In July of 2020 I first reported to you about the hacking of Twitter accounts belonging to many prominent people including Joe Biden, Bill Gates, Elon Musk, Kanye West, Kim Kardashian, Warren Buffett, Jeff Bezos and Mike Bloomberg, along with the company Twitter accounts of Apple, Uber and Wendy’s. For more than two hours the hackers sent out tweets that tricked a few hundred people into transferring Bitcoin to the hackers in the belief that they would receive a larger Bitcoin payment in return. The phony tweet that came from Bill Gates’ Twitter account read “Everyone is asking me to give back, and now is the time. You send $1,000 and I will send you back $2,000.” This type of scam, tricking people through Twitter into sending bitcoins to scammers, is nothing new. I have written about this scam many times during the last few years. However, what is unique and extremely concerning about this scam is that the people whose Twitter accounts were hacked did absolutely nothing to make themselves vulnerable to such an attack.
After a quick investigation three people, Graham Ivan Clark, Mason Sheppard and Nima Fazeli, were charged with the crime. According to law enforcement, Clark, a then 17 year old Floridian, was the mastermind of the cybercrime, which is good news and bad news. It is good news because Clark was portrayed by law enforcement as just a tech-savvy, greedy young person and not an agent of some foreign government seeking to disrupt American life. It is bad news because this case is an example of how vulnerable companies and government agencies are to being seriously disrupted by a mere tech-savvy teenager. On March 4th I told you of a possible plea deal between prosecutors and the now 18 year old Graham Ivan Clark. On March 16th the plea deal was accepted by the court and Clark was sentenced to three years in juvenile prison and three years of probation.
Clark used a socially engineered phone call to a Twitter employee in which he convinced the employee that he was a co-worker in the technology department who needed the employee’s credentials to access the customer service portal. He then used those credentials to gain access to the Twitter accounts of his 130 victims. Clark, in conjunction with Sheppard and Fazeli, whom he is alleged to have met in the online hacking forum OGUsers, sold most of the hacked accounts to other scammers, while Clark kept control over 17 of the most high-profile accounts, including those of Bill Gates, Barack Obama and Elon Musk, to use to perpetrate his Bitcoin scam.
In the past many such attacks, such as when Jennifer Lawrence had her iCloud account hacked and nude photos stolen from it, have succeeded because the people whose accounts were stolen did not use dual factor authentication. Most companies, such as Facebook, Instagram, Twitter, Google, Tumblr, Yahoo, WhatsApp and others, offer dual factor authentication, which most commonly works like this: when your password is used to access your account, a special code is sent to your cellphone and must be entered in order to complete access to the account. This provides dramatically enhanced security. Whenever you are able to use dual factor authentication for a particular website, account or app, you should take advantage of it. Some dual factor authentication protocols do not require the code when you are accessing the account from the computer or smartphone that you usually use, but only when the request to access the account comes from a different device.
But dual factor authentication is not perfect. Two years ago Twitter CEO Jack Dorsey’s own Twitter account was hacked. The hacker posted numerous racist tweets. It obviously is shocking when the CEO of Twitter has his account hacked. Jack Dorsey uses dual factor authentication; however, it was bypassed because the hackers gained control of his phone number through SIM card swapping. SIM card swapping is a major problem. A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone. The SIM card can be transferred between different devices, and often is, when people upgrade to a newer cell phone. As more and more financial transactions, such as online banking, are now done through cell phones, identity thieves who gain control of their victims’ SIM cards are increasingly able to intercept the security codes that online banking sends by text message as part of dual factor authentication, giving the identity thief the opportunity to empty their victims’ bank accounts and cause other financial havoc.
Porting is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal. They often do this by answering security questions over the phone after gathering information about you. To prevent someone from stealing access to your phone through porting, you should have a PIN added to your account so that no one can call your cell phone provider posing as you and ask to have your SIM card transferred. If Jack Dorsey had done this, his account would have been secure.
Many of the Twitter accounts hacked used dual factor authentication, but the hackers were able to bypass it because they had compromised Twitter’s own internal systems and gained direct access to their victims’ accounts, never having to face the dual factor authentication prompt at all.
We are always going to be as vulnerable as the companies and governmental agencies with the worst security that hold our important data, and there is nothing you could have done to protect yourself from the type of attack perpetrated here on Twitter, but there are things you can do to protect yourself.
The first step to protecting your Twitter account from being hacked is to set up dual factor authentication. Here is the link to information about setting up dual factor authentication for your Twitter account. https://help.twitter.com/en/managing-your-account/two-factor-authentication
The best thing you can do to protect your SIM card from porting is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you and convincing your mobile carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.
AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online. Without this passcode, AT&T will not swap your SIM card. Here is a link with instructions as to how to set up the passcode. https://www.att.com/esupport/article.html#!/wireless/KM1051397?gsi=9bi24i
Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center. Here is a link with information and instructions for setting up a PIN with Verizon. https://www.verizonwireless.com/support/account-pin-faqs/
T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online. This new passcode is used when changes to your account are attempted to be made such as swapping a SIM card. This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store. Here is a link to information and instructions for adding a new passcode to your account. https://www.t-mobile.com/customers/secure
Sprint customers can establish a PIN that must be provided when doing a SIM swap, in addition to merely answering a security question, the answer to which a clever identity thief may be able to learn. Here is a link to information about adding a PIN to your Sprint account. https://www.sprint.com/en/support/solutions/account-and-billing/update-your-pin-and-security-questions-on-sprint-com.html
You also may want to consider protecting your dual factor authentication from being threatened by a SIM swap by using a dual factor authentication app such as Google Authenticator, which generates the codes on your device itself and is not tied to your cell phone number, so a criminal who swaps your SIM card does not receive them. Here is a link with more information about Google Authenticator. https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345
For those of you receiving the Scam of the day through an email, I just want to remind you that if you want to see the ever increasing list of Coronavirus scams go to the first page of the http://www.scamicide.com website and click on the tab at the top of the page that indicates “Coronavirus Scams.” Scamicide has been cited by the New York Times as one of three top sources for information about Coronavirus related scams.
If you are not a subscriber to Scamicide.com and would like to receive daily emails with the Scam of the day, all you need to do is sign up for free using this link. https://scamicide.com/scam-of-the-day/