Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Twitter Security Social Networks

How Activist DeRay Mckesson's Twitter Account Was Hacked 86

Racial justice activist DeRay Mckesson became the most recent victim of a high-profile Twitter account hack. Mckesson this week started to endorse for Donald Trump and posted a self-defamatory tweet. Later he announced that his account was hacked. What's interesting about this hack was that Mckesson had two-factor authentication enabled on "all" of his accounts. Hackers apparently resorted to a much-sophisticated attack: Hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.
This discussion has been archived. No new comments can be posted.

How Activist DeRay Mckesson's Twitter Account Was Hacked

Comments Filter:
  • Trump 2016 (Score:1, Interesting)

    by Anonymous Coward

    Just sayin'

    • by burni2 ( 1643061 )

      I hope gets elected.

      Not because I like him, but I think that people abbiding to Trumps Newspeak and not to common sense deserve a fair share of their own medicine - Trump is the overlord of Newspeak.

      Meaning: Earlier or Later Trump will use his Newspeak also against his prior supporters.

      War is peace
      Freedom is slavery
      Ignorance is Strength

      • The alternative is much worse. I'd rather be disappointed by an idiot than played a fool by some sinister evil who's best qualification to date is being the first woman president.

        It is not like we have an outstanding field to choose from. I'm not a trump supporter and could be considered a Hillary opposer which makes trump support a neccesity at this point i guess. But most of the trump supporters i talk to already admit he will not do half of what he says. They claim he pushes for stuff that is unacceptabl

        • by Anonymous Coward

          But most of the trump supporters i talk to already admit he will not do half of what he says.

          So these Trump supporters think he's lying to everyone else, but they're the special people who know when he's telling the truth.

          • That could be, or they could have read his book which explains this reasoning quite well.

            Have you ever had a conversation with a trump supporter where you wasn't trying to antagonize each other? You should try it some time and actually listen to them. Some are complete loons, some act that way to get your goat, some see the cleaver ruse in it all.

  • by Anonymous Coward
    Enough said.
    • by hsmith ( 818216 )
      If all i have to do is pop your sim out of your phone and put it in mine, it isn't much of an authentication factor
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I know some people leave their phones laying all about, but good luck getting the SIM out of my phone without me being aware of it, or dead.

    • For all my stuff I *really* need 2 factor for on I use an old cell phone with custom firmware not connected to anything and Google Authenticator.

    • > SMS was never true 2-factor

      Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

      SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

      • by Z00L00K ( 682162 )

        In this case it's not tied to a physical device, it's tied to a subscription that's tied to a physical device and the intruder re-routed the subscription to a device he possessed.

        At best a SMS solution is a 1.5 factor.

        I can also imagine apps hijacking text messages given certain conditions allowing an intruder to use your device to gain access.

        This is why I don't use banking apps in my phone.

    • by allo ( 1728082 )

      SMS is only to spy on you. A dataset with phone number is worth ten times of a dataset without, because companies can link it with datasets from other companies.
      Do you know analytics.twitter.com? Go look what your audience looks like. You can see, if people are interested in buying automobiles, etc. Stuff people never twittered? Why? Because twitter cooperates with ad companies, which return your interests when twitter gives them your phone number. And they aggregate from many different services, which have

  • by Anonymous Coward
    Just goes to show that no matter how secure your system is there is still a human who needs to be able to access it at the end of the day, and that human is vulnerable to being tricked. This does call into question exactly how lax Verizon's customer service is at verifying that they are indeed talking to the account holder. Id be interested in hearing what Verizon has to say about this incident, whether or not proper procedure was followed or not.
  • by Gravis Zero ( 934156 ) on Sunday June 12, 2016 @08:40AM (#52299063)

    What's next, people fooling Comcast?! -_-

  • What does "much-sophisticated" mean?

    • It is sophisticated only much more. Much-morely-sophisticated is the proper term I think.
    • It means that the two-factor authentication wasn't bypassed, like it said in the summary. Instead, it was COMPROMISED.
    • by Maritz ( 1829006 )

      What does "much-sophisticated" mean?

