Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security
from the ill-communication dept
Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.
T-Mobile customers aren't the only users who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency. And while AT&T tried hard to have the case dismissed, a Los Angeles federal judge last week issued a mixed ruling that nixed AT&T's request to dismiss the case, but demanded that Terpin do a better job highlighting how AT&T is directly responsible:
"Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss. However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible."
AT&T, as you might expect, has argued in court and in public that it's not liable for, well, anything. Ever.
Carriers frequently aren't keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.
In short this isn't a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks to beef up his case before it proceeds:
"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cryptocurrency, liability, michael terpin, security, sim hijacking
Companies: at&t
Reader Comments
Subscribe: RSS
View by: Time | Thread
Liability aside, we need to re-think how we use our phones for security. They are an insecure mess.
[ link to this | view in chronology ]
We could always go back to the days when a phone was a phone instead of an all-in-one device. Flip phones are still around, y’know.
[ link to this | view in chronology ]
Re:
I'll take my horse and buggy into the market place and get me one of those right now.
[ link to this | view in chronology ]
Re:
A flip phone would not have made any difference in the case described by the article.
[ link to this | view in chronology ]
Re:
And they're just as vulnerable to SIM swap attacks as smartphones.
[ link to this | view in chronology ]
Fair point.
[ link to this | view in chronology ]
Re: Re:
Terms like "SIM swap" and "phone hacking" come up but don't describe what's actually happening. "Telco fell for fraud" is accurate but makes them look bad. Kind of like "identity theft" which suggests the person whose identity was used is the victim and should handle all the cleanup.
[ link to this | view in chronology ]
Re: Re: Re:
Exactly. Low-paid employees that hate their job are given access to vast amounts of personal information collected by AT&T. They are easy targets for scammers and hackers who need an inside angle.
[ link to this | view in chronology ]
Re: Re: Re: Re:
...and ordinary criminals who know nothing of hacking but know how to bribe people.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
...and ordinary criminals who know nothing of hacking but know how to bribe people.
I thought I'd covered that with "Scammers" but sure. (Not all scammers are self-help authors, most are just low grade criminals.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Fair enough, but "scam" implies a person was tricked, no? If I just offer a telco employee a bribe to change an account, then use that to reset a password and transfer money, the only "lie" (pretending like I'm the account owner) was made to a computer.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Fair.
[ link to this | view in chronology ]
This should be interesting
If he amends, gets to continue the lawsuit and eventually wins, what will AT&T do? Will you be required to go to an AT&T store with ID and give a fingerprint to do a sim swap? Since he had previously told AT&T to increase the security on his account, it does seem that they should have some liability.
[ link to this | view in chronology ]
Re: This should be interesting
Using only your telephone-number for authentication (via SMS etc) isn't very secure, the better solution is to use for example Google Authenticator or one of the alternatives for OTP that's tied to your physical device. It's not foolproof but it's magnitudes better.
For a company like AT&T it should be quite easy to implement OTP et al, but the question is: are they willing? It all hinges on what will make more profit for them given their track-record.
[ link to this | view in chronology ]
Re: Re: This should be interesting
Even OTP is more than they need. A secret, maybe in QR form as used to set up OTP, would have prevented this attack. Just a piece of paper given by AT&T; "keep this safe and secret, and use it to recover your account if you lost your SIM, and your phone, and forgot all your PINs and passwords, and didn't provide a verifiable ID card at signup".
And if you don't have that, they could sign you up for a new account with a new phone number; then deactivate the old account, and after nobody complains or tries to use it for a few months, restore the original phone number.
[ link to this | view in chronology ]
Re: This should be interesting
The first responsible are the scum that executed the fraud... second is the crypto-exchange for insufficient security. And if AT&T suggested to its customer that they had protections in place against these SIM-swap-scams, they have responsibility too. With responsibility comes liability; I don't think the customer should get 100%, but I expect that AT&T will have to pay a significant fraction of the damage, for failing in its security procedures.
[ link to this | view in chronology ]
Re: This should be interesting
Step 1 for AT&T will be to add a "Security Cost Recovery Fee" to all cell data plans.
[ link to this | view in chronology ]
Re: Re: This should be interesting
And there will be no step 2.
[ link to this | view in chronology ]
Re: Re: Re: This should be interesting
Sure there will be a step 2 - it'll just be another fee but there will be a step 2
[ link to this | view in chronology ]
Re: Re: Re: Re: This should be interesting
Step 2 will be the "Administrative Fee to cover time spent implementing the Security Cost Recovery Fee."
