Slashdot Mirror


How Activist DeRay Mckesson's Twitter Account Was Hacked

Racial justice activist DeRay Mckesson became the most recent victim of a high-profile Twitter account hack. Mckesson this week started to endorse Donald Trump and posted a self-defamatory tweet. Later he announced that his account was hacked. What's interesting about this hack was that Mckesson had two-factor authentication enabled on "all" of his accounts. Hackers apparently resorted to a much-sophisticated attack: Hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

86 comments

  1. Trump 2016 by Anonymous Coward · · Score: 1, Interesting

    Just sayin'

    1. Re: Trump 2016 by Anonymous Coward · · Score: 0

      So wait ... Trump _isn't_ a racist now? Or he _is_ now? I'm confused.

    2. Re:Trump 2016 by Anonymous Coward · · Score: 0

      That was not me. My account has been hacked.

    3. Re:Trump 2016 by burni2 · · Score: 0

      I hope he gets elected.

      Not because I like him, but I think that people abiding by Trump's Newspeak and not by common sense deserve a fair share of their own medicine - Trump is the overlord of Newspeak.

      Meaning: Earlier or Later Trump will use his Newspeak also against his prior supporters.

      War is peace
      Freedom is slavery
      Ignorance is Strength

    4. Re:Trump 2016 by sumdumass · · Score: 1

      The alternative is much worse. I'd rather be disappointed by an idiot than played a fool by some sinister evil whose best qualification to date is being the first woman president.

      It is not like we have an outstanding field to choose from. I'm not a Trump supporter and could be considered a Hillary opposer, which makes Trump support a necessity at this point I guess. But most of the Trump supporters I talk to already admit he will not do half of what he says. They claim he pushes for stuff that is unacceptable in order to have his real agenda/terms accepted.

    5. Re:Trump 2016 by Anonymous Coward · · Score: 0

      But most of the Trump supporters I talk to already admit he will not do half of what he says. They claim he pushes for stuff that is unacceptable in order to have his real agenda/terms accepted.

      So basically he's just totally lying to get idiots to go along?

      That's a pretty bad option there.

    6. Re:Trump 2016 by Anonymous Coward · · Score: 1

      But most of the Trump supporters I talk to already admit he will not do half of what he says.

      So these Trump supporters think he's lying to everyone else, but they're the special people who know when he's telling the truth.

    7. Re:Trump 2016 by I'm+New+Around+Here · · Score: 2, Insightful

      It worked well for Obama.

      Twice.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    8. Re: Trump 2016 by Anonymous Coward · · Score: 0

      Change, anybody got any spare change? Change? Change?

      - zombies, South Park

    9. Re: Trump 2016 by Anonymous Coward · · Score: 0

      Oh come on, you know he really wanted to close Guantanamo but congress wouldn't let him.

    10. Re: Trump 2016 by Anonymous Coward · · Score: 0

      With Trump it's hard to know when he's telling the truth but thankfully with Hillary it's much easier because she never does it.

    11. Re: Trump 2016 by Anonymous Coward · · Score: 0

      Hmm let's find out by comparing how many brownish people's deaths him and his opponent have been involved in.

      He is the better choice unfortunately. Vote Trump or don't vote.

    12. Re:Trump 2016 by sumdumass · · Score: 1

      I don't know, he is playing you like a fiddle. You are all upset and butt hurt over it speaking all about it. Maybe it is just publicity to get him free support when you go off.

      Trump even said in an interview that he always asked for way more than he knows he can get so it looks like major concessions when he settles for what he really wanted. It may be lying to get the idiots to go along, but I don't think those idiots are who _you_ think they are. If he is elected, I can see a lot of people proudly proclaiming they stopped Trump's idiocy in congress or something when a law he wants passed is watered down quite a bit. They will walk around patting themselves on the back not realizing they did what he wanted in the first place.

      But it is a game I guess. One that he seems to be playing well.

    13. Re:Trump 2016 by sumdumass · · Score: 1

      That could be, or they could have read his book which explains this reasoning quite well.

      Have you ever had a conversation with a Trump supporter where you weren't trying to antagonize each other? You should try it some time and actually listen to them. Some are complete loons, some act that way to get your goat, some see the clever ruse in it all.

    14. Re: Trump 2016 by Anonymous Coward · · Score: 0

      Best qualifications? Wtf.

      I must have missed where Trump worked in government.

      Glad I'm not American, but sucks that the rest of the world is going to feel the negative effects if Trump is elected.

