AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency
from the whoops-a-daisy dept
It has only taken a few years, but the press, public and law enforcement appear to finally be waking up to the problem of SIM hijacking. SIM hijacking (aka SIM swapping or a “port out scam”) involves a hacker taking over your phone number by having it moved to a SIM or carrier they control (often with a wireless carrier employee’s help), then using that number to take control of your personal accounts. As we’ve been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data.
Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target’s banking or cryptocurrency accounts. Case in point: California authorities recently brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin.
One of the problems at the core of this phenomenon is that hackers have either tricked or paid wireless carrier employees to aid in the hijacking, or in some instances appear to have direct access to (apparently) poorly-secured internal carrier systems. That has resulted in lawsuits against carriers like T-Mobile for not doing enough to police their own employees, the unauthorized access of their systems, or the protocols utilized to protect consumer accounts from this happening in the first place.
While T-Mobile has received the lion’s share of negative press attention on this subject in recent months, AT&T got dragged into the fun this week. The company was sued for $224 million by a customer who says AT&T’s failure to adequately protect his account resulted in the theft of nearly $24 million in cryptocurrency. The full complaint (pdf) notes that AT&T customer Michael Terpin is seeking $200 million in punitive damages and $24 million in compensatory damages for the cryptocurrency losses.
The suit alleges that Terpin had his phone number stolen and ported out at least twice between mid 2017 and early 2018, resulting in the thief then hijacking his identity to empty out his cryptocurrency accounts. Terpin also accuses AT&T of failing to protect its customers despite ample press coverage of the SIM hijacking phenomenon. Worse perhaps, the lawsuit alleges that the thief successfully hijacked his phone number despite AT&T adding “higher security level” protections, which AT&T specifically stated would protect his account from such hijinks. From the complaint:
“AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care.”
Again, carriers haven’t really much wanted to talk about this phenomenon, or the fact that their own employees are frequently either being hoodwinked or paid to participate in these thefts. And while carriers are trying to add additional security to protect such ports from happening (for example, T-Mobile customers should call 611 from their phone and demand a “port validation” passcode), the problem of carrier employees playing a starring role in these scams hasn’t yet been fully addressed. It’s likely the growing number of lawsuits by hoodwinked users will add some additional incentive to do so.
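The mechanism above, as an added example that is not part of the article: a toy carrier that either does or does not enforce an account PIN before porting a number, and a toy account-recovery service that offers two factors for the same account. The SMS code is delivered to whichever device the carrier currently routes the number to, so it follows a port-out; the TOTP code (RFC 6238, built on RFC 4226 HOTP) is computed from a secret that lives on the subscriber’s device and never touches the carrier. The carrier model, phone numbers, PIN, account names and the use of the RFC 4226 test secret are all constructed for illustration.

```python
"""Added example (not from the article): why SMS recovery codes follow a
ported phone number while TOTP codes stay with the device secret.
The carrier, accounts, PIN and phone numbers below are constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class Carrier:
    """Toy carrier: a number routes to whichever device currently holds it."""

    def __init__(self, enforce_pin: bool):
        self.enforce_pin = enforce_pin
        self.routes = {}   # number -> device id holding the number
        self.pins = {}     # number -> account PIN chosen by the subscriber
        self.inboxes = {}  # device id -> list of SMS texts received

    def activate(self, number: str, device: str, pin: str) -> None:
        self.routes[number] = device
        self.pins[number] = pin

    def port_out(self, number: str, new_device: str, pin: Optional[str]) -> bool:
        """Move a number to a new device. Without PIN enforcement a caller who
        merely talks a rep into it gets the number; that is the weakness at issue."""
        if self.enforce_pin and not hmac.compare_digest(pin or "", self.pins[number]):
            return False
        self.routes[number] = new_device
        return True

    def send_sms(self, number: str, text: str) -> str:
        """Deliver to the current route and report which device received it."""
        device = self.routes[number]
        self.inboxes.setdefault(device, []).append(text)
        return device


class RecoveryService:
    """Toy web service offering SMS and TOTP recovery for the same account."""

    def __init__(self, carrier: Carrier):
        self.carrier = carrier
        self.accounts = {}  # username -> {"number": ..., "totp_secret": ...}
        self.pending = {}   # username -> outstanding SMS code

    def enroll(self, user: str, number: str, totp_secret: bytes) -> None:
        self.accounts[user] = {"number": number, "totp_secret": totp_secret}

    def request_sms_code(self, user: str) -> str:
        """SMS path: the code goes to whoever the carrier says owns the number."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return self.carrier.send_sms(self.accounts[user]["number"], code)

    def verify_sms_code(self, user: str, code: str) -> bool:
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(code, expected)

    def verify_totp(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """TOTP path: only the device holding the secret can produce the code, so a
        port-out at the carrier changes nothing. Allows one step of clock drift."""
        now = time.time() if now is None else now
        secret = self.accounts[user]["totp_secret"]
        return any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))


def run_port_out_scenario(enforce_pin: bool) -> dict:
    """Attacker ports the victim's number without the PIN, then tries both recovery paths."""
    number = "+15555550100"  # constructed
    carrier = Carrier(enforce_pin=enforce_pin)
    carrier.activate(number, device="victim-sim", pin="4821")
    svc = RecoveryService(carrier)
    secret = b"12345678901234567890"  # RFC 4226 test secret; use secrets.token_bytes(20) for real enrolment
    svc.enroll("alice", number, secret)

    ported = carrier.port_out(number, new_device="attacker-sim", pin=None)
    receiving_device = svc.request_sms_code("alice")
    stolen = carrier.inboxes.get("attacker-sim", [])
    attacker_sms_ok = bool(stolen) and svc.verify_sms_code("alice", stolen[-1])
    attacker_totp_ok = svc.verify_totp("alice", "123456", now=59)  # a guess; no secret
    owner_totp_ok = svc.verify_totp("alice", totp(secret, 59), now=59)
    return {
        "ported": ported,
        "sms_code_went_to": receiving_device,
        "attacker_passed_sms": attacker_sms_ok,
        "attacker_passed_totp": attacker_totp_ok,
        "owner_passed_totp": owner_totp_ok,
    }


if __name__ == "__main__":
    print("no PIN enforced:", run_port_out_scenario(enforce_pin=False))
    print("PIN enforced:   ", run_port_out_scenario(enforce_pin=True))
```

Run it and the first line shows the SMS code landing on `attacker-sim` and the attacker passing SMS recovery while failing TOTP; the second shows the port refused and the code staying on `victim-sim`. The point for a service owner is the `verify_totp` branch: nothing in it consults the carrier, which is what makes the phone number irrelevant to that factor. The carrier PIN only helps if the rep actually checks it, which is the failure the T-Mobile and AT&T complaints describe.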
Filed Under: cryptocurrency, michael terpin, security, sim hijack
Companies: at&t
Comments on “AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency”
I hope the punitive damages get inflated to billions. It’s a very serious issue that has to be addressed and if they aren’t going to do it to provide a better service then let’s make them do it because it hurts financially not to do it.
I can dream, right?
Please excuse my ignorance, but what data is being hijacked in order to get access to the victims accounts?
How does one access accounts from their phone, does this have to be set up previously? Are passwords stored on the phone?
Re: Re:
When you get a new phone, you have to have the company deactivate your old one and make the new one answer when people dial your number. This scenario has 3rd parties paying off employees to change your phone over to one in their control. Any phone-based security like texting you a passcode will now go to the fake phone and you lose everything you tied to your phone account.
Re: Re: Re:
I had not thought of passcodes being sent to the cell phone.
Another reason to not tie anything to the cell
Re: Re: Re: Re:
Sadly, companies demand more and more services be tied in part or in full to cell/phone numbers, because their market is the average user who isn’t savvy enough to know or care about real security, and so companies push cell/phone number authentication in the name of ease of use, when it actually offers attackers an easy means to gain unauthorized access to accounts.
Re: Re: Re:2 Re:
Amazon requires you to use a cell phone that they send passcodes to in order to “verify” your identity. I’ve run into this a few times lately while buying stuff on Amazon.
Re: Re: Re:3 Re:
I don’t have a phone and I don’t have a problem using Amazon. Not sure why it is different for me.
Re: Re: Re:3 Re:
guess I will not be getting an Amazon account then.
Re: Re: Re:3 Re:
You do also have the option of using the much saner ‘generate a token’ programs like Authy or Google or Microsoft Authenticator.
Re: Re:
If you have any password recoveries as texts to your phone, along with texts to that phone for second factor authorization, someone gaining control over your phone number can use it to gain control over your accounts.
Re: Re:
Websites routinely believe that 2FA codes sent via SMS are safe and secure. This is false. Hacker steals/hijacks victims phone number, goes to website X, does password/account recovery, sends SMS codes to hacker. Hacker gains access.
Re: Re: Re:
I get it now.
Many sites use additional “security” questions. Some of these questions are based upon public info like where were you born, so they may be easily obtained if you use your real info for these questions.
I’m not a luddite if I avoid new fangled devices that invite criminal activities on my behalf... am I?
Re: Re: Re:
Banks, and pseudobank cryptocoin sites, should know better. Ultimately, their negligence (validating identity via insecure methods) is to blame.
The stooge deserves the loss. The only way the sim hijacking would help with the cryptocurrency theft is if he was using one of those “bitcoin banks”.
The whole point of cryptocurrency was that you wouldn’t need banks anymore.
Had he done this properly, his wallet is merely a (hopefully backed up) file on his computer, one that only he knows the password for.
Re: Re:
I fail to see why his use of a “Bitcoin Bank” means he deserve to lose his money because you feel it isn’t the correct method to store funds.
He secured it correctly, AT&T’s method of protecting his mobile account is the root cause of all this, what if someone managed to get access to your traditional bank due to your mobile account being compromised, would you just brush it off, blame the bank, or blame the mobile network provider for granting someone else access to your account for $100?
Re: Re: Re:
Yes. You fail to see.
He did not secure it correctly. He gave it to someone else, who promised to maybe give it back later.
AT&T’s failure to secure his phone number is completely incidental. Had this not happened, he’d have lost his cryptocurrency anyway eventually.
AT&T never promised to be someone’s password manager for their accounts. People use them for this, even if they don’t realize they’re doing so. It places an impossible burden on AT&T. If they stopped doing this, the worst that could happen would be a few prank calls.
How is a phone company supposed to confirm that a person truly wants to port their number? What uncompromised channel of communication is left for them to figure this out?
Telling them to “do more” without explaining how they could accomplish this is dumb.
Re: Re: Re: Re:
I’m an AT&T wireless customer. One thing they’ve done for me is to implement a 4-character “PIN” that they’re supposed to require from me before any changes can be made to my account.
If they didn’t set up the PIN for this person, or if the customer service rep didn’t ask the caller for the PIN before making changes to the account, that’s totally on AT&T.
Note that this is the same thing that happened to the customer who’s suing T-Mobile: “The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification.”
Re: Re: Re:2 Re:
You’re a fool if you think the PIN will somehow fix this.
People will still have their numbers ported. People will still have fortunes stolen from them (partly because they don’t understand cryptocurrency). People will still wail and gnash teeth.
The only thing the PIN changes is that AT&T has an invincible defense in court (someone had the right PIN, how can it be our fault!).
Stop using your phone number as the master password to your life. Stop using cryptocurrency banks.
Re: Re: Re:3 Re:
“Stop using your phone number as the master password to your life. Stop using cryptocurrency banks.”
It’s not the password, it’s either a recovery method or a 2FA device. I do agree that we should avoid using phone numbers to such ends due to their inherent insecurity (though having the phone as a 2FA is better than having nothing). However, it doesn’t invalidate the fact that telcos have to fix these issues because even if you don’t use the phone as any of those, having your line taken over may pose all kinds of problems outside cryptocurrency.
As for the stop using cryptocurrency banks I’d say cryptocurrencies need to include some sharing of functions of a wallet if the owner needs to. The banking system has many perks we use other than simply storing cash and cryptocurrencies as they are now are not ready to replace banks.
Re: Re: Re:3 Re:
The results, and how people use their phone number, wittingly or not, is irrelevant to a service provider failing to properly secure and maintain customer accounts. Beyond that, many of these powers created or adopted (and forced upon the user) the system whereby the goddamned mobile phone is required for multifactor authentication. (Just like the convenience of using things like fingerprint/face recognition/retina scan as a flippin’ password, when they are actually equivalent to a username.)
I think people are kind of dumb to trust these appliances and services, and frequently don’t bother to do minimal securing of anything themselves, even when tools are provided or available. But the entire system, corporate-wise and code-wise, is based on the “(barely (or not really)) good enough” philosophy.
But at the core of this matter, the issue is: Service providers not following the protocol already in place, which is plenty good enough to stop numbers from being incorrectly ported by actors who have not managed to gain access to any credentials prior to the port.
Having 24m in cryptocurrency, yeah, I would do a bit more to secure that. It doesn’t change the fact that the mobile providers are full-on fail here. The porting issue still exists for those of us who have absolutely nothing of value connected to our devices.
Re: Re: Re:3 Re:
Are you the fool for setting up your cell to perform such activities?
Re: Re: Re: I do See
So by your logic.
If a cop shoots you dead for no good reason it is OK because eventually you were going to die anyway?
For all you know in another week he was moving his money out of bit-coins.
Re: Re: Re:2 I do See
More like it’s your fault for having your work pirated if you relied on “obsolete” copyright law to protect it, since your business model is evil, and anyone who has ever created anything is an evil billionaire corporation who rips off the little guy, who has more rights than you to control distribution of your work.
Re: Re: Re:3 I do See
You keep trying so hard to portray the RIAA as heroes, John. It’s almost adorable.
Re: Re: Re:3 I do See
Are you typing with your pinkies?
Re: Re:
Comments like yours are exactly like blaming a rape victim for wearing sexy clothes, “she deserved it”. I think you must be trolling.
Re: Re: Re:
Comments like yours make it impossible to solve the problem. “Please, someone else fix this for me!”
AT&T and other companies will not come up with a better process for determining whether a number port is legitimate. First they’re incompetent. Even if some other organization could figure out the problem, they couldn’t. Second it’s an impossible problem. They might be able to reduce the number of swindles slightly, but only by becoming ever more invasive and making it difficult to port your number when you really want to. Third, this problem is ultimately caused by you, the user.
You’re the one that smiled and said “sign me up” when Facebook and other companies wanted to start using your phone number as your master password. You never bothered to understand passwords your entire life (what do you mean I can’t have the same password on every website!?!). You ooh and ahh when Wired or Arstechnica puts up an article promising to make all the badness go away without you putting in any effort (I don’t know what 2FA is, but it sounds like magic, wonderful magic!).
This man (and all the rest) could have chosen to do the following: get password manager software, memorize a single long/difficult password, make all his other passwords 100 characters of unique garbage, use one of those for his wallet file, kept on his own computer and not in some Mt.Gox swindle bank.
He didn’t do these things, now he’s out millions. If you want to lose fortunes too, you can do what he did and you can also have the hobby of finding people like me on the internet and screaming “you’re victim blaming!”.
His stupidity was punished. Yours will be punished too.
Re: Re: Re: Re:
Are you threatening people on this blog?
Re: Re: Re: Re:
“AT&T and other companies will not come up with a better process for determining whether a number port is legitimate”
They will if they’re encouraged enough to. The question is whether the courts and the market can force their hand.
“Third, this problem is ultimately caused by you, the user.”
You are also a user, genius. That you avoid certain obvious (to you) security risks does not make you immune, it only means that you potentially wouldn’t have been caught by this particular scam. There will be others.
“I don’t know what 2FA is”
You don’t know what the fundamental underpinning of this entire case is, can’t Google it for 5 seconds to find out, yet proclaim yourself better than who you’re talking to about the subject? Hmmm…
“His stupidity was punished. Yours will be punished too.”
Your arrogance and wilful ignorance will be, also.
Re: Re: Re:2 Re:
Are you threatening people on this blog?
Re: Re: Re:2 2FA
Duh. He probably meant users don’t know what 2FA means, but they still assume it will magically protect them.
He’s coming on too strong, but he’s correct that putting your Bitcoins in places like Mt. Gox and using your phone number as a password reset mechanism are RECIPES FOR DISASTER. Don’t do it and don’t suggest that others should either.
Re: Re: Re:3 2FA
Yeah possibly he did, I see that now.
But, it’s still incredibly arrogant to state that people deserve to lose large amounts of money because they don’t know as much about internet security as us here, especially since the security system is one used and approved of by so many sources the average person would trust. It’s basically like a locksmith going “yeah, you used Yale locks, of course you deserved to have your house cleared out!”
Re: Re: Re:
Some people actually think that way.
Re: Re:
I mean, that cryptocurrency in his sock is great and all, but I found even buying cryptocurrency, let alone using that currency, was impossible without a middleman.
Re: Re:
Since I have several forms of crypto I will agree that he was foolish to store it in such a fluid fashion. But if you think someone deserves to be robbed of all their money then maybe one day you will be lucky enough to experience that as well.
from the the-more-things-change dept.
We don’t care. We don’t have to. We’re the phone company!
… I don’t know much about how owning crypto currency actually works, but wouldn’t they still need the password to access said currency?
Couldn’t they just change their password on the accounts (such as with a password manager) to make the SIM’s useless (assuming they change the passwords in time)?
Or better yet, couldn’t they require two factor authentication or something like that to access the Bitcoins?
Re: stop using his name jackbid
Because the user implemented 2FA on the account, required use of the phone for 2FA.
The user could not change their password without the 2FA device, in this case his phone.
That makes AT&T an active conspirator and accomplice in the thefts.
Re: Re: stop using his name jackbid
So SIM hackers today are the Crammers and Slammers who generated millions of dollars in revenue for the Telco’s in the 80’s and 90’s(and cost users millions in bogus fees).
We saw how many of those companies were ‘brought to justice’ (zero in case you missed it), so I’m sure we can expect the same apathy and indifference to the financial ruin they are causing individuals, as long as their bottom line is growing…
So HIT THEM WHERE IT HURTS… STOP BUYING THE BIG TELINFOMEDIA COMPANY PRODUCTS AND SERVICES. but then when ALL OUR BASE ARE BELONG TO THEM, there isn’t much else we can do, (sue, sue, sue…) now is there.
Re: Re:
Re: Re: Re:
“If in your private life, your computing devise is your phone”
Then you have other serious issues.
What would be wrong with phoning the old phone and checking before making the transfer, as it is presumably still available when a SIM transfer is requested. If the phone is gone, then proof of identity in a shop would not be that inconvenient most of the time, as you have to go and buy a new one anyway.
O.K., not as convenient as the current system, but convenience is always the enemy of security.
This sort of thing is only going to happen more as more service providers demand a phone number be tied to an account as a primary means of authentication. It’s just as bad as making biometrics a primary means of authenticating devices. Phone numbers and biometric data can both be used to get access to accounts and devices quite easily compared to accounts secured primarily by a strong password. Better yet, two-step authentication where the attacker needs access to both the password and the email address of the victim to get into an account (password + verification email link is a common two-step method).
As long as email accounts are kept secure (strong Captcha protection), then that should be more than sufficient than demanding users compromise themselves both in terms of security and privacy by providing phone numbers to tie to accounts.
Lately Google has stepped up its user hostility by not only demanding phone numbers for account authentication, but also by flat-out refusing to login if the user logs in from a different IP address. If you are travelling and attempt to log in on a different IP address on an unrecognized device, you have no way of accessing an email account unless a) you provide a phone number or b) have linked a secondary email to the primary you’re trying to get access to (which may or may not still require providing a phone number to get access, and still presents a privacy issue as you may not want to link multiple different email addresses you use together).
We’re in a terrifying age of technology, where ease of use appears to trump good security policies.
Re: Re:
I don’t have a phone, either landline or mobile. When companies require a phone number I give them one: 1-800-555-1212. Guess what. It works.
Now Google is a bit different. To get a new account (I want a new account for my second tablet) they won’t give me one without a phone number. The option is to give them someone else’s phone number, so they can send their verification code. You use the code and open the account and then go in and change or delete the phone number. It must make sense to someone…who isn’t me.
Re: Re: Re:
They do not offer email as an alternative?
Re: Re: Re: Re:
A new account means a new email account, everything else hinges off of that, so no. I left a message at one of their product forums a year or so ago and have yet to receive an acceptable answer. They won’t even allow web based SMS, though it appears they used to.
My intention was to get a new account for my second Android tablet that had no relationship with any of my other accounts, so they could not be compromised. It’s not like I have anything to compromise, but the principle still holds.
Techdirt says put third-party liability on ATT.
First, let’s all weep for this multi-millionaire who thought he’d gained yet more millions without lifting a finger. Boohoo. I’m done.
"Wesley Bidsnipes" has already pointed out the not just legal "hurdle" but thousand-foot cliff that must be jumped to get anywhere in a suit. This is no more than an extortion attempt to leverage his own stupidity with lawyering.
–> The "2FA" point simply highlights that phones and gadgets are inherently insecure! ANYONE WITH BRAINS DOESN’T KEEP ANYTHING VALUABLE ON THEM! MIGHT AS WELL BE CASH IN A PAPER BAG!
Sheesh.
So, HOW can anyone possibly blame ATT? … Only due to irrational hate from minion and fanboys.
Re: Techdirt says put third-party liability on ATT.
So in your mind AT&T can continue providing hackers with access to your cell phone account because the AT&T customers are stupid?
Re: The best part about your stupid monikers
Is that if you had your way; Thad could legally come over to your house and burn all your shit while you were forced to watch.
You did after all admit you got the idea from him…
I thought blockchain and crypto was super-secure?
Re: Re:
Encryption is secure.
Your phone number is not.
“despite ample press coverage of the SIM hijacking phenomenon”
So the phone company is expected to do more than the customer.
While ATT is the devil, shall we look at where this should fall apart.
His phone was ported out not once, but twice… he still used his phone to secure his fortune.
Well the pinto blows up if hit from behind even by a shopping cart, but its really nice to go get groceries. o_O OMG my pinto exploded!!!!!! I’m suing Ford!!! What do you mean there was ample press coverage of it exploding if a shopping cart bumped it… they still are responsible for my inaction in parsing my risk…with the 3rd pinto.
Nearly every major corporation’s policies to secure things for consumers are a shit show. The cost of placating the suckers is less than paying to have actual security... so ya think they will spend money on security??
Anyone tried password1 on the Equifax portal yet?
Re: Re:
Well, yes, ideally the phone company should not be giving its customers’ phone numbers away to other people.
…if your car explodes due to a manufacturer’s defect, then yes, the manufacturer is damn sure responsible, regardless of whether you made a sensible purchase decision.
Re: Re:
Well the pinto blows up if hit from behind even by a shopping cart
Embellish much?
Auntie beeb says the Vodafone is just as rubbish...
From https://www.bbc.co.uk/news/business-45213774
“Vodafone customer service agents can receive monthly bonuses worth up to £150 for high customer satisfaction scores alone. However, low scores can also result in them being placed on action plans to improve their performance.”
One more incentive for lax security. Gotta love it.