[2018-08-15]U.S. investor sues AT&T for $224 million over loss of cryptocurrency

[vit05]

REUTERS

NEW YORK (Reuters) - U.S. entrepreneur and cryptocurrency investor Michael Terpin filed a $224 million lawsuit on Wednesday against telecommunications company AT&T (T.N), accusing it of fraud and gross negligence in connection with the theft of digital currency tokens from his personal account.
In a 69-page complaint filed with the U.S. District Court in Los Angeles, Terpin alleged that on January 7, 2018, the tokens were stolen from him through what he alleged was a “digital identity theft” of his cellphone account. In the complaint, he said AT&T was his service provider.

In an emailed response, an AT&T spokesman said: “We dispute these allegations and look forward to presenting our case in court.”

At the time of the theft, the three million stolen tokens were worth $23.8 million, the complaint said. Terpin is also seeking $200 million in punitive damages.

The complaint said that AT&T had been previously contacted by law enforcement authorities about such frauds.

AT&T Inc
32.495
T.NNEW YORK STOCK EXCHANGE
+0.25(+0.79%)
T.N
T.N
Cryptocurrencies have a market capitalization of about $200 billion, according to data from virtual coin tracker coinmarketcap.com. Nine years after bitcoin came into existence, the market has seen the emergence of more than 1,800 digital currencies.

Terpin, represented by Los Angeles litigation firm Greenberg Glusker, claimed in the lawsuit that after the theft of the digital currency, his cellphone account was transferred to an international criminal gang.

Terpin co-founded the first angel group for bitcoin investors, BitAngels, in early 2013, and the first digital currency fund, the BitAngels/Dapps Fund, in March 2014. He is a senior advisor to Alphabit Fund, one of the world’s largest digital currency hedge funds.

The complaint claimed that the theft of the tokens occurred through what is called a SIM swap fraud. SIM stands for subscriber identification module, and SIM cards are used to authenticate subscribers on mobile phones.

SIM swapping consists of tricking a provider into transferring a subscriber’s phone number to a SIM card controlled by someone else. Once that person gets the phone number, it can be used to reset the subscriber’s passwords and access online accounts.

Reporting by Gertrude Chavez-Dreyfuss; Editing by Toni Reinhold and Nick Zieminski

Our Standards:The Thomson Reuters Trust Principles.

[1715053248]

1715053248

[Samarkand]

...
SIM swapping consists of tricking a provider into transferring a subscriber’s phone number to a SIM card controlled by someone else. Once that person gets the phone number, it can be used to reset the subscriber’s passwords and access online accounts.
...

This is an attack vector that is often used to bypass the 2FA that secures the exchange
accounts of many people. Usually it isn´t that difficult to trick the customer service
of the provider into transferring a phone number (even if they ask you a few security
questions, the answers to these questions are usually not too difficult if you have researched the
victim or know them in person).

I´d advise anyone to not keep a meaningful amount of funds on an exchange even
if they offer additional security-related features like 2FA. As this example shows
2FA is vulnerable to this kind of social engineering attack.

[snipie]

Too bad for AT&T, apparently they will have to pay since it is clearly its fault but I doubt the punitive damage will be accepted as it is by the court.

[Kemarit]

Let this be a lessons learned for cellphone providers, those hackers are really a pain in our community. Yes, this 2FA is also vulnerable and exploits has been reported already. We can even say that 2FA isn’t always totally secure and perhaps we really need to be aware that at any moment, you will be hacked. So make the necessary precautions as just like @Samarkand, its not a smart thing to put a lot of money in your crypto trading account.

[1Referee]

I´d advise anyone to not keep a meaningful amount of funds on an exchange even
if they offer additional security-related features like 2FA. As this example shows
2FA is vulnerable to this kind of social engineering attack.

When people talk about not having 'meaningful' amounts sitting in their exchange accounts it's all relative to the person. In other words, what you consider to be a lot money is literally pocket change for others. Some times I see insanely large buy or sell walls (worth millions $$) pop up that I ask myself why would someone have that much funds on an exchange, but then you have to think about the main rule of there always being a bigger fish than you, which helps you put things into perspective.

In the end there is no way for traders to not be exposed to counterparty risks. People can say you should withdraw your funds immediately, but that doesn't go up for traders with sessions lasting days and some times weeks. In most cases smart and responsible traders never leave more than 10% of their total stash on an exchange.

[audaciousbeing]

Even though this might not turn out to give the best outcome, its still going to make a statement that telecommunication service providers equally owe us significant duty of care in keeping our assets safe. Today, even in the fiat world, you bank account is linked to your mobile number that which means there should be another level of security that should happen at that point to ensure that when I lost my phone, I don't only lose a gadget but my entire assets.

I have read about people losing money in their bank accounts because they lost their phones and someone else retrieved the sim card without their authorization only to have access to classified information. Its not far that this is case of what is happening here that those people only believes they are doing you a favor by allowing you use their services. I just wished someone sue both the banks and the telecommunication providers in the case of fiat losses and both the telecommunication and the wallet providers in the case of crypto.

[FXTradingPro]

Even though this might not turn out to give the best outcome, its still going to make a statement that telecommunication service providers equally owe us significant duty of care in keeping our assets safe. Today, even in the fiat world, you bank account is linked to your mobile number that which means there should be another level of security that should happen at that point to ensure that when I lost my phone, I don't only lose a gadget but my entire assets.

I have read about people losing money in their bank accounts because they lost their phones and someone else retrieved the sim card without their authorization only to have access to classified information. Its not far that this is case of what is happening here that those people only believes they are doing you a favor by allowing you use their services. I just wished someone sue both the banks and the telecommunication providers in the case of fiat losses and both the telecommunication and the wallet providers in the case of crypto.

We often focus on how exchanges need to protect us but this clearly illustrates that telecoms need to do their part as well. If this suit is won by the plaintiff I am sure we will see changes to address the issue. It also might mean that we will see additional language in the terms and conditions that will try and limit liability in the event of asset theft.

[FlamingFingers]

For the life of me, I can't fathom why people still trust phone authentication—since 2016, it has been proven to be vulnerable to social engineering hack practices (and not complex by any means). It is still the major authentication method on Asian exchanges (particularly Chinese) and it is not good. One should take all security measures when it comes to using money online (whatever that might be).

[squatter]

Too bad for AT&T, apparently they will have to pay since it is clearly its fault but I doubt the punitive damage will be accepted as it is by the court.

It’s clearly their fault in a literal sense, but that doesn’t mean they have to pay. The law (Data Protection Act, etc.) calls for exercising some sort of reasonable care in authenticating customers. Across most industries, the threshold is pretty low. Usually all a hijacker needs is your account #, name, and a few pieces of identifying info about you.

That’s why it’s been an industry standard among exchanges for years now to offer at least TOTP authentication for 2FA. Anyone linking a phone number to an exchange account is asking to get robbed.

[Daltonik]

Update on this case.
 
So CoinDesk reports that 20 year old hacker Ellis Pinsky, nicknamed "Baby Al Capone", agreed to pay crypto investor Michael Turpin $22 million. What's interesting is that at the time of the incident, Pinsky, who was nicknamed "Baby Al Capone," was in high school.
and he was 15 years old, he admitted his direct involvement in the SIM swap.
Turpin's lawyer Tim Toohey hopes that after this decision, AT&T will still take responsibility for the failure in its security system that led to the hacking.

Source: https://www.coindesk.com/business/2022/10/14/crypto-hacker-agrees-to-pay-22m-in-att-sim-swap-case/