A good hacker doesn't always need to use sophisticated software to gain access to an online account. In some cases, they just need a phone.
That's exactly what social engineer hacker Jessica Clark demonstrates in a video from Fusion, when she calls the cell phone company of journalist Kevin Roose and, after a few minutes, is able to gain complete control over his account.
Here's how she did it.
First, Clark and the team at Social Engineer, Inc. put together a 13-page dossier on Roose, based on social media activity and publicly available information found online. With this, they have a decent picture of who Roose is, his habits, and details that could come in handy later.
Next, she "spoofs" his phone number in a call to his phone company, so that the customer service representative sees Roose's number instead of the one she is really calling from. This is just step one in convincing the company that Clark is legitimate.
She plays a YouTube video of babies crying in the background to make it seem like she's distraught and calling from a hectic household, and once she's talking to a customer service rep, she claims she is Roose's wife.
"I'm so sorry, can you hear me OK? My baby, I'm sorry. My husband is like, we're about to apply for a loan and we just had a baby, and he's like 'Get this done today,'" Clark says, setting the scene for the rep that she's a busy mom who really needs help. "I'm trying to log in to our account for usage information and I can't remember what email address we used."
It takes just about 30 seconds for Clark to have her target's email address.
In some cases, this could be just one small piece of what's needed to convince another company of who you are. For instance, a hacker might be able to convince someone to give up an account for online shopping using nothing more than an email address and the last four digits of a social security number.
But in this case Clark keeps going with the act, and is able to get a new account created for herself, and change Roose's password.
"Jessica uses my girlfriend's name and a fake social security number to set up her own personal access to my account," Roose says. "She even gets the support person to change my password. She just basically blocked me out of my own account."