All the hacker had to do was be persistent.
The Register explains:
A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication.
Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning his account to a new SIM card and phone – despite the miscreant not knowing the security code connected to the account. In other words, the criminal was able to persuade the US cell network's rep into making substantial changes to his account without the code, we're told.
Williams said the breach occurred last Thursday, when the hacker made multiple calls to AT&T support asking to transfer his account to a new phone. Initially, Williams said, AT&T staffers blocked the attempts when the caller could not give the phone account's correct passcode.