AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency

from the whoops-a-daisy dept

It has only taken a few years, but the press, public and law enforcement appear to finally be waking up to the problem of SIM hijacking. SIM hijacking (aka SIM swapping or a “port out scam”) involves a hacker hijacking your phone number, porting it over to their own device (often with a wireless carrier employee’s help), then taking control of your personal accounts. As we’ve been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data.

Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target’s banking or cryptocurrency accounts. Case in point: California authorities recently brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin.

One of the problems at the core of this phenomenon is that hackers have either tricked or paid wireless carrier employees to aid in the hijacking, or in some instances appear to have direct access to (apparently) poorly-secured internal carrier systems. That has resulted in lawsuits against carriers like T-Mobile for not doing enough to police their own employees, the unauthorized access of their systems, or the protocols utilized to protect consumer accounts from this happening in the first place.

While T-Mobile has received the lion’s share of negative press attention on this subject in recent months, AT&T this week got dragged into the fun. The company was sued this week for $224 million by a customer who says AT&T’s failure to adequately protect his account resulted in the theft of nearly $24 million in cryptocurrency. The full complaint (pdf) notes that AT&T customer Michael Terpin is seeking $200 million in punitive damages and $24 million of compensatory damages for the cryptocurrency losses.

The suit alleges that Terpin had his phone number stolen and ported out at least twice between mid 2017 and early 2018, resulting in the thief then hijacking his identity to empty out his cryptocurrency accounts. Terpin also accuses of AT&T of failing to protect its customers despite ample press coverage of the SIM hijacking phenomenon. Worse perhaps, the lawsuit alleges that the thief successfully hijacked his phone number despite AT&T adding “higher security level” protections, which AT&T specifically stated would protect his account from such hijinks. From the complaint:

“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”

Again, carriers haven’t really much wanted to talk about this phenomenon, or the fact that their own employees are frequently either being hoodwinked or paid to participate in these thefts. And while carriers are trying to add additional security to protect such ports from happening (for example, T-Mobile customers should call 611 from their phone and demand a “port validation? passcode), the problem of carrier employees playing a starring role in these scams hasn’t yet been fully addressed. It’s likely the growing number of lawsuits by hoodwinked users will add some additional incentive to do so.

Filed Under: , , ,
Companies: at&t

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

When you get a new phone, you have to have the company deactivate your old one and make the new one answer when people dial your number. This scenario has 3rd parties paying off employees to change your phone over to one in their control. Any phone-based security like texting you a passcode will now go to the fake phone and you lose everything you tied to your phone account.

Anonymous Coward says:

Re: Re: Re: Re:

Sadly, companies demand more and more services be tied in part or in full to cell/phone numbers, because their market is the average user who isn’t savvy enough to know or care about real security, and so companies push cell/phone number authentication in the name of ease of use, when it actually offers attackers an easy means to gain unauthorized access to accounts.

Anonymous Coward says:

Re: Re: Re:

I get it now.

Many sites use additional “security” questions. Some of these questions are based upon public info like where were you born, so they may be easily obtained if you use your real info for these questions.

I’m not a luddite if I avoid new fangled devices that invite criminal activities on my behalf .. am I?

Wesley Bidsnipes says:

The stooge deserves the loss. The only way the sim hijacking would help with the cryptocurrency theft is if he was using one of those “bitcoin banks”.

The whole point of cryptocurrency was that you wouldn’t need banks anymore.

Had he done this properly, his wallet is merely a (hopefully backed up) file on his computer, one that only he knows the password for.

XcOM987 (profile) says:

Re: Re:

I fail to see why his use of a “Bitcoin Bank” means he deserve to lose his money because you feel it isn’t the correct method to store funds.

He secured it correctly, AT&T’s method of protecting his mobile account is the root cause of all this, what if someone managed to get access to your traditional bank due to your mobile account being compromised, would you just brush it off, blame the bank, or blame the mobile network providor for granting someone else access to your account for $100?

Wesley Bidsnipes says:

Re: Re: Re:

Yes. You fail to see.

He did not secure it correctly. He gave it to someone else, who promised to maybe give it back later.

AT&T’s failure to secure his phone number is completely incidental. Had this not happened, he’d have lost his cryptocurrency anyway eventually.

