Slashdot Mirror


How Activist DeRay Mckesson's Twitter Account Was Hacked

Racial justice activist DeRay Mckesson became the most recent victim of a high-profile Twitter account hack. This week Mckesson's account started endorsing Donald Trump and posted a self-defamatory tweet; he later announced that the account had been hacked. What's interesting about this hack is that Mckesson had two-factor authentication enabled on "all" of his accounts. The hackers apparently resorted to a much-sophisticated attack: the hacker or hackers were able to take over the account by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive the text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

42 of 86 comments

  1. Trump 2016 by Anonymous Coward · · Score: 1, Interesting

    Just sayin'

    1. Re:Trump 2016 by sumdumass · · Score: 1

      The alternative is much worse. I'd rather be disappointed by an idiot than played a fool by some sinister evil whose best qualification to date is being the first woman president.

      It is not like we have an outstanding field to choose from. I'm not a Trump supporter and could be considered a Hillary opposer, which makes Trump support a necessity at this point, I guess. But most of the Trump supporters I talk to already admit he will not do half of what he says. They claim he pushes for stuff that is unacceptable in order to have his real agenda/terms accepted.

    2. Re:Trump 2016 by Anonymous Coward · · Score: 1

      But most of the trump supporters i talk to already admit he will not do half of what he says.

      So these Trump supporters think he's lying to everyone else, but they're the special people who know when he's telling the truth.

    3. Re:Trump 2016 by I'm New Around Here · · Score: 2, Insightful

      It worked well for Obama.

      Twice.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    4. Re:Trump 2016 by sumdumass · · Score: 1

      I don't know, he is playing you like a fiddle. You are all upset and butt hurt over it speaking all about it. Maybe it is just publicity to get him free support when you go off.

      Trump even said in an interview that he always asked for way more than he knows he can get so it looks like major concessions when he settles for what he really wanted. It may be lying to get the idiots to go along, but I don't think those idiots are who _you_ think they are. If he is elected, I can see a lot of people proudly proclaiming they stopped Trump's idiocy in congress or something when a law he wants passed is watered down quite a bit. They will walk around patting themselves on the back not realizing they did what he wanted in the first place.

      But it is a game I guess. One that he seems to be playing well.

    5. Re:Trump 2016 by sumdumass · · Score: 1

      That could be, or they could have read his book which explains this reasoning quite well.

      Have you ever had a conversation with a Trump supporter where you weren't trying to antagonize each other? You should try it some time and actually listen to them. Some are complete loons, some act that way to get your goat, some see the clever ruse in it all.

    6. Re:Trump 2016 by Maritz · · Score: 1

      One that he seems to be playing well.

      Yeah. He bet on the american electorate being even fucking stupider than him, and he's right. Give yourselves some medals.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    7. Re:Trump 2016 by Coren22 · · Score: 1

      As opposed to those getting ready to elect someone who committed multiple felonies while head of the state department, and married to a serial rapist that she continues to defend?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  2. SMS was never true 2-factor by Anonymous Coward · · Score: 1

    Enough said.

    1. Re:SMS was never true 2-factor by hsmith · · Score: 1

      If all i have to do is pop your sim out of your phone and put it in mine, it isn't much of an authentication factor

    2. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 2, Insightful

      I know some people leave their phones laying all about, but good luck getting the SIM out of my phone without me being aware of it, or dead.

    3. Re:SMS was never true 2-factor by 0100010001010011 · · Score: 1

      For all my stuff that I *really* need 2-factor on, I use an old cell phone with custom firmware, not connected to anything, and Google Authenticator.

    4. Re:SMS was never true 2-factor by golgotha007 · · Score: 2

      > SMS was never true 2-factor

      Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

      SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

    5. Re:SMS was never true 2-factor by Z00L00K · · Score: 1

      In which case they aren't true 2-factor anymore.

      But in this case someone really wanted to hack his account.

      It also highlights that you shall never ever trust what anyone writes when it comes to controversial stuff. I sometimes don't even trust myself.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re:SMS was never true 2-factor by Z00L00K · · Score: 1

      In this case it's not tied to a physical device, it's tied to a subscription that's tied to a physical device and the intruder re-routed the subscription to a device he possessed.

