How Activist DeRay Mckesson's Twitter Account Was Hacked

Racial justice activist DeRay Mckesson became the most recent victim of a high-profile Twitter account hack. Mckesson this week started to endorse for Donald Trump and posted a self-defamatory tweet. Later he announced that his account was hacked. What's interesting about this hack was that Mckesson had two-factor authentication enabled on "all" of his accounts. Hackers apparently resorted to a much-sophisticated attack: Hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

Social engineering is king

Just goes to show that no matter how secure your system is there is still a human who needs to be able to access it at the end of the day, and that human is vulnerable to being tricked. This does call into question exactly how lax Verizon's customer service is at verifying that they are indeed talking to the account holder. Id be interested in hearing what Verizon has to say about this incident, whether or not proper procedure was followed or not.

Verizon accounts are unsecure?!

[Gravis+Zero]

What's next, people fooling Comcast?! -_-

Re:Verizon accounts are unsecure?!

[JustAnotherOldGuy]

What's next, people fooling Comcast?! -_-

They're way ahead of you- Comcast has its own "Fool Ourselves" division. Just dial their 800 number and press any button to be connected to be connected to a fool.

Re:SMS was never true 2-factor

I know some people leave their phones laying all about, but good luck getting the SIM out of my phone without me being aware of it, or dead.

"racial justice activist" WTF?

[KiloByte]

So these days the word for "racism" is now "racial justice"?

Single-level Security Model flaw

[redelm]

Users should be able to choose their own level of security to match their individual situations (consequences). With just one provider-imposed level, the same compromises between security and useability have to be selected and imposed on all users.

For instance, a user could choose to set security very lax (pwd over phone) if they have little to protect and value convenience. Someone with something to worry about might set security very tight (long/rand pwds, resets only in meatspace with two forms of ID).

Re:WTF is DeRay Mckesson?

[mi]

The story is about the twitter account.

Well, when Sarah Palin's private e-mail was hacked, reports weren't referring to her as just a mother and grand-mother — the capacity in which she used it and, incidentally, achievements far more serious than being an awareness raiser. No, the reports were referring to her as the Governor of Alaska and a VP-contender.

The story is about the twitter account.

The story is, indeed. And yet, if they describe him, they should've listed things that make hum especially (in)famous. And, maybe, they did — must be real sad, when one's fame is based not on what one has achieved, but what was done to the person by others...

Re:SMS was never true 2-factor

[golgotha007]

> SMS was never true 2-factor

Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

Re:Trump 2016

[I'm+New+Around+Here]

It worked well for Obama.

Twice.