Police in California have arrested a man accused of being
among a group of hackers who found a way to take over Twitter CEO Jack Dorsey’s
Twitter account.
The hacker was allegedly part of a group called The
Chuckling Squad, which claimed responsibility for hacking the accounts of
Dorsey and other high-profile celebrities. The arrest was made a couple of
weeks ago, but it took a while to become public.
The hackers used a technique called SIM-swapping, which
requires little technical skill. The alleged Chuckling Squad member who was arrested
is accused of supplying the group with the phone numbers of high-profile targets. In
Dorsey’s case, the attackers tricked his mobile carrier into moving his phone number
onto a new SIM card under their control.
For 20 minutes, the hackers posted anti-Semitic messages from Dorsey’s
account. Once they controlled the phone number registered with the account’s two-factor
authentication, resetting the password was easy. This is exactly why SMS-based
two-factor authentication is vulnerable: the code is sent to a phone number, and a
SIM swap hands that number to the attacker.
“He was a member of Chuckling Squad but not anymore.
He was an active member for us by providing celebs/public figure [phone]
numbers and helped us hack them,”
Debug, a member of the Chuckling Squad, told Vox.
SIM-swapping still works because few people use
two-factor authentication at all, most of those who do rely on SMS codes, and the
call-center staff at mobile carriers lack the training and procedures to
spot an impostor. The practical countermeasure on the user side is to move the
second factor off the phone number, to an authenticator app or a hardware security
key, and to remove the number from the account’s recovery options, since a swapped
SIM also defeats SMS-based password resets.
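To make the failure mode concrete, here is an added example (not code from the article, Twitter, or any carrier) that models the attack described above. A toy `Carrier` class routes SMS for a number to whichever SIM is currently provisioned for it, and a toy `AccountService` offers both an SMS code flow and an RFC 6238 TOTP flow. The phone number, SIM identifiers, usernames and passwords are all made up, and the TOTP secret is the RFC 6238 test-vector key so the run is deterministic. Re-pointing the number at the attacker's SIM is the whole "SIM swap"; after that, the SMS password reset and SMS login both succeed for the attacker and the victim never sees a message, while the TOTP check fails because the secret never left the victim's authenticator.

```python
import hashlib
import hmac
import re
import secrets
import struct

# Constructed toy model (added example): "Carrier" stands in for a mobile
# network, "AccountService" for a site such as Twitter. Numbers, SIM ids,
# usernames and passwords below are invented.


class Carrier:
    """Delivers SMS for a number to whichever SIM is currently provisioned for it."""

    def __init__(self):
        self.number_to_sim = {}

    def provision(self, number, sim_id):
        # A SIM swap is exactly this call, made on the attacker's behalf after
        # a call-center agent is talked into it.
        self.number_to_sim[number] = sim_id

    def deliver_sms(self, number, text, inboxes):
        inboxes.setdefault(self.number_to_sim[number], []).append(text)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class AccountService:
    """A site offering SMS codes (tied to the number) or TOTP (tied to a device secret)."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}
        self.pending = {}  # username -> outstanding SMS code

    def register(self, username, password, phone, totp_secret):
        self.users[username] = {"password": password, "phone": phone, "totp_secret": totp_secret}

    def send_sms_code(self, username, inboxes):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = code
        self.carrier.deliver_sms(self.users[username]["phone"], f"Your code is {code}", inboxes)

    def reset_password_by_sms(self, username, code, new_password):
        """Recovery flow: whoever can read SMS for the number can set a new password."""
        if not hmac.compare_digest(self.pending.pop(username, ""), code):
            return False
        self.users[username]["password"] = new_password
        return True

    def login_with_sms(self, username, password, code):
        user = self.users[username]
        return password == user["password"] and hmac.compare_digest(self.pending.pop(username, ""), code)

    def login_with_totp(self, username, password, code, unix_time):
        user = self.users[username]
        expected = totp(user["totp_secret"], unix_time)
        return password == user["password"] and hmac.compare_digest(expected, code)


def code_from_sms(text):
    return re.search(r"\d{6}", text).group(0)


def simulate_sim_swap(unix_time=59):
    carrier = Carrier()
    service = AccountService(carrier)
    inboxes = {}
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, fixed for determinism
    carrier.provision("+15550100", "victim-sim")
    service.register("victim", "original-pw", "+15550100", secret)

    # The social-engineering step: the carrier re-points the number at the attacker's SIM.
    carrier.provision("+15550100", "attacker-sim")

    # 1. SMS-based recovery: the reset code lands in the attacker's inbox.
    service.send_sms_code("victim", inboxes)
    reset_ok = service.reset_password_by_sms(
        "victim", code_from_sms(inboxes["attacker-sim"][-1]), "attacker-pw")

    # 2. SMS second factor: the login code follows the number as well.
    service.send_sms_code("victim", inboxes)
    sms_login_ok = service.login_with_sms(
        "victim", "attacker-pw", code_from_sms(inboxes["attacker-sim"][-1]))

    # 3. TOTP: even with the new password, the attacker has no secret and can only guess.
    totp_login_ok = service.login_with_totp("victim", "attacker-pw", "000000", unix_time)

    return {
        "victim_saw_any_sms": "victim-sim" in inboxes,
        "sms_reset_succeeded": reset_ok,
        "sms_login_succeeded": sms_login_ok,
        "attacker_totp_succeeded": totp_login_ok,
    }


if __name__ == "__main__":
    for name, outcome in simulate_sim_swap().items():
        print(f"{name}: {outcome}")
```

The point of the model is the routing table in `Carrier`: an SMS code proves possession of a phone number, and the carrier decides who holds that number, so the security of the second factor is only as good as the carrier's identity checks. A TOTP secret or a hardware key never passes through the carrier, which is why those factors survive the same attack.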
“We applaud the efforts of all the law enforcement
agencies involved in this arrest,” the Santa Clara County District
Attorney’s Office told Vox. “REACT (Regional Enforcement Allied Computer
Team) continues to work with and assist our law enforcement partners in any way
we can. We hope this arrest serves as a reminder to the public that people who
engage in these crimes will be caught, arrested and prosecuted.”