Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim’s cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

T-Mobile customers aren’t the only users who’ve experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency. And while AT&T tried hard to have the case dismissed, a Los Angeles federal judge last week issued a mixed ruling that nixed AT&T’s request to dismiss the case, but demanded that Terpin do a better job highlighting how AT&T is directly responsible:

“Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin’s claimed $24 million loss. However, Wright dismissed the claims with “leave to amend,” meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible.”

AT&T, as you might expect, has argued in court and in public that it’s not liable for, well, anything. Ever.

Carriers frequently aren’t keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping “crammers” by intentionally making such bogus charges more difficult to see on customer bills.

In short this isn’t a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks to beef up his case before it proceeds:

“I am grateful that Judge Wright is allowing my case to proceed,” Terpin said. “We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court.”

Filed Under: , , , ,
Companies: at&t

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security”

Subscribe: RSS Leave a comment
36 Comments
Anonymous Coward says:

Re: Re: Re: Re:

And they’re just as vulnerable to SIM swap attacks as smartphones.

Terms like "SIM swap" and "phone hacking" come up but don’t describe what’s actually happening. "Telco fell for fraud" is accurate but makes them look bad. Kind of like "identity theft" which suggests the person whose identity was used is the victim and should handle all the cleanup.

Pixelation says:

This should be interesting

If he amends, gets to continue the lawsuit and eventually wins, what will AT&T do? Will you be required to go to an AT&T store with ID and give a fingerprint to do a sim swap? Since he had previously told AT&T to increase the security on his account, it does seem that they should have some liability.

Rocky says:

Re: This should be interesting

Using only your telephone-number for authentication (via SMS etc) isn’t very secure, the better solution is to use for example Google Authenticator or one of the alternatives for OTP that’s tied to your physical device. It’s not foolproof but it’s magnitudes better.

For a company like AT&T it should be quite easy to implement OTP et al, but the question is: are they willing? It all hinges on what will make more profit for them given their track-record.

Anonymous Coward says:

Re: Re: This should be interesting

For a company like AT&T it should be quite easy to implement OTP et al, but the question is: are they willing?

Even OTP is more than they need. A secret, maybe in QR form as used to set up OTP, would have prevented this attack. Just a piece of paper given by AT&T; "keep this safe and secret, and use it to recover your account if you lost your SIM, and your phone, and forgot all your PINs and passwords, and didn’t provide a verifiable ID card at signup".

And if you don’t have that, they could sign you up for a new account with a new phone number; then deactivate the old account, and after nobody complains or tries to use it for a few months, restore the original phone number.

MathFox says:

Re: This should be interesting

The first responsible are the scum that executed the fraud… second is the crypto-exchange for insufficient security. And if AT&T suggested to its customer that they had protections in place against these SIM-swap-scams, they have responsibility too. With responsibility comes liability; I don’t think the customer should get 100%, but I expect that AT&T will have to pay a significant fraction of the damage, for failing in its security procedures.

R.H. (profile) says:

Re: This should be interesting

Some African carriers have set up a database of recent SIM swaps that they allow banks to access.{Wired, possible paywall} Those banks can choose not to allow transfers to be approved by numbers that have recently been swapped. There has been a push from the financial and tech sectors in Europe and North America for our carriers to adopt the same method for additional security but, our carriers are reluctant. If this guy wins his case, maybe it’ll light a fire under the North American carriers to set up something similar here.

Anonymous Coward says:

Re: IMEI

The SIM card itself is a cryptographic authenticator, and most service requests should require the SIM card. The only time a telco employee should be able to access or change account information without a card is when the card is missing or damaged. And then there are alternate authenticators: the IMEI and/or phone, online logins, voicemail password. If someone can’t demonstrate control of any of that stuff, higher-level approval should be required, logged, and audited; an employee using such overrides 10 times as often as the average employee would be suspicious.

Anonymous Coward says:

You should not be able to get a sim card replaced unless you go to
a store with photo id .
Sms is not secure ,its easy to hack into,
it was not designed for security in the age of apps and smartphones .
IF i had 1 million dollars in crypto currency i would put my crypto wallet
on a pc which would be very secure with multiple passwords
and which would only be acessed with a finger print reader or maybe a usb dongle.
It should not be possible for someone to use your smartphone to
acess your crypto currency account .
if someone gets my sim card they cannot acess my
bank account ,
i have no banking apps or sign ins on my phone .
Had he no pin no,s or password s on his bank account ,
were all the apps on his phone hacked into
as well as his sim card .
If you have weak security on your apps and bank account pin
is ATT responsible for any hacks that accur on your phone ?

Anonymous Coward says:

Re: Re:

Guy specifically told ATT he wanted a pin put onto his account (6 numbers) that had to be confirmed BEFORE anything is done. Someone at ATT still allowed a scammer to steal the phone number, WITHOUT the pin.

Rest of why he was using his phone to secure something of such value is irrelevant. Many websites (Banking included) allow you to use ONLY text msg as 2FA, so if the cell company can not even follow your instructions and just gives away the numbers, how is ANYTHING safe? He told tham ahead of time NOT to allow any changes.

This guys case hopefully can change that practice. Most of us might lose few hundred and not worth going to court over.

Anonymous Coward says:

Re: Re: Re:

Rest of why he was using his phone to secure something of such value is irrelevant. Many websites (Banking included) allow you to use ONLY text msg as 2FA

It’s kind of weird. He was obviously sufficiently paranoid to know there was a risk—and correctly so. This paranoia can’t be rare for customers of cryptocurrency exchanges, so how do they get customers while offering such "security"?

R.H. (profile) says:

Re: Re: Re: Re:

The same thing is true of banks dealing in fiat currency. There are plenty of classical banks that don’t offer TOTP (Google Authenticator) compatibility and that require SMS as the second factor.

Working with investment banking, I’ve seen plenty of older people with hundreds of thousands or millions of dollars in checking accounts that would be vulnerable to this type of attack. Fortunately, I haven’t seen any investment bank with SMS only second factor but, I’ve only been in the industry for a few years.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...