×

Hacked activist's tweet storm shows flaw in a common cybersecurity standard

Civil rights activist DeRay Mckesson is speaking out about how a standard Verizon cybersecurity protection failed to protect his Twitter account from being hacked.

Mckesson, a "Black Lives Matter" activist who ran for mayor of Baltimore, raised eyebrows when he apparently endorsed Republican presidential hopeful Donald Trump on his Twitter account Friday. It turns out Mckesson was hacked, even though he had a commonly-accepted cybersecurity measure in place: Two-factor authentication.

Deray McKesson, an avid protestor and frontline activist, is seen in St. Louis, Missouri.
Michael B. Thomas | AFP | Getty Images
Deray McKesson, an avid protestor and frontline activist, is seen in St. Louis, Missouri.

The hackers got around it by calling Verizon Wireless, impersonating him, and changing his SIM, which redirected his texts and allowed the hackers to reset his passwords, according to Mckesson, who spoke out in a tweet storm Friday afternoon.

"Verizon takes the security and privacy of our customers very seriously," a spokesman told CNBC. "Our security teams are looking into these claims."

Multi-factor authentication combines knowledge like a username and password, with either a biometric credential or a digital credential like a text message with a temporary code, Verizon's Enterprise unit wrote in a 2014 blog post. It can even be something like a key card, said Tim Erlin, director of IT security and risk strategy for cybersecurity firm Tripwire.

"In this case, McKesson appears to have done the right thing by using two-factor authentication, but the attacker managed to compromise his phone in order to intercept the authentication code sent by Twitter," Erlin said."In a consistently more connected eco-system, the ability to for disparate organizations like Twitter and phone carriers to work together is vitally important for security."

Mckesson told his followers that Verizon has safeguards in place to prevent it from happening again:

"There's no such thing as perfect security," Erlin said. "Two-factor authentication is better than relying on a single password for authentication, but that doesn't mean it's perfect.