMS-based codes are better than nothing. But this post is pretty timely for me, in that my Instagram account was hacked and stolen last month through SIM hijacking, also known as port-out scams.

The security of SMS as a second factor (“something you have,” your phone) is only as secure as your mobile phone carrier account. Someone called AT&T, pretended to be me, and had my phone number disconnected and assigned to a phone SIM they controlled. Bam, all accounts secured by text message were vulnerable. Fortunately (!), my hacker was only after one.

This is a great series of articles on these phone hacks. The one about Instagram is exactly what happened to me.

https://motherboard.vice.com/en_us/topic/sim-hijacking

You’ll definitely want to read the one on how to protect yourself from SIM hijacking. Short version? Set a separate PIN for account changes with your mobile carrier. And don’t use SMS as a second factor if there’s another option, usually a separate authentication app like Authy or using a VOIP service as your number like Google Voice (no SIMs to hack).

I was able to get my account back, against all odds, and was lucky. I lost all my photos posted since 2010, though. Starting over now.



One thought on “Guarding against hacking gets more complicated”

  1. zzzzzz

    I’ve read about this sort of cell phone hack, and started getting the second factor PIN sent to my landline rather than cell phone whenever possible.

    I don’t know if this is any more secure, but I’m guessing the bad guys are putting more effort into figuring out how to hack cell phones than landlines.
