If Somebody Really Wants to Hack You You're Probably Fucked
In the wake of the leak of tens of millions of Twitter and old Myspace passwords this week, you may have heard a lot about two-factor authentification, the supposed impenetrable firewall between you, the unsuspecting cloud-based electronics user, and a hacker. I’m here to tell you that if someone is deeply intent on hacking you, you’re probably fucked.
This morning, the Twitter account of famed Black Lives Matter organizer DeRay Mckesson was compromised. Per the Baltimore Sun (Jesus Christ), the hacker tweeted, among other things, an endorsement of Donald Trump from Mckesson’s account. This afternoon, after regaining access to his some-376,000 followers, Mckesson revealed that he did in fact have two-factor authentification on his Twitter account, but the hacker(s) managed to bypass the system anyway:
At 10:31 am, someone called @verizon impersonating me and successfully changed my SIM & unsuccessfully attempted to change my phone number.
— deray mckesson (@deray) June 10, 2016
By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray mckesson (@deray) June 10, 2016
Today I learned that it is rather easy for someone to call the provider & change your SIM. The hacker got the account verification texts.
— deray mckesson (@deray) June 10, 2016
I'd realized that my phone had been hacked & separated from the actual phone number when the web only routed here: pic.twitter.com/zwYygVfbYy
— deray mckesson (@deray) June 10, 2016
The hacker got access by changing my SIM which redirected texts, then resetting my passwords to trigger two-factor authentication. Intense.
— deray mckesson (@deray) June 10, 2016
This sort of “social engineering” preys not on the security of your password-protected accounts, but the lowly call center employees who can access your shit with a few keystrokes.
So what are the solutions? Destroy all your electronics. Ummm, move to a remote island. Uhh...