AT&T never promised to be someone’s password manager for their accounts. People use them for this, even if they don’t realize they’re doing so. It places an impossible burden on AT&T. If they stopped doing this, the worst that could happen would be a few prank calls.

How is a phone company supposed to confirm that a person truly wants to port their number? What uncompromised channel of communication is left for them to figure this out?

Telling them to “do more” without explaining how they could accomplish this is dumb.

Adam V says:

Re: Re: Re: Re:

I’m an AT&T wireless customer. One thing they’ve done for me is to implement a 4-character “PIN” that they’re supposed to require from me before any changes can be made to my account.

If they didn’t set up the PIN for this person, or if the customer service rep didn’t ask the caller for the PIN before making changes to the account, that’s totally on AT&T.

Note that this is the same thing that happened to the customer who’s suing T-Mobile: “The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification.”

Wesley Bidsnipes says:

Re: Re: Re:2 Re:

You’re a fool if you think the PIN will somehow fix this.

People will still have their numbers ported. People will still have fortunes stolen from them (partly because they don’t understand cryptocurrency). People will still wail and gnash teeth.

The only thing the PIN changes is that AT&T has an invincible defense in court (someone had the right PIN, how can it be our fault!).

Stop using your phone number as the master password to your life. Stop using cryptocurrency banks.

Ninja (profile) says:

Re: Re: Re:3 Re:

“Stop using your phone number as the master password to your life. Stop using cryptocurrency banks.”

It’s not the password, it’s either a recovery method or a 2FA device. I do agree that we should avoid using phone numbers to such ends due to their inherent insecurity (though having the phone as a 2FA is better than having nothing). However, it doesn’t invalidate the fact that telcos have to fix these issues because even if you don’t use the phone as any of those, having your line taken over may pose all kinds of problems outside cryptocurrency.

As for the stop using cryptocurrency banks I’d say cryptocurrencies need to include some sharing of functions of a wallet if the owner needs to. The banking system has many perks we use other than simply storing cash and cryptocurrencies as they are now are not ready to replace banks.

orbitalinsertion (profile) says:

Re: Re: Re:3 Re:

The results, and how people use their phone number, wittingly or not, is irrelevant to a service provider failing to properly secure and maintain customer accounts. Beyond that, many of these powers created or adopted (and force upon the user) the system whereby the goddamned mobile phone is required for multifactor authentication. (Just like the convenience of using things like fingerprint/face recognition/retina scan as a flippin’ password, when they are actually equivalent to a username.)

I think people are kind of dumb to trust these appliances and services, and frequently don’t bother to do minimal securing of anything themselves, even when tools are provided or available. But the entire system, corporate-wise and code-wise, is based on the “(barely (or not really)) good enough” philosophy.

But at the core of this matter, the issue is: Service providers not following the protocol already in place, which is plenty good enough to stop numbers from being incorrectly ported by actors who have not managed to gain access to any credentials prior to the port.

Having 24m in cryptocurrency, yeah, i would do a bit more to secure that. It doesn’t change the fact the the mobile providers are full-on fail here. The porting issue still exists for those of us who have absolutely nothing of value connected to our devices.

John Smith says:

Re: Re: Re:2 I do See

More like it’s your fault for having yoru work pirated if you relied on “obsolete” copyright law to protect it, since your business model is evil, and anyone who has ever created anything is an evil billionaire coporation who rips off the little guy, who has ore rights than you to control distribution of your work.

Wesley Bidsnipes says:

Re: Re: Re:

Comments like yours make it impossible to solve the problem. “Please, someone else fix this for me!”

AT&T and other companies will not come up with a better process for determining whether a number port is legitimate. First they’re incompetent. Even if some other organization could figure out the problem, they couldn’t. Second it’s an impossible problem. They might be able to reduce the number of swindles slightly, but only by becoming ever more invasive and making it difficult to port your number when you really want to. Third, this problem is ultimately caused by you, the user.

You’re the one that smiled and said “sign me up” when Facebook and other companies wanted to start using your phone number as your master password. You never bothered to understand passwords your entire life (what do you mean I can’t have the same password on every website!?!). You ooh and ahh when when Wired or Arstechnica puts up an article promising to make all the badness go away without you putting in any effort (I don’t know what 2FA is, but it sounds like magic, wonderful magic!).