[ link to this | view in chronology ]
Re: This should be interesting
Some African carriers have set up a database of recent SIM swaps that they allow banks to access.{Wired, possible paywall} Those banks can choose not to allow transfers to be approved by numbers that have recently been swapped. There has been a push from the financial and tech sectors in Europe and North America for our carriers to adopt the same method for additional security but, our carriers are reluctant. If this guy wins his case, maybe it'll light a fire under the North American carriers to set up something similar here.
[ link to this | view in chronology ]
"Holy Ayyadurai, out_of_the_blue! AT&T was criticized again!" wailed Hamilton.
"QUICK," declared blue as he randomly capitalized a word. "To the Horizontal Linemobile!"
[ link to this | view in chronology ]
Re:
Where's Poochie?
[ link to this | view in chronology ]
Re: Re:
No, seriously, where's Poochie?
[ link to this | view in chronology ]
IMEI
[ link to this | view in chronology ]
Re: IMEI
The SIM card itself is a cryptographic authenticator, and most service requests should require the SIM card. The only time a telco employee should be able to access or change account information without a card is when the card is missing or damaged. And then there are alternate authenticators: the IMEI and/or phone, online logins, voicemail password. If someone can't demonstrate control of any of that stuff, higher-level approval should be required, logged, and audited; an employee using such overrides 10 times as often as the average employee would be suspicious.
[ link to this | view in chronology ]
You should not be able to get a sim card replaced unless you go to
a store with photo id .
Sms is not secure ,its easy to hack into,
it was not designed for security in the age of apps and smartphones .
IF i had 1 million dollars in crypto currency i would put my crypto wallet
on a pc which would be very secure with multiple passwords
and which would only be acessed with a finger print reader or maybe a usb dongle.
It should not be possible for someone to use your smartphone to
acess your crypto currency account .
if someone gets my sim card they cannot acess my
bank account ,
i have no banking apps or sign ins on my phone .
Had he no pin no,s or password s on his bank account ,
were all the apps on his phone hacked into
as well as his sim card .
If you have weak security on your apps and bank account pin
is ATT responsible for any hacks that accur on your phone ?
[ link to this | view in chronology ]
Re:
Finger print reader FTW. You only leave your fingerprint on half the stuff you touch anyway. I'm sure no one will manage to get into your account with your password plastered all over your home.
[ link to this | view in chronology ]
Re: Re:
Or, you know, your fingers. They don't know which, so they will just take them all.
[ link to this | view in chronology ]
Re:
Guy specifically told ATT he wanted a pin put onto his account (6 numbers) that had to be confirmed BEFORE anything is done. Someone at ATT still allowed a scammer to steal the phone number, WITHOUT the pin.
Rest of why he was using his phone to secure something of such value is irrelevant. Many websites (Banking included) allow you to use ONLY text msg as 2FA, so if the cell company can not even follow your instructions and just gives away the numbers, how is ANYTHING safe? He told tham ahead of time NOT to allow any changes.
This guys case hopefully can change that practice. Most of us might lose few hundred and not worth going to court over.
[ link to this | view in chronology ]
Re: Re:
It's kind of weird. He was obviously sufficiently paranoid to know there was a risk—and correctly so. This paranoia can't be rare for customers of cryptocurrency exchanges, so how do they get customers while offering such "security"?
[ link to this | view in chronology ]
Re: Re: Re:
The same thing is true of banks dealing in fiat currency. There are plenty of classical banks that don't offer TOTP (Google Authenticator) compatibility and that require SMS as the second factor.
Working with investment banking, I've seen plenty of older people with hundreds of thousands or millions of dollars in checking accounts that would be vulnerable to this type of attack. Fortunately, I haven't seen any investment bank with SMS only second factor but, I've only been in the industry for a few years.
[ link to this | view in chronology ]
yeah but...
CBD based quantum bitcoin?
[ link to this | view in chronology ]
Whose??
Whose Crypto did they steal??
That customers??
WHY the hell did they have access over THE CELLPHONE, to a private currency, that has no federal protection???
You might as well, store your real money in a Box, buried in the back yard...and leave the map sitting on the Coffee table..
JFC..
[ link to this | view in chronology ]
Anti-SIM swap procedures prevent bank losses in Australia
Other countries, including Australia, use a system for preventing SIM swaps from being used for bank fraud:
https://www.wired.com/story/sim-swap-fix-carriers-banks/
[ link to this | view in chronology ]
AAfter reading all this news I feel paranoia. I only hope that my primexbt trading account would be saved and my phone is not hacked.
[ link to this | view in chronology ]