AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency
from the whoops-a-daisy dept
It has only taken a few years, but the press, public and law enforcement appear to finally be waking up to the problem of SIM hijacking. SIM hijacking (aka SIM swapping or a "port out scam") involves a hacker hijacking your phone number, porting it over to their own device (often with a wireless carrier employee's help), then taking control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data.
Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts. Case in point: California authorities recently brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin.
One of the problems at the core of this phenomenon is that hackers have either tricked or paid wireless carrier employees to aid in the hijacking, or in some instances appear to have direct access to (apparently) poorly-secured internal carrier systems. That has resulted in lawsuits against carriers like T-Mobile for not doing enough to police their own employees, the unauthorized access of their systems, or the protocols utilized to protect consumer accounts from this happening in the first place.
While T-Mobile has received the lion's share of negative press attention on this subject in recent months, AT&T this week got dragged into the fun. The company was sued this week for $224 million by a customer who says AT&T's failure to adequately protect his account resulted in the theft of nearly $24 million in cryptocurrency. The full complaint (pdf) notes that AT&T customer Michael Terpin is seeking $200 million in punitive damages and $24 million of compensatory damages for the cryptocurrency losses.
The suit alleges that Terpin had his phone number stolen and ported out at least twice between mid-2017 and early 2018, after which the thief hijacked his identity to empty out his cryptocurrency accounts. Terpin also accuses AT&T of failing to protect its customers despite ample press coverage of the SIM hijacking phenomenon. Worse perhaps, the lawsuit alleges that the thief successfully hijacked his phone number despite AT&T adding "higher security level" protections, which AT&T specifically stated would protect his account from such hijinks. From the complaint:
"AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care."
Again, carriers haven't really wanted to talk about this phenomenon, or the fact that their own employees are frequently either being hoodwinked or paid to participate in these thefts. And while carriers are trying to add additional security to prevent such ports (for example, T-Mobile customers should call 611 from their phone and demand a "port validation" passcode), the problem of carrier employees playing a starring role in these scams hasn't yet been fully addressed. It's likely the growing number of lawsuits by hoodwinked users will add some additional incentive to do so.
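What a port validation passcode check looks like on the carrier side, as an added illustration (this is not code from AT&T, T-Mobile or Techdirt; the account model, the three-attempt lockout and the channel labels are assumptions made for the example): a port-out request is denied unless the passcode on file matches, failed attempts count against the account rather than per call so that retrying with a different agent does not reset the limit, an account with no passcode on file is denied rather than falling back to weaker identity questions, and every decision is written to an audit trail that a fraud team can review.

```python
"""Model of a carrier-side port-out authorization check.

Added illustration, not any carrier's real code. The policy values
(three failed attempts, per-account lockout) are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3  # assumed policy value for the example


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Store only a salted, stretched hash so a leaked record does not reveal the passcode."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    number: str
    passcode_salt: Optional[bytes] = None
    passcode_hash: Optional[bytes] = None
    failed_attempts: int = 0          # counted per account, across all channels
    locked: bool = False
    audit: List[str] = field(default_factory=list)

    def set_port_passcode(self, passcode: str) -> None:
        """Customer-initiated: sets the port validation passcode and resets the counter."""
        self.passcode_salt = os.urandom(16)
        self.passcode_hash = hash_passcode(passcode, self.passcode_salt)
        self.failed_attempts = 0
        self.locked = False
        self.audit.append("passcode set by customer")


def authorize_port_out(acct: Account, supplied: Optional[str], channel: str) -> bool:
    """Return True only when the port-out may proceed; log every decision.

    `channel` labels where the request came from (retail store, call center,
    web form) purely for the audit trail; the decision never depends on it.
    """
    if acct.locked:
        acct.audit.append(f"{channel}: denied, account locked after repeated failures")
        return False
    if acct.passcode_hash is None or acct.passcode_salt is None:
        # No passcode on file: deny instead of falling back to weaker checks.
        acct.audit.append(f"{channel}: denied, no port passcode on file")
        return False
    if supplied is None:
        acct.audit.append(f"{channel}: denied, no passcode supplied")
        return False

    candidate = hash_passcode(supplied, acct.passcode_salt)
    if hmac.compare_digest(candidate, acct.passcode_hash):  # constant-time compare
        acct.failed_attempts = 0
        acct.audit.append(f"{channel}: port-out authorized")
        return True

    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.audit.append(f"{channel}: denied, wrong passcode; account now locked")
    else:
        acct.audit.append(f"{channel}: denied, wrong passcode")
    return False


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses through three different
    # call-center agents lock the account; the right code no longer helps.
    acct = Account("555-0100")  # constructed sample number
    acct.set_port_passcode("48213")
    for agent, guess in (("call-center-a", "00000"), ("call-center-b", "11111"),
                         ("call-center-c", "22222"), ("call-center-d", "48213")):
        print(agent, authorize_port_out(acct, guess, agent))
    print("\n".join(acct.audit))
```

The point of counting failures per account rather than per call is the one the T-Mobile complaint quoted in the comments below describes: an attacker who can keep phoning until a lenient agent picks up must not get a fresh set of attempts each time. Unlocking in practice would require an out-of-band step the attacker does not control (for example, the customer presenting identification in person), which the example deliberately leaves out.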
Filed Under: cryptocurrency, michael terpin, security, sim hijack
Companies: at&t
Reader Comments
The First Word
"from the the-more-things-change dept."
We don't care. We don't have to. We're the phone company!
I can dream, right?
How does one access accounts from their phone? Does this have to be set up previously? Are passwords stored on the phone?
Re: Re:
Another reason to not tie anything to the cell
Re: Re:
Many sites use additional "security" questions. Some of these questions are based upon public info like where were you born, so they may be easily obtained if you use your real info for these questions.
I'm not a Luddite if I avoid newfangled devices that invite criminal activities on my behalf... am I?
Re: Re:
Banks, and pseudobank cryptocoin sites, should know better. Ultimately, their negligence (validating identity via insecure methods) is to blame.
The whole point of cryptocurrency was that you wouldn't need banks anymore.
Had he done this properly, his wallet is merely a (hopefully backed up) file on his computer, one that only he knows the password for.
Re:
He secured it correctly; AT&T's method of protecting his mobile account is the root cause of all this. What if someone managed to get access to your traditional bank due to your mobile account being compromised? Would you just brush it off, blame the bank, or blame the mobile network provider for granting someone else access to your account for $100?
Re: Re:
He did not secure it correctly. He gave it to someone else, who promised to maybe give it back later.
AT&T's failure to secure his phone number is completely incidental. Had this not happened, he'd have lost his cryptocurrency anyway eventually.
AT&T never promised to be someone's password manager for their accounts. People use them for this, even if they don't realize they're doing so. It places an impossible burden on AT&T. If they stopped doing this, the worst that could happen would be a few prank calls.
How is a phone company supposed to confirm that a person truly wants to port their number? What uncompromised channel of communication is left for them to figure this out?
Telling them to "do more" without explaining how they could accomplish this is dumb.
Re: Re: Re:
If they didn't set up the PIN for this person, or if the customer service rep didn't ask the caller for the PIN before making changes to the account, that's totally on AT&T.
Note that this is the same thing that happened to the customer who's suing T-Mobile: "The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification."
Re: Re: Re: Re:
People will still have their numbers ported. People will still have fortunes stolen from them (partly because they don't understand cryptocurrency). People will still wail and gnash teeth.
The only thing the PIN changes is that AT&T has an invincible defense in court (someone had the right PIN, how can it be our fault!).
Stop using your phone number as the master password to your life. Stop using cryptocurrency banks.
Re: Re: Re: Re: Re:
It's not the password, it's either a recovery method or a 2FA device. I do agree that we should avoid using phone numbers to such ends due to their inherent insecurity (though having the phone as a 2FA is better than having nothing). However, it doesn't invalidate the fact that telcos have to fix these issues because even if you don't use the phone as any of those, having your line taken over may pose all kinds of problems outside cryptocurrency.
As for "stop using cryptocurrency banks", I'd say cryptocurrencies need to include some way of sharing wallet functions if the owner needs to. The banking system has many perks we use other than simply storing cash, and cryptocurrencies as they are now are not ready to replace banks.
Re: Re: Re: Re: Re:
I think people are kind of dumb to trust these appliances and services, and frequently don't bother to do minimal securing of anything themselves, even when tools are provided or available. But the entire system, corporate-wise and code-wise, is based on the "(barely (or not really)) good enough" philosophy.
But at the core of this matter, the issue is: Service providers not following the protocol already in place, which is plenty good enough to stop numbers from being incorrectly ported by actors who have not managed to gain access to any credentials prior to the port.
Having $24m in cryptocurrency, yeah, I would do a bit more to secure that. It doesn't change the fact that the mobile providers are full-on fail here. The porting issue still exists for those of us who have absolutely nothing of value connected to our devices.
I do See
If a cop shoots you dead for no good reason it is OK because eventually you were going to die anyway?
For all you know, in another week he was moving his money out of bitcoins.
Re: Re:
AT&T and other companies will not come up with a better process for determining whether a number port is legitimate. First they're incompetent. Even if some other organization could figure out the problem, they couldn't. Second it's an impossible problem. They might be able to reduce the number of swindles slightly, but only by becoming ever more invasive and making it difficult to port your number when you really want to. Third, this problem is ultimately caused by you, the user.
You're the one that smiled and said "sign me up" when Facebook and other companies wanted to start using your phone number as your master password. You never bothered to understand passwords your entire life (what do you mean I can't have the same password on every website!?!). You ooh and ahh when Wired or Ars Technica puts up an article promising to make all the badness go away without you putting in any effort (I don't know what 2FA is, but it sounds like magic, wonderful magic!).
This man (and all the rest) could have chosen to do the following: get password manager software, memorize a single long/difficult password, make all his other passwords 100 characters of unique garbage, use one of those for his wallet file, and keep it on his own computer and not in some Mt. Gox swindle bank.
He didn't do these things, now he's out millions. If you want to lose fortunes too, you can do what he did and you can also have the hobby of finding people like me on the internet and screaming "you're victim blaming!".
His stupidity was punished. Yours will be punished too.
Re: Re: Re:
They will if they're encouraged enough to. The question is whether the courts and the market can force their hand.
"Third, this problem is ultimately caused by you, the user."
You are also a user, genius. That you avoid certain obvious (to you) security risks does not make you immune, it only means that you potentially wouldn't have been caught by this particular scam. There will be others.
"I don't know what 2FA is"
You don't know what the fundamental underpinning of this entire case is, can't Google it for 5 seconds to find out, yet proclaim yourself better than who you're talking to about the subject? Hmmm...
"His stupidity was punished. Yours will be punished too."
Your arrogance and wilful ignorance will be, also.
Re: Re: Re: Re:
Are you threatening people on this blog?
2FA
He's coming on too strong, but he's correct that putting your Bitcoins in places like Mt. Gox and using your phone number as a password reset mechanism are RECIPES FOR DISASTER. Don't do it and don't suggest that others should either.
Re: 2FA
But, it's still incredibly arrogant to state that people deserve to lose large amounts of money because they don't know as much about internet security as us here, especially since the security system is one used and approved of by so many sources the average person would trust. It's basically like a locksmith going "yeah, you used Yale locks, of course you deserved to have your house cleared out!"
Couldn't they just change their passwords on the accounts (such as with a password manager) to make the SIMs useless (assuming they change the passwords in time)?
Or better yet, couldn't they require two factor authentication or something like that to access the Bitcoins?
Re: stop using his name jackbid
The user could not change their password without the 2FA device, in this case his phone.
That makes AT&T an active conspirator and accomplice in the thefts.
Re: Re: stop using his name jackbid
We saw how many of those companies were 'brought to justice' (zero in case you missed it), so I'm sure we can expect the same apathy and indifference to the financial ruin they are causing individuals, as long as their bottom line is growing...
So HIT THEM WHERE IT HURTS... STOP BUYING THE BIG TELINFOMEDIA COMPANY PRODUCTS AND SERVICES. but then when ALL OUR BASE ARE BELONG TO THEM, there isn't much else we can do, (sue, sue, sue...) now is there.
Re:
If in your private life your computing device is your phone, how do you do that when it stops working? You now need another phone or a computer to do anything online.
A likely scenario, as this sort of crime needs prior research, is that on having the phone transferred, they then do a password recovery on the email account, and now they have time to rob you blind while you try and figure out how you do anything online.
Re: Re:
Then you have other serious issues.
O.K., not as convenient as the current system, but convenience is always the enemy of security.
As long as email accounts are kept secure (strong Captcha protection), that should be more than sufficient, rather than demanding users compromise themselves both in terms of security and privacy by providing phone numbers to tie to accounts.
Lately Google has stepped up its user hostility by not only demanding phone numbers for account authentication, but also by flat-out refusing to let you log in from a different IP address. If you are travelling and attempt to log in from a different IP address on an unrecognized device, you have no way of accessing an email account unless a) you provide a phone number or b) you have linked a secondary email to the primary you're trying to get access to (which may or may not still require providing a phone number to get access, and still presents a privacy issue as you may not want to link the multiple different email addresses you use together).
We're in a terrifying age of technology, where ease of use appears to trump good security policies.
Re:
Now Google is a bit different. To get a new account (I want a new account for my second tablet) they won't give me one without a phone number. The option is to give them someone else's phone number, so they can send their verification code. You use the code and open the account and then go in and change or delete the phone number. It must make sense to someone...who isn't me.
Re: Re: Re:
My intention was to get a new account for my second Android tablet that had no relationship with any of my other accounts, so they could not be compromised. It's not like I have anything to compromise, but the principle still holds.
Techdirt says put third-party liability on ATT.
First, let's all weep for this multi-millionaire who thought he'd gained yet more millions without lifting a finger. Boohoo. I'm done.
"Wesley Bidsnipes" has already pointed out the not just legal "hurdle" but thousand-foot cliff that must be jumped to get anywhere in a suit. This is no more than an extortion attempt to leverage his own stupidity with lawyering.
--> The "2FA" point simply highlights that phones and gadgets are inherently insecure! ANYONE WITH BRAINS DOESN'T KEEP ANYTHING VALUABLE ON THEM! MIGHT AS WELL BE CASH IN A PAPER BAG!
Sheesh.
So, HOW can anyone possibly blame ATT? ... Only due to irrational hate from minions and fanboys.
The best part about your stupid monikers
You did after all admit you got the idea from him...
Re:
Your phone number is not.
So the phone company is expected to do more than the customer.
While ATT is the devil, shall we look at where this should fall apart.
His phone was ported out not once, but twice... he still used his phone to secure his fortune.
Well, the Pinto blows up if hit from behind even by a shopping cart, but it's really nice to go get groceries. o_O OMG my Pinto exploded!!!!!! I'm suing Ford!!! What do you mean there was ample press coverage of it exploding if a shopping cart bumped it... they are still responsible for my inaction in parsing my risk... with the 3rd Pinto.
Nearly every major corporation's policy to secure things for consumers is a shit show. The cost of placating the suckers is less than paying to have actual security... so ya think they will spend money on security??
Anyone tried password1 on the Equifax portal yet?
Re:
Well, yes, ideally the phone company should not be giving its customers' phone numbers away to other people.
...if your car explodes due to a manufacturer's defect, then yes, the manufacturer is damn sure responsible, regardless of whether you made a sensible purchase decision.
Re:
Embellish much?
Auntie Beeb says Vodafone is just as rubbish...
"Vodafone customer service agents can receive monthly bonuses worth up to £150 for high customer satisfaction scores alone. However, low scores can also result in them being placed on action plans to improve their performance."
One more incentive for lax security. Gotta love it.