Social Media

Hacked activist's tweet storm shows flaw in a common cybersecurity standard

Civil rights activist DeRay Mckesson is speaking out about how a standard Verizon cybersecurity protection failed to protect his Twitter account from being hacked.

Mckesson, a "Black Lives Matter" activist who ran for mayor of Baltimore, raised eyebrows when he apparently endorsed Republican presidential hopeful Donald Trump on his Twitter account Friday. It turns out Mckesson was hacked, even though he had a commonly-accepted cybersecurity measure in place: Two-factor authentication.

Tweet 2: "At 10:31 am, someone called @verizon impersonating me and successfully changed my SIM & unsuccessfully attempted to change my phone number."

Tweet 4: "Today I learned that it is rather easy for someone to call the provider & change your SIM. The hacker got the account verification texts."

Deray McKesson, an avid protestor and frontline activist, is seen in St. Louis, Missouri.
Michael B. Thomas | AFP | Getty Images

The hackers got around it by calling Verizon Wireless, impersonating him, and changing his SIM, which redirected his texts and allowed the hackers to reset his passwords, according to Mckesson, who spoke out in a tweet storm Friday afternoon.

"Verizon takes the security and privacy of our customers very seriously," a spokesman told CNBC. "Our security teams are looking into these claims."

Tweet 6: "The staff from @twitter were incredibly helpful once alerted and helped to both delete some of the hacked tweets and give me back access."

Tweet 8: "No, I do not endorse Trump as the next President. He cannot be the President of the United States. He is racist & a bigot, unfit to lead."

Multi-factor authentication combines knowledge like a username and password, with either a biometric credential or a digital credential like a text message with a temporary code, Verizon's Enterprise unit wrote in a 2014 blog post. It can even be something like a key card, said Tim Erlin, director of IT security and risk strategy for cybersecurity firm Tripwire.

"In this case, McKesson appears to have done the right thing by using two-factor authentication, but the attacker managed to compromise his phone in order to intercept the authentication code sent by Twitter," Erlin said."In a consistently more connected eco-system, the ability to for disparate organizations like Twitter and phone carriers to work together is vitally important for security."

Mckesson told his followers that Verizon has safeguards in place to prevent it from happening again:

Tweet 9: "They simply needed to last four digits of my social security number to gain full access to my @verizon account."

Tweet 10: "I'm not sure. But they knew it. @Verizon has other safeguards now in place so that it doesn't happen again."

"There's no such thing as perfect security," Erlin said. "Two-factor authentication is better than relying on a single password for authentication, but that doesn't mean it's perfect.

Tweet 11: "The hacker got access by changing my SIM which redirected texts, then resetting my passwords to trigger two-factor authentication. Intense."

Tweet 12: "They didn't need the passwords up front. They changed the SIM, reset the passwords, got the codes, reset passwords."