AT&T Sued Over $24 Million Cryptocurrency SIM Hijack Attacks
Michael Terpin Alleges Carrier Failed to Protect His Phone Number
A cryptocurrency investor is suing AT&T for $224 million, alleging he lost $24 million in virtual currency after the carrier failed to stop two separate attacks where his phone number was commandeered by attackers.
Michael Terpin, who runs an investment group called Bit Angels and is involved in the cryptocurrency community, is seeking $24 million in compensatory damages and $200 million in punitive damages, according to the lawsuit, which was filed on Wednesday in federal court in Los Angeles.
Terpin was a victim of two SIM hijacking attacks, which are sometimes referred to as SIM swapping or port-out scams. The attack involves an attacker convincing a mobile provider to move a number to a different SIM card. Many times, the targets of such attackers are those with large holdings of bitcoin and other cryptocurrencies (see Cryptocurrency Theft: $1.1 Billion Stolen in Last 6 Months).
Attackers can take over someone's phone number by tricking an employee at a carrier into believing they are the legitimate account holder. In other cases, telecom employees may be crooked and act as accomplices in SIM hijackings.
Indeed, Terpin's lawsuit accuses AT&T employees of being complicit in such schemes in dramatic terms.
"More recently, AT&T employees are participating in a new species of fraud - SIM swap fraud - which is a metastasizing cancer attacking AT&T customers and allowing hackers readily to bypass AT&T security to rob AT&T customers of valuable personal information and millions of dollars of cryptocurrency," the lawsuit alleges.
In a statement, an AT&T spokesman says: "We dispute these allegations and look forward to presenting our case in court."
SMS Authentication Dangers
SIM hijacking has become an increasing risk because online services often use a person's phone as a means of authentication.
If a user has two-factor authentication enabled on their account, many service providers will deliver a one-time, time-sensitive passcode via SMS. If an attacker has already obtained the victim's authentication credentials, the one-time passcode is the last component to taking over an account.
Last month, Vice's Motherboard published an in-depth story that showed how attackers manage to pull off SIM hijacking and take over accounts.
Many online services also use a phone number in order to recover access to accounts, writes Roel Schouwenberg of the Celsus Advisory Group in a blog post from last year. That method is used by Google, Twitter, Facebook and Microsoft's Office365 as well as banking apps and cryptocurrency trading platforms.
"Most of the account recovery implementations are not well thought out," he writes. "System architects are relying on attackers being unable to take over a phone number. This is a false assumption."
There are safer alternatives to passcodes delivered over SMS, including hardware tokens and software-based two-factor code generators such as Google Authenticator, Authy and SAASPASS. Those codes aren't sent over a network, so an attacker would usually need to have the person's device in hand.
The dangers of SMS-based authentication have long been known. In 2016, the National Institute of Standards and Technology said it was deprecating out-of-band authentication over SMS or voice due to concerns over number hijacking.
Still, cybersecurity experts generally agree that using two-factor authentication even over SMS is better than not using it at all in light of the prevalence of account takeovers.
Two SIM Hijackings
Terpin was more than unlucky. The first attack took place on June 11, 2017. His phone went dead. Meanwhile, the hackers gained access to his accounts that used his phone in part for authentication.
The hackers also "convinced a client of Mr. Terpin to send them cryptocurrency and diverted a payment due to Mr. Terpin to themselves," the lawsuit says. AT&T cut off access to the phone number later that day but only after the hackers had "stolen substantial funds from Mr. Terpin."
After the attack, AT&T said it would put higher-level security on his account, similar to what the carrier provides for celebrities. The new security protection meant that Terpin would have to provide a six-digit code in order to make changes to his number.
The second attack came on Jan. 7. An employee in an AT&T store in Norwich, Conn., ported his number to an "imposter," the lawsuit says. It alleges that the store employees there were either blind or complicit. The employee didn't ask for the code or ask to see ID.
"It was impossible to look at Mr. Terpin's account information on the AT&T computer screen and not see the multiple warnings about the need for heightened vigilance, particularly the requirement of a six-digit password," the lawsuit says.
Although Terpin contacted AT&T immediately, the carrier failed to cancel his number, "which gave the hackers sufficient time to obtain information about Mr. Terpin's cryptocurrency holdings and to spirit off funds to their own accounts."
The lawsuit doesn't identify what kinds of cryptocurrency were stolen or from what services. But Terpin wrote on Twitter on Wednesday that the losses "were alts on native wallets."
Alts, short for alternative coins, is the term often used for relatively newer cryptocurrencies, and a wallet is the software program used to store the funds.
Terpin tells Gizmodo that he's now very careful about giving out his phone number and usually gives out a Google Voice number.
But that security-by-obscurity method probably isn't a good long-term plan. Anyone with significant cryptocurrency holdings would be wise to ensure that retention of a phone number isn't a defensive component.
Terpin indicates in a tweet that he now uses a Trezor hardware wallet for bitcoin and ethereum and has Google's two-factor authentication enabled for his online accounts.