In The News

Why was a Twitter account getting hacked Verizon’s fault?

When a civil rights activist’s Twitter account got hacked, the fault didn’t end up lying with Twitter, or with the activist. In fact the trail led to the doorstep of phone carrier Verizon. But how?

Civil rights activist and politician Deray McKesson isn’t a Donald Trump fan. So when his Twitter account started posting endorsements for the controversial presidential candidate, something was clearly up.

Of course McKesson’s Twitter account had been compromised. But despite the recent spate of leaked Twitter passwords, in this particular case the fault didn’t lie with Twitter, or with McKesson.

In fact Twitter’s security systems worked as they should have, and McKesson even used 2FA (Two-Factor Authentication) on his Twitter account. 2FA is an extra layer of protection we recommend enabling on all your important accounts: it sends an authorisation code to you via SMS every time someone attempts to log in to your account from an unrecognised computer or phone. Twitter also sends an authorisation code by SMS when someone uses the “Forgot My Password” feature to reset the account’s password.

So what happened?

If the criminals had tried the front door, they would have needed both McKesson’s password AND the authorisation code sent via SMS to his phone.

Alternatively, they could use the password reset feature, which requires only the SMS authorisation code sent to McKesson’s phone, and which would let them set the password to one of their own choosing.

The criminals chose the latter. But how did they get that SMS authorisation code? As it turns out, by stealing McKesson’s mobile phone account away from him. Phone account hijacking has become increasingly popular over the last few years: criminals call up phone carriers pretending to be their victims, in an attempt to fool the carriers into handing control of the account over to them. In McKesson’s case the carrier was Verizon, which, after the criminals satisfied an all-too-basic security check, moved McKesson’s number to a new SIM, so that any calls or texts to McKesson were delivered to phones operated by the criminals.

So when the criminals used the password reset feature on McKesson’s Twitter account, that all-important SMS authorisation code was sent straight to them.
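To make the failure concrete, here is an added example (not Twitter’s or Verizon’s code; the service, carrier, account names and phone numbers are all assumed) that models the two flows described above. Login demands password plus SMS code; the weak reset flow demands the SMS code alone; a hardened reset flow additionally demands a backup code that is not routed through the carrier. The simulation then performs the SIM swap (a single change in the carrier’s routing table) and shows that the weak reset hands the account to the attacker while the hardened one does not.

```python
"""Model of SMS-based login and password reset, and why a SIM swap defeats
the reset flow.  Added example: names, numbers and flows are assumptions,
not the real Twitter or Verizon systems."""
import secrets
from dataclasses import dataclass, field


class Carrier:
    """Routes SMS for a number to whichever inbox currently holds that number.
    A SIM swap is nothing more than an entry change in this table."""

    def __init__(self):
        self.number_to_inbox = {}   # phone number -> inbox owner
        self.inboxes = {}           # owner -> list of received texts

    def activate(self, number, owner):
        self.number_to_inbox[number] = owner
        self.inboxes.setdefault(owner, [])

    def send_sms(self, number, text):
        self.inboxes[self.number_to_inbox[number]].append(text)

    def read_last_sms(self, owner):
        return self.inboxes[owner][-1]


@dataclass
class Account:
    password: str
    phone: str
    # Recovery factor independent of the phone number (assumption: one-time
    # backup codes the user stored offline when enabling 2FA).
    backup_codes: set = field(default_factory=set)


class WebService:
    def __init__(self, carrier):
        self.carrier = carrier
        self.accounts = {}
        self.pending_otps = {}   # username -> code most recently sent by SMS

    def register(self, username, password, phone, backup_codes):
        self.accounts[username] = Account(password, phone, set(backup_codes))

    def _send_otp(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[username] = code
        self.carrier.send_sms(self.accounts[username].phone, f"Your code is {code}")

    def _check_otp(self, username, code):
        expected = self.pending_otps.pop(username, None)   # single use
        return expected is not None and secrets.compare_digest(expected, code)

    def start_login(self, username):
        self._send_otp(username)

    def login(self, username, password, otp):
        acct = self.accounts[username]
        return secrets.compare_digest(acct.password, password) and self._check_otp(username, otp)

    def start_reset(self, username):
        self._send_otp(username)

    def reset_password_sms_only(self, username, otp, new_password):
        """Weak flow: the SMS code alone authorises a reset."""
        if not self._check_otp(username, otp):
            return False
        self.accounts[username].password = new_password
        return True

    def reset_password_hardened(self, username, otp, backup_code, new_password):
        """Hardened flow: also requires a factor the carrier cannot redirect."""
        acct = self.accounts[username]
        if not self._check_otp(username, otp) or backup_code not in acct.backup_codes:
            return False
        acct.backup_codes.discard(backup_code)   # backup codes are one-time
        acct.password = new_password
        return True


def simulate(hardened):
    """Attacker hijacks the victim's number, then runs the reset flow.
    Returns True if the attacker ends up able to log in as the victim."""
    carrier = Carrier()
    carrier.activate("+15555550100", "victim")      # constructed numbers
    carrier.activate("+15555550199", "attacker")
    svc = WebService(carrier)
    svc.register("victim", "correct horse battery staple", "+15555550100", {"backup-1"})

    # Front door: attacker has neither the password nor the victim's phone.
    svc.start_login("victim")
    assert not svc.login("victim", "guess", "000000")

    # SIM swap: the carrier is talked into moving the number to the attacker's SIM.
    carrier.activate("+15555550100", "attacker")

    svc.start_reset("victim")
    stolen_code = carrier.read_last_sms("attacker").split()[-1]
    if hardened:
        ok = svc.reset_password_hardened("victim", stolen_code, "", "pwned")
    else:
        ok = svc.reset_password_sms_only("victim", stolen_code, "pwned")
    if not ok:
        return False
    svc.start_login("victim")
    otp = carrier.read_last_sms("attacker").split()[-1]
    return svc.login("victim", "pwned", otp)
```

The point the model makes is that once the number is re-routed, the SMS code is no longer a second factor in any flow, so a recovery path that rests on SMS alone is effectively single-factor. The hardened flow only helps if the extra factor is genuinely independent of the carrier; an e-mail account whose own recovery falls back to the same phone number would not qualify.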

This is far from the first time this type of crime has occurred. Lorrie Cranor, chief technologist of the Federal Trade Commission, recently had to deal with someone who walked into a mobile phone store posing as her, asked for all of her phones to be upgraded, and walked off with brand new iPhones, all associated with her mobile number.

There are steps you can take with the major carriers in the US (and in other countries) to lock down your mobile phone account, by placing some type of PIN or password on it that is required every time changes are made to the account, though whether criminals will manage to bypass these security measures remains to be seen.

It’s a reminder that not only is our first line of defence, our passwords, not good enough when it comes to securing our accounts, our second line of defence, Two-Factor Authentication, isn’t necessarily good enough either when the second factor is a text message, because whoever controls the phone number receives both the login code and the password reset code. Now we need a third line of defence: locking down our mobile phone accounts, and, where a service offers it, using an authenticator app or hardware key instead of SMS so that control of the phone number alone cannot unlock the account.

It’s enough to ask how many steps we really need to take to truly secure our online accounts. Let us know your thoughts below.

Published by
Craig Haley