Sunday, June 12, 2016

Twitter Account Hacked via SIM Reset

Kate Conger (via John Gruber, Slashdot):

Even though several huge data breaches have recently exposed hundreds of millions of social media login credentials online, users aren’t re-setting their passwords — which means you’ll probably continue to see celebrities’ social media accounts getting hijacked.

[…]

After regaining control of his Twitter account, Mckesson explained that the hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

[…]

Passwords for tens of millions of Twitter accounts appeared online for sale this week, following the hacks of accounts belonging to Katy Perry, Ev Williams, Mark Zuckerberg, Drake and others. Although it’s possible that some of their passwords were included in the auctioned database, it’s more likely that their accounts were compromised because they reused passwords from other breached websites like LinkedIn, Myspace and Tumblr.

Nicole Nguyen:

With the last four digits of Mckesson’s Social Security number, they were able to gain full access to his Verizon account and changed the SIM, which redirected texts to a different device.

The hackers didn’t even need his account’s passwords. They could simply reset passwords to trigger two-factor authentication.

[…]

In a blog post, the FTC’s Chief Technologist Lorrie Cranor described how you can add an extra layer of security with your mobile carrier.

Without the proper carrier settings, two-factor is actually less secure than only using a password. AT&T customers should enable the “Extra security” option so that accessing the account always requires a 4-digit PIN other than the SSN.

Previously: Seven Hundred Million.

Update (2016-06-12): Glenn Fleishman:

Companies retain SMS as an option because of the customer-support burden: it’s easier to get someone to type in a code sent as a text message than to download, install, configure, and use an authenticator app. But you would think the time is ripe for companies to allow expert users to disable SMS as a backup option, especially since many sites pair turning on 2FA with creating a set of backup, one-time use passwords intended to restore access if one loses access to the authentication app that can generate the appropriate code.

Comments RSS · Twitter

Leave a Comment