August 19, 2018 at
Hackers gained access to US crypto investor Michael Terpin’s SIM card and personal information twice, claiming security negligence from AT&T in a $224 million lawsuit on August 15.
Co-founder of a private investment group for Bitcoin (BTC) and CEO of TransformGroup, Michael Terpin is suing AT&T for neglecting security flaws and vulnerabilities within their security systems after allowing hackers to acquire access to Terpin’s SIM information on two separate occasions and steal $23.8 million of his cryptocurrency tokens.
My friend Michael Terpin is suing AT&T for $224 million for breaching his privacy and letting a hacker steal over $20 million from him.
In some cases juries will award more than what’s asked for – I hope they award Michael $10 billion and force AT&T to pay it to him in Bitcoin.
— Bruce Fenton (@brucefenton) August 15, 2018
In June 2017, his phone suddenly went dead and thus set off alarms that his number provided by AT&T has been compromised. He also received notifications from the service provider that his password has been remotely changed at an AT&T store after 11 failed attempts. In the first breach in June 2017, Terpin lost control of his Skype account and phone number, where the hackers impersonated Terpin and convinced one of his clients to transfer a large sum of cryptocurrency.
In the second breach in January 2018, his SIM was again updated in a Connecticut AT&T Store despite the additional security measures Terpin emplaced after the first SIM card breach. Both of the two security breaches in 2017 and 2018 passed Terpin’s two-factor mobile security authentication and many other forms of security for several related accounts connected to his phone’s SIM card information.
When Terpin noticed the second breach, he immediately attempted to contact the service provider but supposedly had his requests ignored. This resulted in $23.8 million in cryptocurrency to be transferred from his accounts to the hackers. His wife also attempted to contact the AT&T fraud department but was allegedly put on hold for the entire duration of the incident.
AT&T is being accused of failing to reasonably protect their customers from these attacks despite being supposedly aware of the breaches as they are happening, one disgruntled user citing that AT&T “has become too big to care”. They have not attempted to strengthen security measures despite several breaches prior to Terpin’s two incidents.
What is the SIM swapping scam?
The store’s relaxed security measures allowed the hacker to update the card without having to provide a passcode nor any sort of scannable identification that AT&T normally requires. This is called SIM swapping, or the “port out” scam, where a service provider transfers the victim’s phone number to someone else’s SIM card. This allows the thief to then reset and gain access to private accounts online.
Majority of hackers focus on cryptocurrency accounts as they are generally the easiest and most common targets, making the SIM swapping scam very widespread. Once the hackers gain access to the victim’s SIM card, they can receive and intercept texts for password resets and two-factor authentication from targeted services and accounts. This method is very quick and simple, posing a great risk to many sensitive accounts.
How do hackers gain access?
While tactics may vary from hacker to hacker, they all commonly use “plugs”, or insiders within target telecom companies which the thieves pay to perform the swaps. Several other service providers have reported similar attempts and breaches, including Verizon where two employees claimed to have made over $100 thousand from few months of cooperation.
The hackers’ AT&T plug involved in the attack has been identified by the FBI as well as Homeland Security and charges are being pressed.
An employee from AT&T also stated that their security system is designed to allow several employees to easily bypass the required security features used when porting phone numbers from SIM cards, making the entire system vulnerable to these plugs who the thieves handsomely pay.
Terpin, represented by litigation firm Greenberg Glusker from Los Angeles, is seeking $200 million in punitive damages from the breach, and financial compensation for his $23.8 million loss in cryptocurrency. “We dispute these allegations and look forward to presenting our case in court,” said AT&T in an official statement.
How can I protect myself?
Whenever possible, two-factor authentication that is not phone-based is recommended by experts. If that is not possible, connecting it to a relatively inactive and separate number you control works as well. Extra passwords are possible to be added to your account by your service provider should you give them a call.