    15. Re:Trump 2016 by Maritz · · Score: 1

      One that he seems to be playing well.

      Yeah. He bet on the american electorate being even fucking stupider than him, and he's right. Give yourselves some medals.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    16. Re:Trump 2016 by Anonymous Coward · · Score: 0

      Trump's epic landslide loss will be the most enjoyable thing I'll ever experience in my life. I actually have a bottle of champagne saved for the moment.

      The only problem is that shit-eating morons like you will still be around after he's long gone. Such a shame, but hopefully such a disastrous loss will convince many of you what idiots you were and maybe you'll begin to change your ways and reintegrate with the sane people in society, where we don't tolerate bigotry, racism, and all-around assholity.

    17. Re:Trump 2016 by Coren22 · · Score: 1

      As opposed to those getting ready to elect someone who committed multiple felonies while head of the state department, and married to a serial rapist that she continues to defend?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    18. Re:Trump 2016 by Anonymous Coward · · Score: 0

      Coren22 back up your alleged self-proclaimed professional status in security + programming. Your evasions are good for laughs https://slashdot.org/comments.pl?sid=9229319&cid=52314773 @ your expense, hahahaha!

  2. SMS was never true 2-factor by Anonymous Coward · · Score: 1

    Enough said.

    1. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 0

      Some two-factor authentication systems can be reset or otherwise bypassed through text message services.

    2. Re:SMS was never true 2-factor by hsmith · · Score: 1

      If all I have to do is pop your SIM out of your phone and put it in mine, it isn't much of an authentication factor.

    3. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 2, Insightful

      I know some people leave their phones laying all about, but good luck getting the SIM out of my phone without me being aware of it, or dead.

    4. Re:SMS was never true 2-factor by 0100010001010011 · · Score: 1

      For all the stuff I *really* need 2-factor on, I use an old cell phone with custom firmware, not connected to anything, and Google Authenticator.

    5. Re:SMS was never true 2-factor by golgotha007 · · Score: 2

      > SMS was never true 2-factor

      Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

      SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

    6. Re:SMS was never true 2-factor by Z00L00K · · Score: 1

      In which case they aren't true 2-factor anymore.

      But in this case someone really wanted to hack his account.

      It also highlights that you shall never ever trust what anyone writes when it comes to controversial stuff. I sometimes don't even trust myself.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:SMS was never true 2-factor by Z00L00K · · Score: 1

      In this case it's not tied to a physical device, it's tied to a subscription that's tied to a physical device and the intruder re-routed the subscription to a device he possessed.

      At best a SMS solution is a 1.5 factor.

      I can also imagine apps hijacking text messages given certain conditions allowing an intruder to use your device to gain access.

      This is why I don't use banking apps in my phone.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 0

      They didn't take the SIM card out, they had Verizon reassociate the SIM for Deray's phone number with their own SIM number, allowing them to essentially turn their phone into his.

      This attack is pretty hard to understand unless you've actually played with GSM and understand how phone numbers and SIMs are associated. The phone number is just a pointer to the SIM card, and the carrier can arbitrarily change the SIM associated with a phone number.

    9. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 1

      I know what you mean, but was replying to hsmith's comment.

    10. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 0

      It's a knowledge factor as it can be intercepted without someone knowing and without having the destination device. A card will have a secure chip/processor which interacts with the ATM and is hardened against a series of attacks, SMS is not designed to be a secure channel.

    11. Re:SMS was never true 2-factor by allo · · Score: 1

      SMS is only to spy on you. A dataset with a phone number is worth ten times a dataset without, because companies can link it with datasets from other companies.
      Do you know analytics.twitter.com? Go look at what your audience looks like. You can see if people are interested in buying automobiles, etc. Stuff people never twittered? Why? Because Twitter cooperates with ad companies, which return your interests when Twitter gives them your phone number. And they aggregate from many different services, which have your number.
      True 2FA without any side effects is Google Authenticator (which is an offline solution, even if the name doesn't sound like it). You can have it on your PC, phone or even smartwatch. OTP codes are just generated based on a secret start code and the current time.

    12. Re:SMS was never true 2-factor by Cramer · · Score: 1

      Actually, the pathetic thing is just how easy it is to do this. Verizon store minions don't do jack to verify anything. When I replaced my lost SIM (lost the whole tablet), it took all of 11s, "I lost the tablet that had the SIM in it. Here's the phone number." No name asked for, no ID asked for, NOTHING AT ALL. Drone walks off to get a new SIM.