      At best a SMS solution is a 1.5 factor.

      I can also imagine apps hijacking text messages given certain conditions allowing an intruder to use your device to gain access.

      This is why I don't use banking apps in my phone.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:SMS was never true 2-factor by Anonymous Coward · · Score: 1

      I know what you mean, but was replying to hsmith's comment.

    8. Re:SMS was never true 2-factor by allo · · Score: 1

      SMS is only there to spy on you. A dataset with a phone number is worth ten times a dataset without one, because companies can link it with datasets from other companies.
      Do you know analytics.twitter.com? Go look at what your audience looks like. You can see if people are interested in buying automobiles, etc. Stuff people never tweeted? Why? Because Twitter cooperates with ad companies, which return your interests when Twitter gives them your phone number. And they aggregate from many different services which have your number.
      True 2FA without any side effects is Google Authenticator (which is an offline solution, even if the name doesn't sound like it). You can have it on your PC, phone or even smartwatch. OTP codes are just generated from a secret start code and the current time.

    9. Re:SMS was never true 2-factor by Cramer · · Score: 1

      Actually, the pathetic thing is just how easy it is to do this. Verizon store minions don't do jack to verify anything. When I replaced my lost SIM (lost the whole tablet), it took all of 11s, "I lost the tablet that had the SIM in it. Here's the phone number." No name asked for, no ID asked for, NOTHING AT ALL. Drone walks off to get a new SIM.

    10. Re:SMS was never true 2-factor by Coren22 · · Score: 1

      Whenever I went into a VZ store, they always asked for the last four of the account holder's social. Perhaps you just went into a poorly trained store?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. Social engineering is king by Anonymous Coward · · Score: 2, Informative

    Just goes to show that no matter how secure your system is, there is still a human who needs to be able to access it at the end of the day, and that human is vulnerable to being tricked. This does call into question exactly how lax Verizon's customer service is at verifying that they are indeed talking to the account holder. I'd be interested in hearing what Verizon has to say about this incident, and whether or not proper procedure was followed.

  4. Verizon accounts are unsecure?! by Gravis Zero · · Score: 3, Funny

    What's next, people fooling Comcast?! -_-

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Verizon accounts are unsecure?! by JustAnotherOldGuy · · Score: 4, Funny

      What's next, people fooling Comcast?! -_-

      They're way ahead of you. Comcast has its own "Fool Ourselves" division. Just dial their 800 number and press any button to be connected to a fool.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Verizon accounts are unsecure?! by fustakrakich · · Score: 1

      Lucky you. At least you got connected to something

      --
      “He’s not deformed, he’s just drunk!”
  5. Don't understand by johnw · · Score: 1

    What does "much-sophisticated" mean?

    1. Re:Don't understand by 110010001000 · · Score: 1

      It is sophisticated only much more. Much-morely-sophisticated is the proper term I think.

    2. Re:Don't understand by Maritz · · Score: 1

      What does "much-sophisticated" mean?

      It is similar to regular sophistication, except that it is also much.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  6. Mckesson by rossdee · · Score: 1

    Any relation to the medical supply company?
    the family that owns that must be billionaires.

    1. Re: Mckesson by LynnwoodRooster · · Score: 1

      That's racist, you know...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  7. "racial justice activist" WTF? by KiloByte · · Score: 4, Interesting

    So these days the word for "racism" is now "racial justice"?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:"racial justice activist" WTF? by Anonymous Coward · · Score: 1, Insightful

      A brave slashdot fucktard is here to save us from people who point out racism is still a problem. Tip of the fedora, kind sir!!!

  8. Day of Rest by PopeRatzo · · Score: 1, Troll

    This story about DeRay Mckesson has been on Slashdot for over half an hour on a Sunday morning and there still aren't any blatantly racist posts.

    They must all be in church or a Trump rally.

    --
    You are welcome on my lawn.
    1. Re: Day of Rest by PopeRatzo · · Score: 1, Troll

      Yeah, I guess it's too early for a Trump rally.

      --
      You are welcome on my lawn.
  9. WTF is DeRay Mckesson? by mi · · Score: 1, Offtopic

    Racial justice activist DeRay Mckesson

    Is this — his being a "Racial Justice Activist" — the best way to describe a person? The supposed profession seems straight out of the Onion's polls — along with other gems like "Grammar Innovator" and "Cactus Purchaser".

