Steal Instagram accounts with tokens

Instagram is a social network for sharing images about you or your business. Many profiles monetize their accounts, which makes them very attractive to cyber criminals. In this article I explain how they manage to access your Instagram account by sending you a login token.

Think of a museum watchman, who lets a visitor enter the museum only if the visitor has a permit to do so. The token is that permit, the document we show the watchman to enter the museum. A token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges and, in some cases, a particular application.

Fake account-recovery SMS

The SMS shown in Fig. 1 can reach you from a Spanish number, +34 671 467 469.

Figure 1. SMS with link to recover the account

This message invites me to recover my Instagram password by clicking on the link it provides. As a general rule we should NEVER click on these links. What we have to do instead is copy the link so that we can work with it.

How to check where the link is going

The link comes from a link shortener that Instagram uses, https://ig.me, but the final part is the key: it is a series of letters that gives no clue about where it goes. We use the wheregoes page to find out where that link points.

Figure 2. 301 redirect of the link that comes in the SMS

As you would expect, it is a redirect (it comes from a shortened link). It does not lead to any suspicious page outside Instagram; it is a token of this social network. Every social network has its own tokens.
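The same check can be scripted. The following is an added example, not part of the original article: it follows a shortened link one hop at a time and stops before contacting any host that is not on Instagram. The trusted-domain list (only the two domains named in this article), the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Assumption: trust only the two Instagram domains named in the article.
TRUSTED = ("instagram.com", "ig.me")
REDIRECTS = (301, 302, 303, 307, 308)

def is_trusted(url):
    """True only for https URLs on a trusted domain or one of its subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or parts.username is not None:
        return False  # rejects http:// and https://instagram.com@other.host/
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def head(url):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=10)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=head, max_hops=10):
    """Return [(url, status, trusted)]; stops before contacting an untrusted host."""
    hops = []
    for _ in range(max_hops):
        if not is_trusted(url):
            hops.append((url, None, False))
            break
        status, location = fetch(url)
        hops.append((url, status, True))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    return hops

# Constructed sample responses (not real links): URL -> (status, Location)
SAMPLE = {
    "https://ig.me/SAMPLE1": (301, "https://www.instagram.com/SAMPLE-PATH?token=SAMPLE"),
    "https://ig.me/SAMPLE2": (301, "https://instagram.com.account-check.example/login"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```

Calling `trace(link, fetch=sample_fetch)` runs against the constructed responses offline; a chain whose last entry has `trusted` set to `False` left Instagram at that hop.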

Suspicious login on Instagram with tokens

Both the mobile version and the PC version inform me that someone has tried to access the account and show the location of the access attempt. The SMS seems to come from Spain (prefix +34); Instagram, however, informs me that the suspicious access came from California.

Figure 3. Comparison between Instagram app messages on pc (left) and pc (right)

At this point, since it obviously wasn’t me, we have to click the “It wasn’t me” button. Next we will have to change the password.

Tips to improve the security of your account

Here are some tips you can follow to help keep your account safe:

  • Choose a strong password. Use a combination of at least six numbers, letters, and punctuation marks (such as “!” and “&”). It is very important to use a unique password that you only use on Instagram. Use a password manager to do the work for you and to keep a complicated password.
  • Change your password regularly, especially when you see an Instagram message that prompts you to. As we have seen, after this SMS arrives and the subsequent login attempt is made, Instagram automatically asks us to change it.
  • Never share your password with someone you don’t know and don’t trust.
  • Turn on two-factor authentication for increased account security.
  • Make sure your email account is protected. Keep in mind that everyone who can access your email is likely to also be able to access your Instagram account. Have different passwords for social media accounts.
  • Sign out of Instagram when you use a computer or phone you share with others. It is never a good idea to access a social network in a public place. Also, if you log in to Facebook from a public computer, don’t check the “Remember password” box, as doing so will keep you connected even after you close the browser window.
  • Think about it before giving your authorization to third-party apps. It’s never a good idea unless you’ve done it yourself. If you see access to a third-party app, turn that access off.

How to know who accessed your Instagram account

At https://www.instagram.com/accounts/access_tool/ you can see all the accesses your Instagram account has had. There’s a lot of relevant information about your Instagram account, such as when you joined the platform. The most important section is privacy and security.

Figure 4. Your Instagram account details

Ways to improve your privacy and security on Instagram

The best way, as long as nothing new is discovered, is to enable a double authentication factor. To do this, go to https://www.instagram.com/accounts/two_factor_authentication/ and enable the option you want. After enabling it you will have some recovery codes that only you will be able to see, as shown in Fig. 5.

Figure 5. Double-factor privacy and security on Instagram

Authentication can be by text message sent to your mobile phone or by using an authentication app.

Summary

Stealing social media accounts through tokens is something you have to be careful about. If someone you don’t know sends you an SMS or email with a link asking you to change your account details, don’t listen to them.

It’s always a good idea to first go into the social network to see that everything is in order. The social network itself will inform you if there is any suspicious activity, and you can act from the same platform to stop it. Activating a dual authentication factor will strengthen the security of your account.