A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.
Michael Terpin is suing the phone giant [PDF] for the value of the three million electronic coins plus $216m in punitive damages after he claims an AT&T employee at a store in Connecticut agreed, in person, to transfer his personal phone number to a new SIM card, despite the account having "high risk" protection following an earlier hacking effort.
The anonymous hacker then used his access to Terpin's phone number to bypass security on his cryptocurrency accounts, thanks to two-factor authentication sent by text, and transferred millions of dollars to a different account: an approach known as "SIM swap fraud."
Terpin claims AT&T admitted to him that the employee in question agreed to shift the SIM despite the security requirement that they ask for a valid form of ID and having ignored an additional "VIP" requirement that they provide a special six-digit passcode before changes are allowed on the account.
That six-digit extra security step was introduced after Terpin says his account had been targeted – and hacked – six months earlier through the same approach. That time, he says, a hacker made no less than 11 in-store attempts to steal his SIM information before finally succeeding.
On both occasions, the first Terpin knew of the hack was when his phone went dead. The second time, he says he knew immediately what had happened and tried immediately to contact AT&T to shut the phone down but was stymied by the fact it was a Sunday and "AT&T's fraud department apparently does not work on Sundays." By the time he regained access, $23.8m in bitcoin had gone missing, he claims.
By failing to follow procedures and given the extra security on his accounts, Terpin claims that AT&T has broken multiple laws and lists no less than sixteen claims for relief ranging from negligence to breach of contract to insufficient security and providing unlawful access to personal information.
SIM swap fraud became an issue more than six years ago and has become an increasing problem, particularly with the growing use of two-factor authentication with hackers often targeting specific individuals.
There are a number of different ways that criminals carry it out but broadly they first gain access to an individual's username and password – often through malware introduced on their computer – and then contact their mobile phone company and provide a plausible story why their number needs to be transferred to a new SIM card.
Once an attacker has access to their mobile phone, they are able to use it to provide the secondary identification that many online services now require before making significant changes.
Korean cryptocoin exchange $30m lighter after hacking attackREAD MORE
Mobile phone companies responded to early attacks by adding the requirement that employees require a valid ID of the account holder before making any such changes but a number of cases have emerged where criminals paid phone company employees to make changes. Terpin alleges that's what happened in this case, given that neither a valid ID nor the special six-figure passcode were asked for porting his details to a new SIM.
The big legal question of course is whether AT&T is then liable for what is done with that access. Although it appears to have failed to implement its own security requirements – if we take Terpin's account of the theft to be entirely accurate – AT&T's lawyers will no doubt argue that it cannot be held responsible for everything that happens subsequently.
After all, a hacker would still have required Terpin's username and password to access a secure cryptocurrency wallet.
There are several elements in the lawsuit that suggest Terpin's lawsuit may not have the tightest legal case, including a colorful but somewhat meandering and irrelevant legal argument in which SIM swap fraud is called a "metastasizing cancer" and AT&T's security a "modern-day Maginot line."
It cites a relevant FCC fine against AT&T for not protecting its users' privacy but also goes into some depth on an irrelevant argument about media coverage of other SIM fraud cases. The lengthy claims for relief rely heavily on California business law and contractual arguments – which is rarely a good sign when going up against a huge corporation.
Regardless, if Terpin's version of events are comprehensive, it would appear that AT&T failed to implement its own security arrangements and the fact that the account had already been flagged as high risk makes Terpin's case that much stronger.
AT&T for its part has promised to fight the lawsuit. "We dispute these allegations and look forward to presenting our case in court," said a representative. ®