Police in California have arrested a man accused of being among a group of hackers who found a way to take over Twitter CEO Jack Dorsey’s Twitter account.
The hacker was allegedly part of a group called The Chuckling Squad, which claimed responsibility for hacking the accounts of Dorsey and other high-profile celebrities. The arrest was made a couple of weeks ago, but it took a while to become public.
The hackers used a method called SIM-swapping, which requires little technical expertise: the attacker persuades the victim's mobile carrier to move the victim's phone number onto a SIM card the attacker controls. The alleged Chuckling Squad member who was arrested is accused of supplying the group with phone numbers of high-profile targets. In Dorsey's case, the attackers tricked the carrier into issuing a new SIM card for his number, so his calls and text messages were delivered to them instead of to him.
For about 20 minutes, the hackers posted anti-Semitic messages from Dorsey's account. Because the phone number they now controlled was the one registered for two-factor authentication and account recovery, resetting the password was straightforward: the verification code was simply texted to them. This is why SMS-based two-factor authentication is vulnerable: the second factor is tied to a phone number, and a phone number is something the carrier can reassign to whoever convinces it to do so.
“He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them,” said Debug, a member of the Chuckling Squad, to Vox.
SIM-swapping still works for three reasons: few people enable two-factor authentication at all, most of those who do rely on SMS codes, and the call-center operators at mobile carriers lack the training and procedures to recognise an impostor. Authenticator apps and hardware security keys take the phone number out of the login path entirely, and a carrier account PIN or port-out lock raises the bar for the social-engineering step.
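The two paragraphs above describe the attack from the carrier side (a number moved to a new SIM) and the service side (a password reset that trusts whoever holds that number). The following is an added example, not code from the article or from Twitter, showing the check a service can run at both points: refuse to send a recovery code to a number whose SIM was reissued very recently, and retrospectively flag SMS-based resets that closely followed a SIM change. The event data, phone numbers, timestamps and the seven-day policy are all constructed for illustration; the "carrier" rows stand in for the SIM-change feed some carriers expose to services.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical data, not from the article).
# Each tuple: (timestamp, source, event, phone_number). "carrier" rows
# model a SIM-reissue feed from the mobile operator; "service" rows model
# the service's own account-recovery log.
EVENTS = [
    ("2024-05-01T15:05:00", "carrier", "sim_reissued",        "+15550100"),
    ("2024-05-01T15:12:00", "service", "sms_reset_requested", "+15550100"),
    ("2024-05-01T15:13:00", "service", "password_reset",      "+15550100"),
    ("2024-05-01T09:00:00", "service", "sms_reset_requested", "+15550199"),
    ("2024-03-01T10:00:00", "carrier", "sim_reissued",        "+15550177"),
    ("2024-05-01T11:00:00", "service", "sms_reset_requested", "+15550177"),
]

# Policy (assumed value): do not send recovery codes to a SIM younger than this.
MIN_SIM_AGE = timedelta(days=7)


def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(s)


def last_sim_change(events, number, before):
    """Most recent carrier SIM reissue for `number` strictly before `before`, or None."""
    times = [ts(t) for t, src, ev, n in events
             if src == "carrier" and ev == "sim_reissued"
             and n == number and ts(t) < before]
    return max(times) if times else None


def allow_sms_recovery(events, number, at, min_sim_age=MIN_SIM_AGE):
    """Service-side gate run before texting a recovery code.

    A SIM reissued within `min_sim_age` is treated as possibly belonging to an
    attacker, so the code is withheld and the user is pushed to another factor.
    """
    changed = last_sim_change(events, number, at)
    return changed is None or at - changed >= min_sim_age


def flag_sim_swap_resets(events, window=timedelta(hours=24)):
    """Retrospective detection over the recovery log.

    Returns (number, sim_change_time, reset_time) for every SMS-based reset
    request that came within `window` of a SIM reissue on the same number.
    """
    hits = []
    for t, src, ev, n in events:
        if src != "service" or ev != "sms_reset_requested":
            continue
        at = ts(t)
        changed = last_sim_change(events, n, at)
        if changed is not None and at - changed <= window:
            hits.append((n, changed, at))
    return hits


if __name__ == "__main__":
    for n, changed, at in flag_sim_swap_resets(EVENTS):
        print(f"suspected SIM swap: {n} SIM reissued {changed}, SMS reset requested {at}")
    # The reset on +15550100 would have been blocked at the gate:
    print(allow_sms_recovery(EVENTS, "+15550100", ts("2024-05-01T15:12:00")))
```

The gate is only as good as the SIM-change signal behind it; where the carrier offers no such feed, the same logic can be driven by the service's own observation that the number started routing to a different device, and the safer default remains to not use SMS as a recovery factor at all.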
“We applaud the efforts of all the law enforcement agencies involved in this arrest,” the Santa Clara County District Attorney’s Office told Vox. “REACT (Regional Enforcement Allied Computer Team) continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested and prosecuted.”