$24 million SIM-swap cryptocurrency heist victim sues AT&T
Phone numbers are valuable data worth protecting, but there's not much to be done about inside jobs.
SIM swaps are the bane of everyone relying on 2-factor authentication (2FA), which many people quite reasonably are.
2FA requires people to approve certain logins or transactions on their phones in addition to having the usual password. The idea is that even if someone manages to steal your passwords, they can't get into important accounts without having your actual physical phone.
SIM swapping is the crook's way around this. Basically, the thief walks into a provider's store and pretends to be the person they're trying to rob. They'll tell a story about upgrading their phone, needing a replacement or whatever else feels right. If all goes to plan, they'll get a functional phone with the victim's phone number. Now the 2FA alerts will be sent to that new phone.
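Once a number has been moved to another SIM, an SMS code sent to it proves nothing about who holds the account. As an added example (not code from the article or from any carrier), the policy below shows how a service can refuse to treat SMS as a second factor right after a SIM change and insist on a stronger factor, or hold a high-value action for review. It assumes the service can learn when the number's SIM was last changed (for instance from a carrier lookup) and whether the customer has a carrier-side number lock; both of those inputs, and the seven-day cool-off period, are assumptions for the example.

```python
"""SMS second-factor gate that reacts to a recent SIM change.

Assumed inputs (not from the article): a timestamp for the number's
last SIM change and a flag saying the customer asked the carrier to
lock the number against changes. The cool-off window is a chosen value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    SEND_SMS = "send_sms"                      # SMS code may be trusted
    REQUIRE_STRONG = "require_strong_factor"   # app or hardware token only
    HOLD = "hold_and_alert"                    # block the action, page fraud team


@dataclass(frozen=True)
class NumberStatus:
    number: str
    last_sim_change: Optional[datetime]  # None: no change on record
    number_lock: bool                    # carrier-side lock requested


COOL_OFF = timedelta(days=7)  # assumed: how long a fresh SIM is treated as suspect


def sms_factor_decision(status: NumberStatus, now: datetime, high_value: bool) -> Decision:
    """Decide whether an SMS code sent to this number can count as 2FA."""
    if status.last_sim_change is None or now - status.last_sim_change >= COOL_OFF:
        return Decision.SEND_SMS
    # A SIM change inside the window is exactly what a swap looks like from here.
    if status.number_lock:
        # The customer locked the number and it changed anyway: the lock was
        # bypassed, so do not let any factor on this number approve the action.
        return Decision.HOLD
    if high_value:
        return Decision.HOLD
    return Decision.REQUIRE_STRONG


# Fixed "now" so the scenarios below are reproducible (constructed value).
NOW = datetime(2018, 8, 19, 12, 0, tzinfo=timezone.utc)


def decide(hours_since_change: Optional[float], number_lock: bool, high_value: bool) -> str:
    """Convenience wrapper: build a NumberStatus relative to NOW and return the decision name."""
    changed = None if hours_since_change is None else NOW - timedelta(hours=hours_since_change)
    status = NumberStatus("+15555550100", changed, number_lock)  # constructed number
    return sms_factor_decision(status, NOW, high_value).value


def demo() -> Dict[str, str]:
    """Run the constructed scenarios and return scenario -> decision."""
    return {
        "no change on record, withdrawal": decide(None, False, True),
        "changed 30 days ago, login": decide(30 * 24, False, False),
        "changed 2 hours ago, login": decide(2, False, False),
        "changed 2 hours ago, withdrawal": decide(2, False, True),
        "changed 2 hours ago despite lock, login": decide(2, True, False),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:45s} -> {outcome}")
```

The lock case is the one the article's story turns on: the customer had asked for every available protection and the change happened anyway, which is a stronger signal than an ordinary SIM change and is why the gate escalates it to a hold rather than merely asking for another factor.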
Traditionally, SIM swapping has been used to buy new phones, iPads and other electronics on the victim's dime to resell for a quick buck. Other times, it has been used to successfully get at people's bank accounts. The rise of cryptocurrency has created a lot of new targets though, in the form of traders and their accounts on cryptocurrency exchanges.
With enough legwork and information about a person, a dedicated thief can remotely drain someone's account before the account holder even realises there's a problem. This information typically includes their full name, email, phone number and knowledge of which exchanges their victim uses – most of which can be easily found online.
How to lose it all
Banks and exchanges have no way of knowing whether the person asking for account access has genuinely been locked out or is a thief trying to break into someone else's account.
This might be why the person above never got a satisfactory resolution. They may have gotten off easy compared to Michael Terpin (yes, there is some irony in publishing their name here given the context), who lost $24 million of cryptocurrency to an enterprising SIM swapper. They're now suing AT&T for $240 million – $24 million to replace the lost currency and $216 million in punitive damages.
Based on the story told in the suit (PDF), which suggests that AT&T employees may have been deliberately cooperating in exchange for a cut of the take, Terpin might have every reason to be ticked off.
The story as the suit tells it:
- Terpin is an "experienced, high profile cryptocurrency investor."
- Having previously been a target of SIM swapping, Terpin put as much security on his accounts as possible. Everything required a password and valid identification.
- But in the end, it didn't make a difference because an AT&T employee just handed over the phone number and made the changes anyway.
- When his phone suddenly died, Terpin instantly knew what had just happened. He immediately rushed off to call AT&T's fraud department to get them to freeze the number. But it was a Sunday, so they were closed.
- Terpin couldn't do anything except sit idly by while a thief had the run of his identity. By the time AT&T's fraud department was back on Monday, the hacker had stolen $23.8 million worth of bitcoin.
"It was AT&T's act of providing hackers with access to Mr. Terpin's telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner," the suit says.
"This lawsuit seeks to hold AT&T accountable for its abject failure to protect subscribers like Mr. Terpin. Apparently, AT&T would prefer to buy Time Warner for over $85 billion than pay for a state-of-the-art security system and hire, train, and supervise competent and ethical employees—even when it was well known to AT&T that its system was vulnerable to precisely the type of hack experienced by Mr. Terpin. A verdict for $24 million of compensatory damages and over $200 million for punitive damages might attract the attention of AT&T's senior management long enough to spend serious money on an acceptable customer protection program and measures to ensure that its own employees are not complicit in theft and fraud."
It's an interesting side effect of the digital age that phone companies are just as important as banks for keeping their customers' money safe.
Without a distinct and deliberate shift, in which mobile phone carriers are held more accountable for the sheer value of the numbers under their control, it's probably no surprise that inside jobs, as this one allegedly was, are so common. Phone numbers might be just as valuable and worth protecting as any other confidential personal information, even if they're not yet treated as such.
If it's successful, this lawsuit might be expensive enough to get the ball rolling.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.