clock menu more-arrow no yes mobile

Filed under:

Someone hijacked DeRay Mckesson’s Twitter account in a sneaky and preventable way

It’s called pretexting and it’s easy to do, but it’s also easy to prevent.

By now you've probably heard that the Twitter account belonging to #BlackLivesMatter activist DeRay Mckesson was hijacked on Friday. The tweet sent from Mckesson’s account that endorsed Donald Trump for president was probably a giveaway.

It wasn’t a hacking attack in the strictest sense: Twitter’s systems apparently weren’t compromised, and Mckesson even had two-factor authentication turned on. Instead, the attackers hijacked his mobile phone, using a weakness in how account information is managed by wireless providers.

Having first obtained the last four digits of Mckesson’s Social Security number, the hackers called Verizon’s billing department and impersonated him. They then redirected his service to a phone they had handy so that calls and texts going to his number were directed instead to their phone.

From there they used Twitter’s password reset feature — which relies on authorization codes sent via text messages to a phone — and locked Mckesson out of his account.

The technique of pretending to be someone and tricking a wireless provider into handing over control of a customer account is an old one. It’s called pretexting: The attacker pretends to be a customer having a problem, and convinces a service rep that the request they're making is legitimate.

It’s illegal. When the technique was used by a set of private investigators hired by the chairman of Hewlett-Packard a little more than a decade ago it caused a huge corporate scandal. One person charged served time in federal prison, while others received probation.

So how do you avoid experiencing the same headache Mckesson had on Friday? According to the Federal Trade Commission, it comes down to eliminating your Social Security number as a way to identify yourself to your carrier. Without that, hackers would have no way to access your phone and therefore no way to get ahold of your two-factor authentication code.

The details on how to set this up vary with your wireless carrier:

  • AT&T calls its feature “extra security." It means that before you can talk to a service rep you have to provide a passcode. You can read more about it here.
  • Verizon allows customers to set their own personal identifying number to access their accounts. You can do this by calling Verizon or going to a Verizon store.
  • T-Mobile does the same thing Verizon does, but calls it a “customer care password.” Again, call in or visit a T-Mobile store.
  • Sprint asks customers to set a PIN number to access their accounts.

And speaking of DeRay Mckesson, he was onstage with Twitter CEO Jack Dorsey at the Code Conference last week. In case you missed it, the video of the session is below, and if you prefer to listen to it as a podcast you can find that here.

This article originally appeared on Recode.net.