DeRay Mckesson is a widely known activist in the Black Lives Matter movement and a former candidate in the race for mayor of Baltimore. He's a high-profile target, and someone finally figured out a way to crack his popular Twitter account: by hijacking his cell phone number and getting it reassigned to a phone under their control. This was used to push out a message on his account in support of a candidate who he says represents the antithesis of his views. Those tweets have since been deleted and Twitter has restored account access to Mckesson.
A recent acquisition by a site of what's alleged to be 32 million Twitter passwords, coupled with other breaches, password-stealing malware, and other techniques may have led to his password being compromised.
Even though Mckesson said in a tweet that he has two-factor authentication (2FA) enabled on all his accounts, Twitter included, once someone has your password and can receive texts sent to your phone number, they've got both components: something you know (your password) and something you have (your phone). That part, a phone being something you have, has long been understood to be weak, and Mckesson's situation helps prove just how fragile that assumption is.
By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.
Set a PIN on your carrier account
The three biggest American phone carriers don't require anything but knowledge of what is sadly easily obtainable information in 2016: the last four digits of your Social Security Number (SSN). That can be obtained through phishing attempts, any of the large leaks of SSNs from various sites and government agencies that crackers can access, or through reports from "background check" sites that don't verify who is requesting information.
Some carriers may ask for extra personal or present and past address details for confirmation, most of which can be found paired with the same leaked SSN or through the background check, which relies in part on the same credit reports that the carriers use to generate the questions.
However, you can add a PIN or password to your AT&T, T-Mobile, or Verizon account that reduces the chance of this happening. (Sprint requires a PIN alongside security questions when setting up an account.) It seems clear that the companies and resellers may have enough leeway for a smooth talker to get around the PIN or password requirement, but that hasn't been thoroughly tested yet. After this hijack of Mckesson and the recent identity theft against the FTC's chief technologist, Lorrie Cranor, carriers may be instructing their customer-service representatives to better resist social engineering.
With AT&T, you enable Extra Security, a feature so hidden I was unaware it existed. It can be set via AT&T's website or its mobile app; follow AT&T's instructions. When you're logging in again after you've set the passcode, you should also reject the site's offer to bypass the code on subsequent logins.
T-Mobile requires that you call customer service or visit one of its retail stores. It texts you a one-time use PIN that, when confirmed with a representative, lets you set up a password, which is then required in the future to get information about or make changes to your account.
Verizon can add a PIN to an account through your account controls on its site, via phone support, or in one of its retail stores.
What use is a phone number?
Most 2FA systems designed for consumers and business users (as opposed to those managed by IT departments in enterprises for intranet and web services) either rely entirely on a code sent via SMS, offer that as an option, or use SMS as a backup. That works as long as it's assumed that the phone itself, a physical item, has to be stolen, not the phone number, which is in effect an endpoint handled by the public switched telephone network's call routing system.
While you may use authentication apps that generate time-based one-time passwords (TOTPs), like Authy, Google Authenticator, and several others, so long as SMS is also an option, it's the weakest link. Pair that with password and SSN breaches, and the broad availability of background information about us to answer common security questions, and that second factor has no value at all. (Biometrics, "something you are," are a different matter; while people have faked fingerprints, it's a vastly, vastly higher bar to clear.)
Companies retain SMS as an option because of the customer-support burden: it's easier to get someone to type in a code sent as a text message than to download, install, configure, and use an authenticator app. But you would think the time is ripe for companies to allow expert users to disable SMS as a backup option, especially since many sites pair turning on 2FA with creating a set of backup, one-time use passwords meant to restore access if one loses access to the authentication app that can generate the appropriate code.
You may look at the FTC's Cranor and DeRay Mckesson, and think, "I'm not important enough to have someone go to these lengths." Alas, you'd be wrong. Identity theft is valuable against nearly anyone with a balance in their bank account or enough credit for a thief to buy new phones using their account information, which is what happened in Cranor's case; it's unlikely the criminal knew they were compromising someone at the FTC.
Because we can't control the flow of our fixed, identifying information, like SSN and a previous address, nor even our passwords, make sure to turn on extra protection at your carrier right away. Even with 2FA, an account PIN or password can be the only thing keeping a thief from using your identity.