DeRay Mckesson’s Twitter account hacked with just his name and four digits

It’s a whole lot out of character for Black Lives Matter activist and politician DeRay Mckesson to proclaim support for Donald Trump.

But on Friday morning, as his friends informed him, Mckesson’s Twitter feed started spewing Trump endorsements and proclamations that “I’m not actually black.”

Of course, it turned out that Mckesson’s Twitter account had been hijacked.

That’s not terribly surprising, in lieu of the fact that 33 million Twitter logins were put up for sale last week.

Besides Twitter logins themselves being amassed and sold, this has proved to be the season for mega-breaches. People who reuse passwords have left multiple sites open for hijacking in wake of recent huge breaches: 65 million Tumblr passwords here, 117 million LinkedIn accounts’ details there, and half a billion MySpace passwords to (no pun intended) trump them all.

But as Mckesson came to find out, the problem wasn’t that he’d neglected to change passwords after one of those breaches, nor that he’d reused the same password across different sites.

In fact, he was doing what security people, and Twitter, tell people to do: he was using two-factor authentication (2FA) to protect his account.

Yet still, in spite of good security hygiene, as has happened to plenty of celebrities before him – Mark Zuckerberg being the latest – somebody managed to take control of Mckesson’s account.

After he regained control of his Twitter account, he explained that the attackers managed to do the deed by convincing Verizon to reset his SIM. That way, the hijacker or hijackers managed to set it up so they could intercept text messages intended for Mckesson and thereby bypass the 2FA that otherwise should have kept his account secure.

There was social engineering involved: the hacker(s) called Verizon’s billing department and impersonated him. Then, they redirected his phone service to their own phone, so that calls and texts that should have gone to Mckesson’s number went instead to theirs.

Then, they used Twitter’s password reset feature, which relies on authorization codes sent via SMS to a phone. In other words, they didn’t need Mckesson’s password: all they needed was the last four digits of his taxpayer ID and his name to lock him out of his account.

There are ways to fight off such an attack. The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, described how you can fight off identity thieves who try to take over your mobile phone account.

In fact, a few weeks prior to her post, Cranor herself had her account exploited when somebody walked into a mobile phone store, claimed to be her, asked to upgrade her mobile phones, and walked out with two brand new iPhones assigned to her telephone numbers.

My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.

Phone account hijacking is a growing problem: it’s doubled over the past three years to the point that as of January 2016, these incidents accounted for 6.3% of all identity thefts.

All four major US carriers have been involved in these cases. But all four of them also offer an important step to protect against identity theft. Namely, you can set up a password or PIN that’s required before any changes are made to your mobile account.

Here’s how to do it with the major carriers, according to the FTC:

AT&T offers a feature it refers to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note that when you login online with your passcode, you may be presented with the option to not be asked for it again. Don’t accept! You’ll just undo the extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

If you’re outside the US, check with your phone carrier about extra security on accounts.