It’s a whole lot out of character for Black Lives Matter activist and politician DeRay Mckesson to proclaim support for Donald Trump.
But on Friday morning, as his friends informed him, Mckesson’s Twitter feed started spewing Trump endorsements and proclamations that “I’m not actually black.”
Of course, it turned out that Mckesson’s Twitter account had been hijacked.
That’s not terribly surprising, in light of the fact that 33 million Twitter logins were put up for sale last week.
Besides Twitter logins themselves being amassed and sold, this has proved to be the season for mega-breaches. People who reuse passwords have left multiple sites open for hijacking in the wake of recent huge breaches: 65 million Tumblr passwords here, 117 million LinkedIn accounts’ details there, and half a billion MySpace passwords to (no pun intended) trump them all.
But as Mckesson came to find out, the problem wasn’t that he’d neglected to change passwords after one of those breaches, nor that he’d reused the same password across different sites.
In fact, he was doing what security people, and Twitter, tell people to do: he was using two-factor authentication (2FA) to protect his account.
Yet still, in spite of good security hygiene, as has happened to plenty of celebrities before him – Mark Zuckerberg being the latest – somebody managed to take control of Mckesson’s account.
After he regained control of his Twitter account, he explained that the attackers managed to do the deed by convincing Verizon to reset his SIM. That way, the hijacker or hijackers managed to set it up so they could intercept text messages intended for Mckesson and thereby bypass the 2FA that otherwise should have kept his account secure.
By calling @verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray mckesson (@deray) June 10, 2016
There was social engineering involved: the hacker(s) called Verizon’s billing department and impersonated him. Then, they redirected his phone service to their own phone, so that calls and texts that should have gone to Mckesson’s number went instead to theirs.
Then, they used Twitter’s password reset feature, which relies on authorization codes sent via SMS to a phone. In other words, they didn’t need Mckesson’s password: all they needed was the last four digits of his taxpayer ID and his name to lock him out of his account.
There are ways to fight off such an attack. The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, described how you can fight off identity thieves who try to take over your mobile phone account.
In fact, a few weeks prior to her post, Cranor herself had her account exploited when somebody walked into a mobile phone store, claimed to be her, asked to upgrade her mobile phones, and walked out with two brand new iPhones assigned to her telephone numbers.
My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.
Phone account hijacking is a growing problem: it’s doubled over the past three years to the point that as of January 2016, these incidents accounted for 6.3% of all identity thefts.
All four major US carriers have been involved in these cases. But all four of them also offer an important step to protect against identity theft. Namely, you can set up a password or PIN that’s required before any changes are made to your mobile account.
Here’s how to do it with the major carriers, according to the FTC:
AT&T offers a feature it refers to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store, will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note that when you log in online with your passcode, you may be presented with the option to not be asked for it again. Don’t accept! You’ll just undo the extra security.
Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.
T-Mobile allows customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.
Verizon allows customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.
If you’re outside the US, check with your phone carrier about extra security on accounts.
I really don’t like 2FA via SMS; I would rather Twitter gave the option to use an authentication app like Google’s.
I agree about 2FA via SMS – I see it mostly as a scam for the data aggregators to add your mobile number to their tracking system so they can tie your physical movements to your electronic movements. Until we have some meaningful protection against this kind of stalking I won’t use SMS 2FA. I happily bought a Yubico key to validate PayPal payments and it works well; it just gripes me no end that so few accounts permit this type of 2FA. But, I guess there is no advertising money to be made from Yubico-style authentication.
YubiKeys are also physical keys. The problem, I would imagine, is that very few people are going to buy hard tokens for personal use both due to a lack of convenience and having to carry around a token, but everyone has a cell phone. Most companies aren’t going to support a variety of standards that aren’t going to be utilized and circumventing SMS 2FA is fairly unlikely.
Hard tokens are great for the workplace, but are impractical for the average user. There’s always the trade-off between convenience and privacy/security for the average user.
Most of the hardware tokens you can carry on a keychain. Not sure what is so hard about that?
If you can change one factor using only the second factor, then it isn’t really 2FA.
More of an indictment of Verizon than of Twitter. Whatever the social engineering done, VZ could have easily seen that Mckesson’s current phone was still on the network and done a little homework.
Definitely, the verification of an additional secret sent via SMS is not 2FA. It is simply two-step verification. Per the latest news, such a procedure is going to be deprecated in NIST’s new Digital Authentication guideline.
The advantage of SMS over an app-based token sequence (like Google Authenticator) that you type in on the same device where you are logging in is that there is no shared secret “seed” that generates the SMS codes (they can just be random each time). A one-time compromise of the authenticator seed lets a crook clone your whole token sequence indefinitely.
Ideally an SMS system would require an answer *via the mobile network* (so the request and the reply are both via a second communications channel). Some South African banks do something like this, for example, but I don’t know of it catching on elsewhere.
So realistically we need a second handset with just the authenticator on it or a specialized hardware authenticator.
What I think is a bigger crime is that they don’t give you options for different types of MFA based on your personal requirements.
Ouch!
In the Lorrie Cranor example at least, surely it would make sense to require customers to present some form of official proof of identity before allowing them to change an account?
Make it the company’s responsibility to verify the customer’s identity; don’t blame the customer for not setting up extra security restrictions that the company will then ignore!