It was just last week that Mark Zuckerberg’s Twitter account was taken over by hackers who managed to send out embarrassing tweets using his account. In the Scam of the day for June 7, 2016, I described how Zuckerberg failed to use a unique password for his Twitter account, so when his password, which he used for multiple accounts, became known due to a data breach at LinkedIn, hackers were able to use the password to take over his Twitter account. Zuckerberg’s other mistake was failing to take advantage of the option Twitter offers to use dual factor authentication for added security. With dual factor authentication, whenever you are going to access an online account, a special code is sent to your smartphone after you have typed in your user name and password. Without this code, you cannot gain access to your account. Thus, even if Zuckerberg’s password was known by the hackers, they would not have been able to access his Twitter account without the one-time code provided to his smartphone.

Civil rights activist Deray Mckesson also had his Twitter account hacked recently, and the hackers sent out a number of phony tweets that appeared to come from Mckesson, including one indicating his support for Donald Trump’s presidential candidacy. However, what is particularly noteworthy in this hacking is that the hackers did not have Mckesson’s password and his Twitter account was protected through dual factor authentication. What the hackers did was call Verizon, Mckesson’s carrier, and trick customer service into changing his SIM card to one in a phone controlled by the hackers. A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information, including your smartphone number, that is used to authenticate subscribers on mobile devices. The SIM card can be transferred between different devices, and often is when people upgrade to a newer smartphone. In the case of Mckesson, using a scam about which I warned you three years ago, the hackers contacted Mckesson’s wireless carrier and, pretending to be Mckesson, convinced Verizon to switch the SIM card to a new smartphone controlled by the hackers, who were then able not only to change Mckesson’s password, but also to get the dual factor authentication one-time code sent to the phone that they controlled. The hacker was able to convince the Verizon customer service employee that he was Mckesson merely by providing the last four digits of Mckesson’s Social Security number, which in these days of massive data breaches is not that hard for a determined identity thief to obtain.


Deray Mckesson did a better job of protecting the security of his Twitter account than Mark Zuckerberg did, but he did not do quite a good enough job to protect himself from having his account hijacked. Fortunately, there is an easy way to enhance your security and protect your SIM card from being switched, a switch that would thwart the protections provided by dual factor authentication: set up a PIN or password to be used for access to your mobile service provider account. Sprint and Verizon use PINs, while T-Mobile and AT&T will let you set up a password. It may seem like these are just more things to remember, but the protection they provide is worth it.