    Seriously, has he done something more profound in his life than raising awareness and, if he did, why is not that mentioned in the write-up instead?

    Well, at least now I have heard of the guy — the hack and /. have achieved for him, what his "activity" itself was never able to...

    --
    In Soviet Washington the swamp drains you.
    1. Re:WTF is DeRay Mckesson? by mjm1231 · · Score: 1

      The article is describing them in relation to the twitter account, which, it seems, was primarily used for racial justice activism. I've never heard of this person before either, but I could give two shits if the actual person is a plumber or a mailman the rest of the day. The story is about the twitter account.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
    2. Re:WTF is DeRay Mckesson? by mi · · Score: 2

      The story is about the twitter account.

      Well, when Sarah Palin's private e-mail was hacked, reports weren't referring to her as just a mother and grandmother, the capacity in which she used it and, incidentally, achievements far more serious than being an awareness raiser. No, the reports were referring to her as the Governor of Alaska and a VP contender.

      The story is about the twitter account.

      The story is, indeed. And yet, if they describe him, they should've listed things that make him especially (in)famous. And, maybe, they did. Must be real sad when one's fame is based not on what one has achieved, but on what was done to the person by others...

      --
      In Soviet Washington the swamp drains you.
    3. Re:WTF is DeRay Mckesson? by fustakrakich · · Score: 1

      OMG! This guy?! He's more phony than Jesse Jackson. A typical subway scammer. And he's not even entertaining. Too bad people are falling for this shit. I think somebody like Soros or Koch is putting up some money. This stuff can't possibly make it on its own. Not when there are real tweets worth reading.

      --
      “He’s not deformed, he’s just drunk!”
  10. Single-level Security Model flaw by redelm · · Score: 4, Interesting

    Users should be able to choose their own level of security to match their individual situations (consequences). With just one provider-imposed level, the same compromises between security and useability have to be selected and imposed on all users.

    For instance, a user could choose to set security very lax (pwd over phone) if they have little to protect and value convenience. Someone with something to worry about might set security very tight (long/rand pwds, resets only in meatspace with two forms of ID).

    1. Re:Single-level Security Model flaw by aaarrrgggh · · Score: 1

      I would say the 2fa via SMS is a very weak level of protection and should be understood as such. Ideally you would have challenge/response on the phone to get the authorization code, plus a password for the account-- if you must use the phone.

      Personally I would much rather use an RSA-ID or YubiKey as my "something I have".

    2. Re:Single-level Security Model flaw by redelm · · Score: 1

      Agreed. Even if the phone is secure (does not flash SMS when locked), the channel is not -- SMS are unencrypted. Even challenge / response is subject to intercept & replay / frontrunning if without a passwd.

    3. Re:Single-level Security Model flaw by MatthiasF · · Score: 1

      I disagree, the issue here is the fact the SMS is being managed by a third party.

      If you want each factor of your security identity to be secure, you need to manage it yourself.

      That means not using a free email account from someone else and using your own VOIP setup for SMS or audio confirmations.

      The issue is not the technology, but allowing others to access the systems hosting your security mediums.

  11. Why I don't want "internet-enabled" cloud crap. by knorthern knight · · Score: 1

    Going off on a bit of a tangent about IOT, but it is relevant. OK, cellphones have to be controlled by the cellphone provider.

    But do you like the fact that your GM car can be de-activated from the cloud (Onstar)?

    Do you want "Cloud connect" controlling your home router (Linksys; withdrawn quickly after backlash)? https://tech.slashdot.org/stor...

    Do you like spending good money on a home light controller (Revolv), only to have it bricked when the new owners after an acquisition decide they can't be bothered with it? https://yro.slashdot.org/story...

    Anything "in the cloud" is susceptible to some minimum-wage level-1 helpdesk employee in Mumbai being fast-talked into handing over your password. You need to keep 100% control over as much of your possessions as possible.

    --
    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  12. Re:whickey tango foxtrot by Maritz · · Score: 1

    This man advocates violence against whites. This man advocates killing whites.

    I've been following his twitter for a few years. Can you link me some of that? I must have missed that.

    Seriously, do so.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.