This man (and all the rest) could have chosen to do the following: get password manager software, memorize a single long/difficult password, make all his other passwords 100 characters of unique garbage, use one of those for his wallet file, kept on his own computer and not in some Mt.Gox swindle bank.

He didn’t do these things, now he’s out millions. If you want to lose fortunes too, you can do what he did and you can also have the hobby of finding people like me on the internet and screaming “you’re victim blaming!”.

His stupidity was punished. Yours will be punished too.

PaulT (profile) says:

Re: Re: Re: Re:

“AT&T and other companies will not come up with a better process for determining whether a number port is legitimate”

They will if they’re encouraged enough to. The question is whether the courts and the market can force their hand.

“Third, this problem is ultimately caused by you, the user.”

You are also a user, genius. That you avoid certain obvious (to you) security risks does not make you immune, it only means that you potentially wouldn’t have been caught by this particular scam. There will be others.

“I don’t know what 2FA is”

You don’t know what the fundamental underpinning of this entire case is, can’t Google it for 5 seconds to find out, yet proclaim yourself better than who you’re talking to about the subject? Hmmm…

“His stupidity was punished. Yours will be punished too.”

Your arrogance and wilful ignorance will be, also.

Canuck says:

Re: Re: Re:2 2FA

Duh. He probably meant users don’t know what 2FA means, but they still assume it will magically protect them.

He’s coming on too strong, but he’s correct that putting your Bitcoins in places like Mt. Gox and using your phone number as a password reset mechanism are RECIPES FOR DISASTER. Don’t do it and don’t suggest that others should either.

PaulT (profile) says:

Re: Re: Re:3 2FA

Yeah possibly he did, I see that now.

But, it’s still incredibly arrogant to state that people deserve to lose large amounts of money because they don’t know as much about internet security as us here, especially since the security system is one used and approved of by so many sources the average person would trust. It’s basically like a locksmith going “yeah, you used Yale locks, of course you deserved to have your house cleared out!”

ShadowNinja (profile) says:

… I don’t know much about how owning crypto currency actually works, but wouldn’t they still need the password to access said currency?

Couldn’t they just change their password on the accounts (such as with a password manager) to make the SIM’s useless (assuming they change the passwords in time)?

Or better yet, couldn’t they require two factor authentication or something like that to access the Bitcoins?

Anonymous Coward says:

Re: Re: stop using his name jackbid

So SIM hackers today are the Crammers and Slammers who generated millions of dollars in revenue for the Telco’s in the 80’s and 90’s(and cost users millions in bogus fees).

We saw how many of those companies were ‘brought to justice’ (zero in case you missed it), so I’m sure we can expect the same apathy and indifference to the financial ruin they are causing individuals, as long as their bottom line is growing…

So HIT THEM WHERE IT HURTS… STOP BUYING THE BIG TELINFOMEDIA COMPANY PRODUCTS AND SERVICES. but then when ALL OUR BASE ARE BELONG TO THEM, there isn’t much else we can do, (sue, sue, sue…) now is there.

Anonymous Coward says:

Re: Re:

Couldn’t they just change their password on the accounts

If in your private life, your computing devise is your phone, how do you do that when it stops working. You now need another phone or a computer to do anything online.

A likely scenario, as this sort of crime needs prior research, is that on having the phone transferred, they then do a password recovery on the email account, and now they have time to rob you blind while you try and figure out how you do anything online.

Anonymous Coward says:

What would be wrong with phoning the old phone and checking before making the transfer, as it is presumably still available when a SIM transfer is requested. If the phone is gone, then proof of identity in a shop would not be that inconvenient most of the time, as you have to go and buy a new one anyway.

O.K, not as convenient a the current system, but convenience is always the enemy of security.

Anonymous Coward says:

This sort of thing is only going to happen more as more service providers demand a phone number be tied to an account as a primary means of authentication. It’s just as bad as making biometrics a primary means of authenticating devices. Phone numbers and biometric data can both be used to get access to accounts and devices quite easily compared to accounts with primary security done being secured by a strong password. Better yet, two-step authentication where the attacker needs access to both the password, and the email address of the victim to get into an account (password + verification email link is a common two-step method).

