Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer and fooling the carrier into porting the victim's phone number (or moving it onto a new SIM) right out from underneath them. From that point the attacker receives the victim's calls and text messages, including the SMS verification codes that banks and exchanges send, and can pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number, then used the hijacked number to steal thousands of dollars' worth of cryptocoins.

T-Mobile customers aren't the only ones who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) over the same thing: somebody ran a SIM hijacking scam on AT&T, used the hijacked number to take over his identity and, in turn, stole $23.8 million in cryptocurrency. AT&T tried hard to have the case thrown out, but a Los Angeles federal judge last week issued a mixed ruling: he declined to dismiss the suit outright, while demanding that Terpin do a better job of showing how AT&T's failure led directly to the loss:

"Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss. However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible."

AT&T, as you might expect, has argued in court and in public that it's not liable for, well, anything. Ever.

Carriers frequently aren't keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.

In short, this isn't a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks (the 21 days noted above) to beef up his case before it proceeds:

"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."

Filed Under: cryptocurrency, liability, michael terpin, security, sim hijacking
Companies: at&t


Reader Comments

  • Gary (profile), 29 Jul 2019 @ 7:01am

    Liability aside, we need to re-think how we use our phones for security. They are an insecure mess.

    • Stephen T. Stone (profile), 29 Jul 2019 @ 7:06am

      We could always go back to the days when a phone was a phone instead of an all-in-one device. Flip phones are still around, y’know.

      • Michael, 29 Jul 2019 @ 7:54am

        Re:

        I'll take my horse and buggy into the marketplace and get me one of those right now.

      • Anonymous Coward, 29 Jul 2019 @ 8:17am

        Re:

        A flip phone would not have made any difference in the case described by the article.

      • Thad (profile), 29 Jul 2019 @ 8:30am

        Re:

        Flip phones are still around, y’know.

        And they're just as vulnerable to SIM swap attacks as smartphones.

        • Stephen T. Stone (profile), 29 Jul 2019 @ 8:33am

          Fair point.

        • Anonymous Coward, 29 Jul 2019 @ 9:25am

          Re: Re:

          And they're just as vulnerable to SIM swap attacks as smartphones.

          Terms like "SIM swap" and "phone hacking" come up but don't describe what's actually happening. "Telco fell for fraud" is accurate but makes them look bad. Kind of like "identity theft" which suggests the person whose identity was used is the victim and should handle all the cleanup.

          • Gary (profile), 29 Jul 2019 @ 9:49am

            Re: Re: Re:

            Exactly. Low-paid employees that hate their job are given access to vast amounts of personal information collected by AT&T. They are easy targets for scammers and hackers who need an inside angle.

            • Anonymous Coward, 29 Jul 2019 @ 10:36am

              Re: Re: Re: Re:

              They are easy targets for scammers and hackers who need an inside angle.

              ...and ordinary criminals who know nothing of hacking but know how to bribe people.

              • Gary (profile), 29 Jul 2019 @ 11:12am

                Re: Re: Re: Re: Re:

                ...and ordinary criminals who know nothing of hacking but know how to bribe people.

                I thought I'd covered that with "scammers" but sure. (Not all scammers are self-help authors; most are just low-grade criminals.)

                • Anonymous Coward, 29 Jul 2019 @ 12:27pm

                  Re: Re: Re: Re: Re: Re:

                  Fair enough, but "scam" implies a person was tricked, no? If I just offer a telco employee a bribe to change an account, then use that to reset a password and transfer money, the only "lie" (pretending like I'm the account owner) was made to a computer.

  • Pixelation, 29 Jul 2019 @ 7:02am

    This should be interesting

    If he amends, gets to continue the lawsuit and eventually wins, what will AT&T do? Will you be required to go to an AT&T store with ID and give a fingerprint to do a SIM swap? Since he had previously told AT&T to increase the security on his account, it does seem that they should have some liability.

    • Rocky, 29 Jul 2019 @ 7:18am

      Re: This should be interesting

      Using only your telephone number for authentication (via SMS etc.) isn't very secure; the better solution is to use, for example, Google Authenticator or one of the alternatives for OTP that's tied to your physical device. It's not foolproof, but it's magnitudes better.

      For a company like AT&T it should be quite easy to implement OTP et al., but the question is: are they willing? It all hinges on what will make more profit for them given their track record.

      • Anonymous Coward, 29 Jul 2019 @ 10:42am

        Re: Re: This should be interesting

        For a company like AT&T it should be quite easy to implement OTP et al, but the question is: are they willing?

        Even OTP is more than they need. A secret, maybe in QR form as used to set up OTP, would have prevented this attack. Just a piece of paper given by AT&T; "keep this safe and secret, and use it to recover your account if you lost your SIM, and your phone, and forgot all your PINs and passwords, and didn't provide a verifiable ID card at signup".

        And if you don't have that, they could sign you up for a new account with a new phone number; then deactivate the old account, and after nobody complains or tries to use it for a few months, restore the original phone number.

    • MathFox, 29 Jul 2019 @ 9:19am

      Re: This should be interesting

      The first responsible party is the scum that executed the fraud... second is the crypto exchange, for insufficient security. And if AT&T suggested to its customers that it had protections in place against these SIM-swap scams, it has responsibility too. With responsibility comes liability; I don't think the customer should get 100%, but I expect that AT&T will have to pay a significant fraction of the damage for failing in its security procedures.

    • tom (profile), 29 Jul 2019 @ 9:41am

      Re: This should be interesting

      Step 1 for AT&T will be to add a "Security Cost Recovery Fee" to all cell data plans.

    • R.H. (profile), 29 Jul 2019 @ 1:16pm

      Re: This should be interesting

      Some African carriers have set up a database of recent SIM swaps that they allow banks to access {Wired, possible paywall}. Those banks can choose not to allow transfers to be approved by numbers that have recently been swapped. There has been a push from the financial and tech sectors in Europe and North America for our carriers to adopt the same method for additional security, but our carriers are reluctant. If this guy wins his case, maybe it'll light a fire under the North American carriers to set up something similar here.

  • Anonymous Coward, 29 Jul 2019 @ 7:43am (comment flagged by the community)

    "Holy Ayyadurai, out_of_the_blue! AT&T was criticized again!" wailed Hamilton.

    "QUICK," declared blue as he randomly capitalized a word. "To the Horizontal Linemobile!"

  • Avantare, 29 Jul 2019 @ 7:50am

    IMEI

    Many, many years ago Cingular was asking for the IMEI tied to the number before they would do anything with the number.

    • Anonymous Coward, 29 Jul 2019 @ 10:35am

      Re: IMEI

      The SIM card itself is a cryptographic authenticator, and most service requests should require the SIM card. The only time a telco employee should be able to access or change account information without a card is when the card is missing or damaged. And then there are alternate authenticators: the IMEI and/or phone, online logins, voicemail password. If someone can't demonstrate control of any of that stuff, higher-level approval should be required, logged, and audited; an employee using such overrides 10 times as often as the average employee would be suspicious.

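The comment above sketches a carrier-side policy: the SIM is the primary authenticator, alternate authenticators (IMEI, online login, voicemail password) are accepted when the card is missing or broken, anything else needs a logged and audited higher-level override, and staff who use overrides about ten times as often as their peers get flagged. The Python below is an added illustration of that policy, not AT&T's process or the commenter's code. The authenticator names, the thresholds, the `pin_required` account flag (modelled on the account PIN that another comment on this page says Terpin had set) and the audit rows are all constructed. The outlier check uses the median colleague as its baseline rather than the mean, because a mean that includes the abuser is dragged up by exactly the behaviour it is meant to catch.

```python
"""Carrier-side authorization for SIM/number changes plus override auditing.

Added example, not a description of any carrier's real process. Factor names,
thresholds and the sample audit rows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, FrozenSet, List, Optional

# Possession of the SIM already on the account is the primary authenticator;
# the rest are fallbacks for a lost or broken card.
PRIMARY = frozenset({"sim_present"})
ALTERNATE = frozenset({"imei_match", "online_login", "voicemail_pin", "account_pin"})


@dataclass(frozen=True)
class Account:
    msisdn: str
    pin_required: bool = False   # customer asked that nothing change without the PIN


@dataclass(frozen=True)
class ChangeRequest:
    account: Account
    action: str                            # "sim_swap" or "port_out"
    demonstrated: FrozenSet[str] = frozenset()
    override_by: Optional[str] = None      # supervisor ID when no authenticator was shown


def authorize(req: ChangeRequest) -> str:
    """Return ALLOW, OVERRIDE (proceeds, but is logged for audit) or DENY."""
    if req.account.pin_required and "account_pin" not in req.demonstrated:
        # Design choice for this example: a PIN the customer explicitly asked for
        # is never waived, not even by a supervisor override.
        return "DENY"
    if req.demonstrated & (PRIMARY | ALTERNATE):
        return "ALLOW"
    if req.override_by:
        return "OVERRIDE"
    return "DENY"


def constructed_audit_rows() -> List[dict]:
    """Constructed sample, not real data: 12 agents handling 20 requests each.
    Eleven of them used a supervisor override once; agent e101 used it 15 times."""
    rows = []
    for i in range(12):
        agent = f"e{101 + i}"
        overrides = 15 if agent == "e101" else 1
        for n in range(20):
            rows.append({"agent": agent, "action": "sim_swap", "override": n < overrides})
    return rows


def override_outliers(rows: List[dict], factor: float = 10.0,
                      min_overrides: int = 3) -> Dict[str, float]:
    """Agents whose override rate is at least `factor` times the median agent's.

    Rate = overrides / requests handled, so a busy agent is not penalised for
    volume. The median is the baseline rather than the mean because one heavy
    abuser would drag the mean up and hide themselves. `min_overrides` stops a
    single override from being flagged when the median rate is zero."""
    handled: Dict[str, int] = defaultdict(int)
    overrode: Dict[str, int] = defaultdict(int)
    for row in rows:
        handled[row["agent"]] += 1
        if row["override"]:
            overrode[row["agent"]] += 1
    if not handled:
        return {}
    rates = {a: overrode[a] / handled[a] for a in handled}
    baseline = median(rates.values())
    return {
        a: rate for a, rate in rates.items()
        if overrode[a] >= min_overrides and rate >= factor * baseline
    }


if __name__ == "__main__":
    locked = Account("+15550100002", pin_required=True)
    print(authorize(ChangeRequest(locked, "sim_swap", frozenset({"imei_match"}), override_by="m7")))
    print(override_outliers(constructed_audit_rows()))
```

Run daily over the real override log, the second function produces the short list the comment asks for; the first function is the policy that should make that list short in the first place.
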
  • Anonymous Coward, 29 Jul 2019 @ 8:27am

    You should not be able to get a SIM card replaced unless you go to a store with photo ID. SMS is not secure; it's easy to hack into, and it was not designed for security in the age of apps and smartphones.

    If I had 1 million dollars in cryptocurrency I would put my crypto wallet on a PC which would be very secure with multiple passwords and which would only be accessed with a fingerprint reader or maybe a USB dongle. It should not be possible for someone to use your smartphone to access your cryptocurrency account. If someone gets my SIM card they cannot access my bank account; I have no banking apps or sign-ins on my phone.

    Had he no PIN numbers or passwords on his bank account? Were all the apps on his phone hacked into as well as his SIM card? If you have weak security on your apps and bank account PIN, is AT&T responsible for any hacks that occur on your phone?

    • Cdaragorn (profile), 29 Jul 2019 @ 10:30am

      Re:

      Finger print reader FTW. You only leave your fingerprint on half the stuff you touch anyway. I'm sure no one will manage to get into your account with your password plastered all over your home.

    • Anonymous Coward, 29 Jul 2019 @ 10:36am

      Re:

      Guy specifically told AT&T he wanted a PIN put onto his account (6 numbers) that had to be confirmed BEFORE anything is done. Someone at AT&T still allowed a scammer to steal the phone number, WITHOUT the PIN.

      The rest of why he was using his phone to secure something of such value is irrelevant. Many websites (banking included) allow you to use ONLY text messages as 2FA, so if the cell company cannot even follow your instructions and just gives away the numbers, how is ANYTHING safe? He told them ahead of time NOT to allow any changes.

      This guy's case hopefully can change that practice. Most of us might lose a few hundred, and that's not worth going to court over.

      • Anonymous Coward, 29 Jul 2019 @ 12:31pm

        Re: Re:

        Rest of why he was using his phone to secure something of such value is irrelevant. Many websites (Banking included) allow you to use ONLY text msg as 2FA

        It's kind of weird. He was obviously sufficiently paranoid to know there was a risk—and correctly so. This paranoia can't be rare for customers of cryptocurrency exchanges, so how do they get customers while offering such "security"?

        • R.H. (profile), 29 Jul 2019 @ 1:28pm

          Re: Re: Re:

          The same thing is true of banks dealing in fiat currency. There are plenty of classical banks that don't offer TOTP (Google Authenticator) compatibility and that require SMS as the second factor.

          Working with investment banking, I've seen plenty of older people with hundreds of thousands or millions of dollars in checking accounts that would be vulnerable to this type of attack. Fortunately, I haven't seen any investment bank with an SMS-only second factor, but I've only been in the industry for a few years.

  • Anonymous Coward, 29 Jul 2019 @ 9:34am

    yeah but...

    CBD based quantum bitcoin?

  • ECA (profile), 29 Jul 2019 @ 11:53am

    Whose??

    Whose Crypto did they steal??
    That customer's??
    WHY the hell did they have access over THE CELLPHONE, to a private currency, that has no federal protection???

    You might as well, store your real money in a Box, buried in the back yard...and leave the map sitting on the Coffee table..

    JFC..

  • Anonymous Coward, 30 Jul 2019 @ 2:48am

    Anti-SIM swap procedures prevent bank losses in Australia

    Other countries, including Australia, use a system for preventing SIM swaps from being used for bank fraud:
    https://www.wired.com/story/sim-swap-fix-carriers-banks/

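
Two comments on this page (R.H.'s above and this one) point to the arrangement in which carriers expose recent SIM-swap events and banks decline to treat an SMS code sent to a recently swapped number as approval for a transfer. The Python below is an added example of the bank-side decision; it is not code from the Wired article, from any carrier or from any bank. The feed format, the 72-hour cooling-off window and the phone numbers are assumptions constructed for the illustration. The one edge case it takes care of is time ordering: only swaps that happened before the transfer count, so the same check gives the right answer when it is replayed over historical transactions.

```python
"""Bank-side consumption of a carrier 'recent SIM swap' feed.

Added example. The feed schema, the cooling-off period and the MSISDNs are
constructed; real carrier feeds are not described on the page.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed feed rows: (MSISDN, UTC time the SIM or number last changed).
SWAP_FEED: List[Tuple[str, str]] = [
    ("+15550100001", "2019-07-28T14:05:00Z"),   # swapped yesterday
    ("+15550100001", "2018-11-02T08:00:00Z"),   # and once long before that
    ("+15550100002", "2019-01-03T09:30:00Z"),   # swapped months ago
]

COOLING_OFF = timedelta(hours=72)   # assumed policy window, not from the page


def parse_ts(ts: str) -> datetime:
    """Feed timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(feed: Iterable[Tuple[str, str]]) -> Dict[str, List[datetime]]:
    """Group swap times by number so the check at authorization time is a dict lookup."""
    index: Dict[str, List[datetime]] = {}
    for msisdn, ts in feed:
        index.setdefault(msisdn, []).append(parse_ts(ts))
    return index


def sms_otp_trusted(index: Dict[str, List[datetime]], msisdn: str, at: datetime,
                    cooling_off: timedelta = COOLING_OFF) -> Tuple[bool, str]:
    """Decide whether an SMS code sent to `msisdn` may approve a transfer at `at`.

    Only swaps that happened at or before the transfer count, and the most recent
    of them is compared with the cooling-off window. An untrusted result should
    route the customer to a non-SMS factor, not block the transfer outright."""
    prior = [t for t in index.get(msisdn, []) if t <= at]
    if not prior:
        return True, "no SIM change on record for this number"
    age = at - max(prior)
    if age < cooling_off:
        return False, f"SIM changed {age} before this transfer; require another factor"
    return True, f"last SIM change {age} ago, outside the {cooling_off} window"


if __name__ == "__main__":
    idx = build_index(SWAP_FEED)
    when = parse_ts("2019-07-29T10:00:00Z")
    for number in ("+15550100001", "+15550100002", "+15550100003"):
        print(number, sms_otp_trusted(idx, number, when))
```

The carrier's half of the arrangement is simply publishing the event; the bank keeps the policy (window length, what counts as step-up) on its own side, which is why the comments describe it as something banks can choose to use.
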
