“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.” says high-profile cryptocurrency investor, Michael Terpin, in a lawsuit against the telecommunications giant. The lawsuit claims that the security and privacy measures taken by the mobile carrier are illusionary, ‘a veritable modern-day Maginot line’. Terpin accuses AT&T of negligence that allegedly led to millions of dollars worth of cryptocurrency being stolen from his account.
The defendant fell victim to SIM swapping, allegedly perpetrated by hackers in cooperation with AT&T employees. In the court Mr. Terpin is seeking for a compensation of general damages estimated at $24 million and punitive damages of 9 times the stolen amount, $216 million.
SIM swapping is a relatively new type of fraud that allows hackers to gain access to personal information, passwords and private keys from bank accounts and cryptocurrency wallets. SIM swapping consists of hackers tricking mobile carriers into handing a new SIM card issued for the account of the attacker. Fraudsters normally achieve this through social engineering, pretending to be the carrier’s original customer. In some cases, criminals work directly with mobile store employees, which is repeatedly suggested in the text of the complaint.
The prevalence of such fraud has been increasing over the past years. The cases of SIM swapping have become a more lucrative enterprise due to increasing reliance on phone-based authentication. Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering. According to a tech publication, Motherboard, extra security measures such as 2-factor verification often used on cryptocurrency exchanges and wallets, often post no obstacle to fraudsters.
“In some cases, this [SIM swapping] works even if the accounts are protected by two-factor authentication. This kind of attack, also known as “port out scam,” is relatively easy to pull off and has become widespread”
The incident happened not on the first occurrence, and according to a 69-page complaint file, hackers obtained control over Michael Terpin’s phone for the first time on June 11, 2017. At that instance, hackers successfully changed Terpin’s AT&T passwords after initial 11 attempts failed in mobile stores. Plaintiff reported to the company a theft of his personal data as well as a substantial amount of money not specified in the complaint. In a meeting after the incident the company imposed a ‘higher security level’ on Terpin’s account, meaning an additional 6-code access passcode. Mr. Terpin was put on a so-called ‘celebrity’ protection allegedly promised by an AT&T representative.
The complaint mainly addresses an incident that took place on January 7, 2018. An imposter committed a SIM fraud in AT&T store in Connecticut, USA. It was commited presumably in cooperation with an employee who, as an AT&T representative, had an ability to override all existing security features. According to the complaint, thieves gained control over Terpin’s accounts and stole nearly $24 millions of cryptocurrency.
When on 7th July Terpin’s phone went dead. The entrepreneur recognised the threat of getting hacked and immediately tried to contact AT&T and have his phone blocked. Unfortunately, the plan fell through since nobody of customer support managed to promptly cancel Terpin’s account.
“Mr. Terpin’s wife never reached AT&T’s fraud department because it apparently does not work (or is unavailable) on Sundays. But the hackers work on Sunday!”
A news agency, Reuters, has contacted the mobile carrier for a press release. In an emailed response an AT&T spokesman said: “We dispute these allegations and look forward to presenting our case in court.”
Image Source: “Flickr”