DeRay Mckesson is a widely known activist in the Black Lives Matter movement and a former candidate in the race for mayor of Baltimore. He’s a high-profile target, and someone finally figured out a way to crack his popular Twitter account—by hijacking his cell phone number, and getting it reassigned to a phone under their control. This was used to push out a message in his account in support of a candidate who he says represents the antithesis of his beliefs. Those tweets have since been deleted and Twitter has restored account access to Mckesson.
A recent acquisition by a site of what’s alleged to be 32 million Twitter passwords, coupled with other breaches, password-stealing malware, and other techniques may have led to his password being compromised.
Even though Mckesson said in a tweet that he has two-factor authentication (2FA) enabled on all his accounts, Twitter included, once someone has your password and can receive texts sent to your phone number, they’ve obtained two factors: something you know (your password) and something you have (your phone). That part, a phone being something you have, has long been understood to be tenuous, and Mckesson’s situation helps prove just how fragile that assumption is.
By calling @verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor verification which I have on all accounts.
The three biggest American phone carriers don’t require anything but knowledge of what is sadly easily obtainable information in 2016: the last four digits of your Social Security Number (SSN). That can be obtained through phishing attempts, any of the large leaks of SSNs from various sites and government agencies that crackers can access, or through reports from “background check” sites that don’t verify who is requesting information.
Some carriers may ask for additional personal or present and past address details for verification, most of which can be found paired with the same leaked SSN or through the background check—which relies in part on the same credit reports that the carriers use to ask the questions.
However, you can add a PIN or password to your AT&T, T-Mobile, or Verizon account that reduces the chance of this happening. (Sprint requires a PIN alongside security questions when setting up an account.) It seems clear that the companies and resellers may have enough leeway for a smooth talker to bypass the PIN or password requirement, but that hasn’t been thoroughly tested yet. After this hijack of Mckesson and the recent identity crime against the FTC’s chief technologist, Lorrie Cranor, carriers may be instructing their customer-service representations to better resist social engineering.
With AT&T, you enable Extra Security, a feature so hidden I was unaware it existed. It can be set via AT&T’s website or its mobile app; follow AT&T’s instructions. When you’re logging in again after you’ve set the code, you should also refuse the site’s offer to bypass the code on subsequent logins.
T-Mobile requires that you call customer service or visit one of its retail stores. It texts you a one-time use PIN that, when verified with a representative, lets you set up a password, which is then required in the future to get information about or make changes to your account.
Verizon can add a PIN to an account through your account controls on its website, via phone support, or in one of its retail stores.
What use is a phone number?
Most 2FA systems designed for consumers and business users (as opposed to those managed by IT departments in enterprises for intranet and network services) either rely entirely on a code sent via SMS, offer that as an option, or use SMS as a backup. That works as long as it’s assumed that the phone itself, a physical item, has to be stolen, not the phone number, which is effectively an end point handled by the public switched telephone network’s call routing system.
While you can use authentication apps that generate time-based one-time passwords (TOTPs), like Authy, Google Authenticator, and several others, so long as SMS is also an option, it’s the weakest link. Pair that with password and SSN breaches, and the general availability of background information about us to answer common security questions, and that second factor has no value at all. (Biometrics, “something you are,” are a different matter—while people have faked fingerprints, it’s a vastly, vastly higher bar to clear.)
Companies retain SMS as an option because of the customer-support burden: it’s easier to get someone to type in a code sent as a text message than to download, install, configure, and use an authenticator app. But you would think the time is ripe for companies to allow expert users to disable SMS as a backup option, especially since many sites pair turning on 2FA with creating a set of backup, one-time use passwords intended to restore access if one loses access to the authentication app that can generate the appropriate code.
You may look at the FTC’s Cranor and DeRay Mckesson, and think, “I’m not important enough to have someone go to these lengths.” Unfortunately, you’d be wrong. Identity theft is valuable against nearly anyone with a balance in their bank account or enough credit for a thief to purchase new phones using their account information, which is what happened in Cranor’s case—it’s unlikely the criminals knew they were compromising someone at the FTC.
Because we can’t control the flow of our fixed, identifying information, like SSN and a past address, nor even our passwords, make sure to turn on extra protection at your carriers right away. Even with 2FA, an account PIN or password can be the only thing keeping a thief from using your identity.