    13. Re:SMS was never true 2-factor by Coren22 · · Score: 1

      Whenever I went into a VZ store, they always asked for the last four of the account holder's social. Perhaps you just went into a poorly trained store?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    14. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 0

      Coren22 back up your alleged self-proclaimed professional status in security + programming. Your evasions are good for laughs https://slashdot.org/comments.... @ your expense, hahahaha!

  3. Social engineering is king by Anonymous Coward · · Score: 2, Informative

    Just goes to show that no matter how secure your system is there is still a human who needs to be able to access it at the end of the day, and that human is vulnerable to being tricked. This does call into question exactly how lax Verizon's customer service is at verifying that they are indeed talking to the account holder. I'd be interested in hearing what Verizon has to say about this incident, whether or not proper procedure was followed.

  4. Verizon accounts are unsecure?! by Gravis+Zero · · Score: 3, Funny

    What's next, people fooling Comcast?! -_-

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Verizon accounts are unsecure?! by JustAnotherOldGuy · · Score: 4, Funny

      What's next, people fooling Comcast?! -_-

      They're way ahead of you- Comcast has its own "Fool Ourselves" division. Just dial their 800 number and press any button to be connected to be connected to a fool.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Verizon accounts are unsecure?! by fustakrakich · · Score: 1

      Lucky you. At least you got connected to something

      --
      “He’s not deformed, he’s just drunk!”
  5. Don't understand by johnw · · Score: 1

    What does "much-sophisticated" mean?

    1. Re:Don't understand by 110010001000 · · Score: 1

      It is sophisticated only much more. Much-morely-sophisticated is the proper term I think.

    2. Re:Don't understand by freeze128 · · Score: 0

      It means that the two-factor authentication wasn't bypassed, like it said in the summary. Instead, it was COMPROMISED.

    3. Re:Don't understand by amiga3D · · Score: 0

      That's why people come here, for shitty journalism. If they wanted real journalism they'd invent a time machine since it's been decades since that existed.

    4. Re:Don't understand by Maritz · · Score: 1

      What does "much-sophisticated" mean?

      It is similar to regular sophistication, except that it is also much.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  6. Mckesson by rossdee · · Score: 1

    Any relation to the medical supply company?
    the family that owns that must be billionaires.

    1. Re: Mckesson by Anonymous Coward · · Score: 0

      Idle, silver spoon children are usually the worst when it comes to telling other people how to act or what to do.

    2. Re: Mckesson by Anonymous Coward · · Score: 0

      DeRay is black. That should tell you enough.

    3. Re: Mckesson by Anonymous Coward · · Score: 0

      Does this guy really look like he was born with a silver spoon?

    4. Re: Mckesson by Anonymous Coward · · Score: 0

      He looks like a dead ringer for the guy who was stirring shit up at Mizzou who is worth $20 million.

    5. Re: Mckesson by Anonymous Coward · · Score: 0

      That just shows how bad you are judging people then. His parents were no name drug addicts (not the functional rich white addicts kind, the shitty kind). He was born with no silver spoon. And no, he is not known for stirring shit up.

      Just eat your humble pie. You were wrong, admit it and move on.

    6. Re: Mckesson by LynnwoodRooster · · Score: 1

      That's racist, you know...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    7. Re: Mckesson by Anonymous Coward · · Score: 0

      The $20 million kid IS black, dumbass.

      You're the one who is wrong & needs to eat humble pie.

    8. Re: Mckesson by Anonymous Coward · · Score: 0

      The $20 million kid may be black or blue, I don't give a damn. This guy is not that guy, you fucking doofus.

  7. "racial justice activist" WTF? by KiloByte · · Score: 4, Interesting

    So these days the word for "racism" is now "racial justice"?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:"racial justice activist" WTF? by Anonymous Coward · · Score: 0

      "Equal but separate" is the message flowing from that definition, with as much foam as the Zambezi and as much malice as Apartheid.

    2. Re:"racial justice activist" WTF? by Anonymous Coward · · Score: 1, Insightful

      A brave slashdot fucktard is here to save us from people who point out racism is still a problem. Tip of the fedora, kind sir!!!

  8. Day of Rest by PopeRatzo · · Score: 1, Troll

    This story about DeRay Mckesson has been on Slashdot for over half an hour on a Sunday morning and there still aren't any blatantly racist posts.

    They must all be in church or a Trump rally.