As long as email accounts are kept secure (strong Captcha protection), then that should be more than sufficient than demanding users compromise themselves both in terms of security and privacy by providing phone numbers to tie to accounts.

Lately Google has stepped up its user hostility by not only demanding phone numbers for account authentication, but also by flat-out refusing to login if the user logs in from a different IP address. If you are travelling and attempt to log in on a different IP address on an unrecognized device, you have no way of accessing an email account unless a) you provide a phone number or b) have linked a secondary email to the primary you’re trying to get access to (which may or may not still require providing a phone number to get access, and still presents a privacy issue as you may not want to link multiple different email addresses you use together).

We’re in a terrifying age of technology, where ease of use appears to trump good security policies.

Anonymous Anonymous Coward (profile) says:

Re: Re:

I don’t have a phone, either landline or mobile. When companies require a phone number I give them one 1-800-555-1212. Guess what. It works.

Now Google is a bit different. To get a new account (I want a new account for my second tablet) they won’t give me one without a phone number. The option is to give them someone else’s phone number, so they can send their verification code. You use the code and open the account and then go in and change or delete the phone number. It must make sense to someone…who isn’t me.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re: Re:

A new account means a new email account, everything else hinges off of that, so no. I left a message at one of their product forums a year or so ago and have yet to receive an acceptable answer. They won’t even allow web based SMS, though it appears they used to.

My intention was to get a new account for my second Android tablet that had no relationship with any of my other accounts, so they could not be compromised. It’s not like I have anything to compromise, but the principle still holds.

Alfred E Einstein (user link) says:

Techdirt says put third-party liability on ATT.

First, let’s all weep for this multi-millionaire who thought he’d gained yet more millions without lifting a finger. Boohoo. I’m done.

"Wesley Bidsnipes" has already pointed out the not just legal "hurdle" but thousand-foot cliff that must be jumped to get anywhere in a suit. This is no more than extortion attempt to leverage his own stupidity with lawyering.

–> The "2FA" point simply highlights that phones and gadgets are inherently insecure! ANYONE WITH BRAINS DOESN’T KEEP ANYTHING VALUABLE ON THEM! MIGHT AS WELL BE CASH IN A PAPER BAG!


So, HOW can anyone possibly blame ATT? … Only due to irrational hate from minion and fanboys.

That Anonymous Coward (profile) says:

“despite ample press coverage of the SIM hijacking phenomenon”

So the phone company is expected to do more than the customer.

While ATT is the devil, shall we look at where this should fall apart.
His phone was ported out not once, but twice… he still used his phone to secure his fortune.
Well the pinto blows up if hit from behind even by a shopping cart, but its really nice to go get groceries. o_O OMG my pinto exploded!!!!!! I’m suing Ford!!! What do you mean there was ample press coverage of it exploding if a shopping cart bumped it… they still are responsible for my inaction in parsing my risk…with the 3rd pinto.

Nearly every major corporations policies to secure things for consumers is a shit show. The cost of placating the suckers is less than paying to have actual security… so ya think they will spend money on security??
Anyone tried password1 on the Equifax portal yet?

Thad (profile) says:

Re: Re:

So the phone company is expected to do more than the customer.

Well, yes, ideally the phone company should not be giving its customers’ phone numbers away to other people.

Well the pinto blows up if hit from behind even by a shopping cart, but its really nice to go get groceries. o_O OMG my pinto exploded!!!!!! I’m suing Ford!!! What do you mean there was ample press coverage of it exploding if a shopping cart bumped it… they still are responsible for my inaction in parsing my risk…with the 3rd pinto.

…if your car explodes due to a manufacturer’s defect, then yes, the manufacturer is damn sure responsible, regardless of whether you made a sensible purchase decision.

carlb (profile) says:

Auntie beeb says the Vodafone is just as rubbish...


“Vodafone customer service agents can receive monthly bonuses worth up to £150 for high customer satisfaction scores alone. However, low scores can also result in them being placed on action plans to improve their performance.”

One more incentive for lax security. Gotta love it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...