It was because Mckesson's hackers used a technique called social engineering — a method that doesn't require a phone at all.
Social engineering is manipulating people in order to gain trust so that they'll divulge information. It's a lot like con artistry, requiring a little bit of research and a lot of charm. Social engineering is usually about gaining access, often through impersonation — like the Greeks entering Troy inside the Trojan horse, or a teenager accessing the accounts of CIA director John Brennan.
Sometimes the easiest way to breach a network is to manipulate the humans who protect it.
How it works: When you call your cable company or bank with a complaint, they might ask you to verify your identity with the last four digits of your Social Security number. But for the tens of millions of people whose social security information has been leaked in various hacks, that information is easy enough to come by.
With a small dossier of basic information openly available online, a hacker can impersonate you (or a loved one) while on the phone with a customer service representative, for example.
Mckesson has two-factor authentication enabled on his accounts, meaning whenever he logs in from a new device, Twitter sends him a text message to confirm his identity. Normally, this keeps people from gaining your password and hacking into your account.
But after the attacker successfully changed Mckesson's SIM, they redirected his text messages to another phone. When Mckesson's two-factor authentication kicked in, the hacker was still able to access his accounts.
In this video produced by Fusion, you can watch the technique in action.
Jessica Clark from hacking firm Social-Engineer uses a technique called spoofing to make it seem like she's calling from Fusion news director Kevin Roose's phone. Clark then calls the customer service representatives from Roose's service provider and pretends to be his wife — a technique called "vishing," for voice solicitation. Clark says she needs immediate access to Roose's account.
Clark even plays sounds of a baby crying in the background to ratchet up stress for the customer support representative.
"I'm so sorry," she says. "Can you hear me OK? My baby, I'm sorry. My husband's like — we're about to apply for a loan and we just had a baby — and he's like, 'Get this done by today.' ... I'm trying to log in to our account for usage information and I can't remember what email address we used."
Eventually, Clark is able to get Roose's password changed. She sets up a whole new administrative account for Roose's services.
It's an old-school method: Since the dawn of personal computing, hacking wasn't just about trying to steal secrets or do damage. It was about solving puzzles, sharing information and injecting some playful chaos into the world.
Social engineering isn't a recent development; it's been a staple of the hacking community for decades. Early pop-culture depictions of hackers, as silly as they often were, included social-engineering techniques. Take this scene from 1995's Hackers:
Hopefully, mainstream service providers like Verizon and AT&T will bone up on their defenses against social engineering. It might mean that the next time you're looking for a favor from customer support, they're a little less likely to trust you. There's a good reason why.