Hackers Don't Need a Computer to Access Your Accounts — They Just Need Charm

Source: Getty Images

DeRay Mckesson's Twitter account was hacked on Friday, causing the politician and Black Lives Matter activist to tweet an endorsement for Donald Trump.

Mckesson wasn't hacked because he had a terrible password, like Mark Zuckerberg's "dadada." Nor was he using the same password over and over, like Drake did.

It was because Mckesson's hackers used a technique called social engineering — a method that doesn't require a phone at all. 

Social engineering is manipulating people in order to gain trust so that they'll divulge information. It's a lot like con artistry, requiring a little bit of research and a lot of charm. Social engineering is usually about gaining access, often through impersonation — like the Greeks entering Troy inside the Trojan horse, or a teenager accessing the accounts of CIA director John Brennan. 

Sometimes the easiest way to breach a network is to manipulate the humans who protect it.

How it works: When you call your cable company or bank with a complaint, they might ask you to verify your identity with the last four digits of your Social Security number. But for the tens of millions of people whose Social Security information has been leaked in various hacks, that information is easy enough to come by.

With a small dossier of basic information openly available online, a hacker can impersonate you (or a loved one) while on the phone with a customer service representative, for example.

Mckesson has two-factor authentication enabled on his accounts, meaning whenever he logs in from a new device, Twitter sends him a text message to confirm his identity. Normally, this keeps people from gaining your password and hacking into your account.

But after the attacker successfully changed Mckesson's SIM, they redirected his text messages to another phone. When Mckesson's two-factor authentication kicked in, the hacker was still able to access his accounts.

In this video produced by Fusion, you can watch the technique in action.

Source: YouTube

Jessica Clark from hacking firm Social-Engineer uses a technique called spoofing to make it seem like she's calling from Fusion news director Kevin Roose's phone. Clark then calls the customer service representatives from Roose's service provider and pretends to be his wife — a technique called "vishing," for voice solicitation. Clark says she needs immediate access to Roose's account. 

Clark even plays sounds of a baby crying in the background to ratchet up stress for the customer support representative.

"I'm so sorry," she says. "Can you hear me OK? My baby, I'm sorry. My husband's like — we're about to apply for a loan and we just had a baby — and he's like, 'Get this done by today.' ... I'm trying to log in to our account for usage information and I can't remember what email address we used."

Eventually, Clark is able to get Roose's password changed. She sets up a whole new administrative account for Roose's services.

It's an old-school method: Since the dawn of personal computing, hacking hasn't been just about trying to steal secrets or do damage. It's been about solving puzzles, sharing information and injecting some playful chaos into the world.

Social engineering isn't a recent development; it's been a staple of the hacking community for decades. Early pop-culture depictions of hackers, as silly as they often were, included social-engineering techniques. Take this scene from 1995's Hackers:

Source: YouTube

Hopefully, mainstream service providers like Verizon and AT&T will bone up on their defenses against social engineering. It might mean that the next time you're looking for a favor from customer support, they're a little less likely to trust you. There's a good reason why.


Jack Smith IV

Jack Smith IV is a senior writer covering technology and inequality. Send tips, comments and feedback to jack@mic.com.
