A California judge has given the go-ahead for a $240m lawsuit against AT&T for porting a subscriber's phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.
Michael Terpin sued the mobile operator back in August 2018, revising his legal challenge a year later to make more specific allegations. This week, a judge rejected AT&T’s motion to dismiss the case, finding that Terpin had provided sufficient grounds for the US telco giant to have to defend its position in front of a jury.
At the heart of the matter is Terpin’s phone number. In June 2017, miscreants managed, after no fewer than 11 attempts in AT&T retail stores, to transfer his number to a smartphone under their control – a so-called SIM jacking attack. The phone was then used to gain access to cryptocurrency accounts linked to his phone number, to steal an unspecified amount of Bitcoin, and to impersonate him on Skype.
Terpin complained to AT&T, and the carrier agreed to put a special system in place under which any future changes to his account would require not only proof of ID but also a special six-digit code that only he and his wife knew.
Despite those additional measures, however, in January 2018, fraudsters were again able to hijack his phone number and, once again, broke into his cryptocurrency accounts, ultimately stealing $24m worth of Bitcoin, he alleged. Terpin is suing AT&T for not following its own agreed security protocol, and he wants punitive damages. AT&T denies it is responsible for any loss.
What was unclear in the original lawsuit was exactly how the hackers had used his hijacked phone number to gain access to his accounts, and thus whether AT&T should be held liable for the theft. AT&T argued the cryptocurrency accounts he used did not have two-factor authentication (2FA) enabled, and so it could not be held responsible.
How did it happen?
In his revised complaint, Terpin claimed hackers used his phone number to request a password change and 2FA token to a particular online account, which the thieves then entered and discovered a file that contained login details for his cryptocurrency wallets.
“A password reset request to [Mr. Terpin’s password protected] program or programs which then sent a 2FA message to Mr Terpin’s telephone number, which was by virtue of the SIM swap in the hackers’ possession,” the complaint reads [PDF].
The judge in his judgment this week noted that: “Mr Terpin further alleges that the hackers created new passwords, which allowed them to ‘locate a file with confidential information to access Mr Terpin’s [cryptocurrency] wallets and/or accounts.’ Mr Terpin alleges that, as a result, between January 7 and 8, 2018, the hackers stole nearly $24m worth of cryptocurrency from him.”
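The recovery flow described in the complaint is the general weakness of SMS-delivered reset codes: once a phone number is moved to a SIM the attacker holds, the password-reset channel and the second factor collapse into the same thing. The following model, which is an added example written for this piece and not code from the article, AT&T or any of the services involved, replays that flow against a constructed carrier record and sets it beside a hardened design that refuses recovery through a freshly changed SIM and demands a factor that never travels over the phone. All names, numbers, timestamps and the seven-day cooldown are constructed assumptions.

```python
"""Model of the account-recovery flow the complaint describes: a password
reset that delivers its 2FA code by SMS, so whoever controls the phone
number controls the account. Carrier, account and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac


@dataclass
class SimRecord:
    holder: str             # who currently controls the SIM for this number
    last_change: datetime   # when the number was last moved onto a new SIM


class Carrier:
    """Minimal carrier: maps a phone number to the SIM that receives its SMS."""

    def __init__(self) -> None:
        self.numbers: dict = {}

    def provision(self, phone: str, holder: str, when: datetime) -> None:
        self.numbers[phone] = SimRecord(holder, when)

    def sim_holder(self, phone: str) -> str:
        return self.numbers[phone].holder

    def sim_age(self, phone: str, now: datetime) -> timedelta:
        return now - self.numbers[phone].last_change


@dataclass
class Account:
    owner: str
    phone: str
    password: str
    # hash of a recovery code that is never delivered over the phone
    recovery_code_hash: Optional[bytes] = None


def hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def sms_only_reset(acct: Account, carrier: Carrier, requester: str, new_pw: str) -> bool:
    """Weak flow: the SMS code is the only check, so whoever holds the SIM
    for acct.phone can complete the reset."""
    if carrier.sim_holder(acct.phone) != requester:
        return False
    acct.password = new_pw
    return True


def hardened_reset(acct: Account, carrier: Carrier, requester: str, new_pw: str,
                   recovery_code: str, now: datetime,
                   cooldown: timedelta = timedelta(days=7)) -> bool:
    """Hardened flow (an assumed design, not any provider's): SMS remains the
    delivery channel, but a number moved to a new SIM within the cooldown is
    refused for recovery, and a phone-independent recovery code is required."""
    if carrier.sim_holder(acct.phone) != requester:
        return False
    if carrier.sim_age(acct.phone, now) < cooldown:
        return False                      # SIM changed too recently
    if acct.recovery_code_hash is None:
        return False                      # no phone-independent factor enrolled
    if not hmac.compare_digest(hash_code(recovery_code), acct.recovery_code_hash):
        return False                      # wrong recovery code
    acct.password = new_pw
    return True


def run_scenario() -> dict:
    """Replay the constructed scenario and report which flows let a
    SIM-swapped number reset the password."""
    carrier = Carrier()
    t0 = datetime(2017, 1, 1)
    carrier.provision("+15550100", "owner", t0)
    acct = Account("owner", "+15550100", "original-pw",
                   recovery_code_hash=hash_code("correct horse battery staple"))

    # The number is moved to a SIM held by someone else; the swap itself
    # happens at the carrier, the account service never sees it directly.
    swap_time = t0 + timedelta(days=370)
    carrier.provision("+15550100", "attacker", swap_time)
    an_hour_later = swap_time + timedelta(hours=1)

    results = {}
    results["weak_after_swap"] = sms_only_reset(acct, carrier, "attacker", "pw-1")
    acct.password = "original-pw"
    results["hardened_attacker"] = hardened_reset(
        acct, carrier, "attacker", "pw-2", "guess", an_hour_later)

    # The owner recovers the number on a new SIM: still inside the cooldown,
    # then once it has elapsed.
    restore_time = swap_time + timedelta(days=2)
    carrier.provision("+15550100", "owner", restore_time)
    results["hardened_owner_fresh_sim"] = hardened_reset(
        acct, carrier, "owner", "pw-3", "correct horse battery staple",
        restore_time + timedelta(hours=1))
    results["hardened_owner_after_cooldown"] = hardened_reset(
        acct, carrier, "owner", "pw-4", "correct horse battery staple",
        restore_time + timedelta(days=8))
    results["password"] = acct.password
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the cooldown check is that the carrier, not the account provider, is the only party that knows a SIM changed; exposing that signal (or simply declining SMS-based recovery for some days after a change) is the kind of "industry-standard security measure" the judgment refers to. The recovery code stands in for any factor that does not ride on the phone number, such as a hardware token or a printed backup code.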
It’s not clear what that account was – possibly a password manager or a cloud storage archive – and Terpin’s representatives refused our request for more information, though the judge was clear it didn’t matter precisely what account was involved, only that AT&T’s actions led directly to the theft.
“At this stage, Mr Terpin is not required to reconstruct the precise sequence of the hack, but rather, merely establish a ‘natural and continuous sequence’ of plausible events connecting the hackers’ access to his phone number to the theft of his cryptocurrency,” the judge ruled.
Critically, the judge decided Terpin had proved his case that there was a “special relationship” between himself and AT&T necessary for his claim of economic loss to be accepted legally. Terpin pointed to his contract with AT&T, the fact that AT&T had promised to keep his information confidential through the special six-digit PIN, and that by holding AT&T accountable it will require the telco to “provide reasonable, reliable, and industry-standard security measures.”
Not all his claims were accepted, however: the small print in his AT&T contract stating that it “cannot guarantee that your Personal Information will never be disclosed in a manner inconsistent with Policy” helped the company escape a Deceit by Concealment claim, and another claim was dismissed with prejudice.
Crucially, however, the size of the possible future reward is up for debate. For punitive damages to be applied – taking the case from the $24m he lost to the $240m he is claiming – he has to allege that “an officer, director, or managing agent of AT&T knew about or ratified the alleged wrongful conduct of which he complains.”
Even though Terpin names a specific AT&T employee, Jahmil Smith, and alleges he was “bribed by a criminal gang” to “fabricate information indicating that Mr Terpin visited [an AT&T] store and showed identification,” he still has to connect someone higher up to the theft and the failure to use the six-digit code in order to specifically sue for “corporate misconduct.”
In other words, if it was just one rogue employee, you can’t sue the entire organization for damages beyond what was lost. The judge has, however, given him 21 days to revise the complaint and allege a broader failure by AT&T to enforce its agreed security policies.
Taken overall, the decision to allow the case to move forward is an important one. The judge accepted that AT&T may well be responsible for the money lost by Terpin as a result of it handing over control of his phone number to someone who didn’t have the necessary proof of identification.
It will still be a long and difficult route to resolution, however. It remains unclear exactly how the phone number allowed the hackers into his accounts, and so it is currently impossible to say whether AT&T should bear some responsibility for what subsequently happened.
The case will nonetheless be worth watching for several reasons. For one, the use of mobile phones to confirm someone’s bona fides is increasingly common, and is an area of law with no clear precedents. And secondly, it could result in significant changes to how mobile networks handle customer requests and account security.
With our phones increasingly gateways to so much of our lives, the big question is: are we solely responsible for making sure they are secure, or do the companies that make money from the sale of phones and related data plans also share a degree of responsibility? ®