    --
    You are welcome on my lawn.
    1. Re: Day of Rest by PopeRatzo · · Score: 1, Troll

      Yeah, I guess it's too early for a Trump rally.

      --
      You are welcome on my lawn.
    2. Re:Day of Rest by Anonymous Coward · · Score: 0

      They are all posting about Trump's vindication on mainstream news sites.

      When you set up a cowardly, bigoted, idiotic, hateful political movement that advances every time your cowardly, bigoted, idiotic, hateful enemy attacks, you win.

    3. Re:Day of Rest by Anonymous Coward · · Score: 0

      The world can be complicated and scary at times. To make things easier for your brain to comprehend, just keep telling yourself that everyone who wants to vote for a candidate other than your own all base their reasoning in "racism" or "bigotry" or "xenophobia" or whatever other simplistic label makes you feel safe and secure when you go to bed at night.

  9. twitter wasn't hacked... by Anonymous Coward · · Score: 0

    verizon was.

    really? doing this sort of thing over the phone? fucking idiots. at least require a store visit.

  10. WTF is DeRay Mckesson? by mi · · Score: 1, Offtopic

    Racial justice activist DeRay Mckesson

    Is this — his being a "Racial Justice Activist" — the best way to describe a person? The supposed profession seems straight out of the Onion's polls — along with other gems like "Grammar Innovator" and "Cactus Purchaser".

    Seriously, has he done something more profound in his life than raising awareness and, if he did, why is not that mentioned in the write-up instead?

    Well, at least now I have heard of the guy — the hack and /. have achieved for him, what his "activity" itself was never able to...

    --
    In Soviet Washington the swamp drains you.
    1. Re:WTF is DeRay Mckesson? by mjm1231 · · Score: 1

      The article is describing them in relation to the twitter account, which, it seems, was primarily used for racial justice activism. I've never heard of this person before either, but I could give two shits if the actual person is a plumber or a mailman the rest of the day. The story is about the twitter account.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
    2. Re:WTF is DeRay Mckesson? by mi · · Score: 2

      The story is about the twitter account.

      Well, when Sarah Palin's private e-mail was hacked, reports weren't referring to her as just a mother and grand-mother — the capacity in which she used it and, incidentally, achievements far more serious than being an awareness raiser. No, the reports were referring to her as the Governor of Alaska and a VP-contender.

      The story is about the twitter account.

      The story is, indeed. And yet, if they describe him, they should've listed things that make him especially (in)famous. And, maybe, they did — must be real sad, when one's fame is based not on what one has achieved, but what was done to the person by others...

      --
      In Soviet Washington the swamp drains you.
    3. Re:WTF is DeRay Mckesson? by fustakrakich · · Score: 1

      OMG! This guy?! He's more phony than Jesse Jackson. A typical subway scammer. And he's not even entertaining. Too bad people are falling for this shit. I think somebody like Soros or Koch is putting up some money. This stuff can't possibly make it on its own. Not when there's real tweets worth reading

      --
      “He’s not deformed, he’s just drunk!”
  11. Single-level Security Model flaw by redelm · · Score: 4, Interesting

    Users should be able to choose their own level of security to match their individual situations (consequences). With just one provider-imposed level, the same compromises between security and useability have to be selected and imposed on all users.

    For instance, a user could choose to set security very lax (pwd over phone) if they have little to protect and value convenience. Someone with something to worry about might set security very tight (long/rand pwds, resets only in meatspace with two forms of ID).

    1. Re:Single-level Security Model flaw by aaarrrgggh · · Score: 1

      I would say the 2fa via SMS is a very weak level of protection and should be understood as such. Ideally you would have challenge/response on the phone to get the authorization code, plus a password for the account-- if you must use the phone.

      Personally I would much rather use an RSA-ID or Yubikey as my "something I have".

    2. Re:Single-level Security Model flaw by redelm · · Score: 1

      Agreed. Even if the phone is secure (does not flash SMS when locked), the channel is not -- SMS are unencrypted. Even challenge / response is subject to intercept & replay / frontrunning if without a passwd.

    3. Re:Single-level Security Model flaw by MatthiasF · · Score: 1

      I disagree, the issue here is the fact the SMS is being managed by a third party.

      If you want each factor of your security identity to be secure, you need to manage it yourself.

      That means not using a free email account from someone else and using your own VOIP setup for SMS or audio confirmations.

      The issue is not the technology, but allowing others to access the systems hosting your security mediums.