      It is similar to regular sophistication, except that it is also much.

  • Any relation to the medical supply company?
    the family that owns that must be billionaires.

  • by KiloByte ( 825081 ) on Sunday June 12, 2016 @09:03AM (#52299109)

    So these days the word for "racism" is now "racial justice"?

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      A brave slashdot fucktard is here to save us from people who point out racism is still a problem. Tip of the fedora, kind sir!!!
  • Day of Rest (Score:1, Troll)

    by PopeRatzo ( 965947 )

    This story about DeRay Mckensson has been on Slashdot for over half an hour on a Sunday morning and there still aren't any blatantly racist posts.

    They must all be in church or a Trump rally.

  • by mi ( 197448 )

    Racial justice activist DeRay Mckesson

    Is this — his being a "Racial Justice Activist" — the best way to describe a person? The supposed profession seems straight out of the Onion's polls [theonion.com] — along with other gems like "Grammar Innovator" and "Cactus Purchaser".

    Seriously, has he done something more profound in his life than raising awareness and, if he did, why is not that mentioned in the write-up instead?

    Well, at least now I have heard of the guy — the hack and /. have achieved for

    • by mjm1231 ( 751545 )

      The article is describing them in relation to the twitter account, which, it seems, was primarily used for racial justice activism. I've never heard of this person before either, but I could give two shits if the actual person is a plumber or a mailman the rest of the day. The story is about the twitter account.

      • by mi ( 197448 )

        The story is about the twitter account.

        Well, when Sarah Palin's private e-mail was hacked, reports weren't referring to her as just a mother and grand-mother — the capacity in which she used it and, incidentally, achievements far more serious than being an awareness raiser. No, the reports [wikileaks.org] were referring to her as the Governor of Alaska and a VP-contender.

        The story is about the twitter account.

        The story is, indeed. And yet, if they describe him, they should've listed things that make hum especially (i

        • OMG! This guy?! He's more phony than Jesse Jackson. A typical subway scammer. And he's not even entertaining. Too bad people are falling for this shit. I think somebody like Soros or Koch is putting up some money. This stuff can't possibly make it on its own. Not when there's real tweets worth reading [twitter.com]

  • by redelm ( 54142 ) on Sunday June 12, 2016 @09:21AM (#52299159) Homepage

    Users should be able to choose their own level of security to match their individual situations (consequences). With just one provider-imposed level, the same compromises between security and useability have to be selected and imposed on all users.

    For instance, a user could choose to set security very lax (pwd over phone) if they have little to protect and value convenience. Someone with something to worry about might set security very tight (long/rand pwds, resets only in meatspace with two forms of ID).

    • I would say the 2fa via SMS is a very weak level of protection and should be understood as such. Ideally you would have challenge/response on the phone to get the authorization code, plus a password for the account-- if you must use the phone.

      Personally would much rather use an RSA-ID or Nubikey as my "something I have".

      • by redelm ( 54142 )
        Agreed. Even if the phone is secure (does not flash SMS when locked), the channel is not -- SMS are unencrypted. Even challenge / response is subject to intercept & replay / frontrunning if without a passwd.
      • I disagree, the issue here is the fact the SMS is being managed by a third party.

        If you want each factor of your security identity to be secure, you need to manage it yourself.

        That means not using a free email account from someone else and using your own VOIP setup for SMS or audio confirmations.

        The issue is not the technology, but allowing others to access the systems hosting your security mediums.
  • Going off on a bit of a tangent about IOT, but it is relevant. OK, cellphones have to be controlled by the cellphone provider.

    But do you like the fact that your GM car can be de-activated from the cloud (Onstar)?

    Do want "Cloud connect" controlling your home router (Linksys; withdrawn quickly after backlash) https://tech.slashdot.org/stor... [slashdot.org]

    Do like spending good money on a home light controller (Revolv), only to have it bricked when the new owners after an acquisition decide they can't be bothered with it? h [slashdot.org]

FORTUNE'S FUN FACTS TO KNOW AND TELL: A guinea pig is not from Guinea but a rodent from South America.

Working...