
Hackers will keep searching until they find the one element they can exploit.
STATES CHRONICLE – There seems to be bad news about Twitter almost every day now, and strangely enough, the microblogging service itself isn’t really at fault. But with such a heavily used and followed service, and with so many high-profile targets, not even additional security measures such as two-factor authentication can stop a cunning or determined hacker from eventually reaching their mark.
DeRay Mckesson, the well-known activist and former candidate for the mayor’s office, was one such mark. Even though he safeguarded his Twitter account with a strong password and two-factor authentication, Mckesson’s account was still hacked. The hacker then used @deray to post messages of support for Donald Trump.
And what brilliant tool did the hacker use to bypass the extra layer of security that two-factor authentication offers? Verizon Customer Service. After recovering his account, DeRay Mckesson decided to share the details with the world so that others could be better prepared than he was.
The hacker called Verizon Customer Service and supplied the last four digits of DeRay Mckesson’s Social Security number. This information is fairly easy to obtain for almost anyone who is known on social media under their real name. With the trust and compliance of the Verizon Customer Service employee, the hacker then had the SIM registered to Mckesson’s number changed to their own.
From that point on, all outgoing and, more importantly, incoming mobile communication for that number reached the hacker instead of DeRay. This included Twitter’s two-factor authentication SMS. With the SMS in hand, the hacker simply used Twitter’s easily accessible password reset function and gained full control of the account.
This was not the first time customer service has been used as a tool by hackers, of course. The fact of the matter is that the majority of online services use either an SMS or a phone call as the second part of their authentication.
Some services do offer hardware- or software-based authenticators. The security these grant is, of course, higher, until the user happens to lose the authenticator and is then locked out of their own account for a period ranging from very long to forever.
On the other hand, the most widely used mobile carriers let customers set up an additional safeguard for accessing their accounts, such as an extra PIN or password. It’s like two-factor authentication for your two-factor authentication. While this can stop hackers from turning customer service against its own customers, it is one more piece of data that has to be remembered and regularly updated.
Image Courtesy of DeRay Mckesson’s Twitter, @deray.