    4. Re: Single-level Security Model flaw by Anonymous Coward · · Score: 0

      and it's one factor auth in these cases. not two.

  12. One-size-fits-all security not good enough by Anonymous Coward · · Score: 0

    The defense must match the threat. SMS "two factor" authentication is good enough for accounts with 100 followers, all family, friends and acquaintances of the nobody account holder. It's not good enough for people who have actual enemies.

  13. it wuz haxx0rz! by Anonymous Coward · · Score: 0

    "We don't know shit so we blame the bogeymen with their bogeyman-doings."

    This is very useful. This way I know for a fact that the piece is empty fluffy nitwittery and needs burning before it touches the mind of the young and the gullible. BURN THAT SUCKER DOWN. For public safety.

  14. Never heard of him by Anonymous Coward · · Score: 0

    but he sounds like a dick.

    1. Re:Never heard of him by Anonymous Coward · · Score: 0

      That's because liberal SJWs are. Just look at most of the registered posters here for proof.

  15. Uhm.... by Anonymous Coward · · Score: 0

    There's a bit more to it than this.

    Twitter doesn't use SMS. SMS would be the only way that this "worked" as claimed.

    I'm calling bullshit on what we're getting told here (Past "hacked" which I might believe...this, this is utter BULLSHIT.)

  16. Re:whickey tango foxtrot by Anonymous Coward · · Score: 0, Insightful

    What the frick has happened to this site? I know slashdot has always been left leaning, but this...

    "Racial justice activist DeRay Mckesson became the most recent victim of a high-profile Twitter account hack."

    This man advocates violence against whites. This man advocates killing whites. This man is as much of a racist as the people he whines about--moreso, because most whites do not go on rants on the internet using their real identities about killing blacks. And before you claim it's satire, it isn't. If you say it's "harmless" or "balancing the scales" or some other nonsense about how this is okay for him to do because he's black, then you are a hypocrite arguing for special pleading.

    He deserves exactly as much attention as you would afford someone from, say, coontown in your news feed: none.

    Racism and violence are OK if you're on the Left. In fact it's celebrated.

    Because you're on the 'correct' side and the ends justify the means, just as they always have with the Left.

    Just listen to a Louis Farrakhan speech or a New Black Panthers speech, or heck, even Obama's long-time (until people started paying attention) minister Rev. Wright.

    Compared to them, Trump is a racial peace-maker.

  17. What?!? by Anonymous Coward · · Score: 0

    "Hackers apparently resorted to a much-sophisticated attack: Hacker or hackers were able to take over by convincing Verizon to reset his SIM."

    Convincing a 'tard at Verizon to break some company rules? How in the fuck is this even remotely considered sophisticated. Or a hack for that matter?

  18. Re:whickey tango foxtrot by Anonymous Coward · · Score: 0
    > has always been left leaning

    No, it used to be 'news for nerds' with science stories and geeky projects that people were doing. Then .yro was added and it became a place to complain. All the future innovators of society left.

  19. ignore the stupid humans at your peril by Anonymous Coward · · Score: 0

    if they have little to protect and value convenience.

    humans are really, really bad at making these sorts of determinations, they don't understand the risks, they don't have enough info to decide.

  20. Re:whickey tango foxtrot by Anonymous Coward · · Score: 0

    This is not YRO, you fucktard. TFA using SMS not being secure is newsworthy, and belongs in tech.slashdot.org.

  21. Why I don't want "internet-enabled" cloud crap. by knorthern+knight · · Score: 1

    Going off on a bit of a tangent about IOT, but it is relevant. OK, cellphones have to be controlled by the cellphone provider.

    But do you like the fact that your GM car can be de-activated from the cloud (Onstar)?

    Do you want "Cloud connect" controlling your home router (Linksys; withdrawn quickly after backlash)? https://tech.slashdot.org/stor...

    Do you like spending good money on a home light controller (Revolv), only to have it bricked when the new owners after an acquisition decide they can't be bothered with it? https://yro.slashdot.org/story...

    Anything "in the cloud" is susceptible to some minimum-wage level-1 helpdesk employee in Mumbai being fast-talked into handing over your password. You need to keep 100% control over as much of your possessions as possible.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  22. Re:whickey tango foxtrot by Maritz · · Score: 1

    This man advocates violence against whites. This man advocates killing whites.

    I've been following his twitter for a few years. Can you link me some of that? I must have missed that.

    Seriously, do so.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.