Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Managing Editor, Help Net Security
August 16, 2018

AT&T sued for enabling SIM swap fraud

A cryptocurrency investor is suing AT&T because criminals were able to empty his accounts through SIM swap fraud (aka account port out fraud), even though he had already asked for additional protections to be set up on his AT&T account.

He is asking the US District Court for the Central District of California to find in his favor and award him $24 million of compensatory damages and over $200 million of punitive damages.

“Given all the carrier’s hype about protecting customer security, [Michael Terpin] believed that it would keep its promises about absolutely safeguarding him from a data breach that could lead to the theft of tens of millions of dollars of crypto currency. In reality, however, Plaintiff was victimized by not one, but two hacks within seven months,” his lawyers claim.

“Even after AT&T had placed vaunted additional protection on his account after an earlier hacking incident, an imposter posing as Mr. Terpin was able to easily obtain Mr. Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password. The purloined telephone number was accessed to hack Mr. Terpin’s accounts, resulting in the loss of nearly $24 million of cryptocurrency coins. It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur.”

SIM swap fraud

Porting a target’s phone number to another device in order to receive the second authentication factor (usually sent via SMS) is an approach that hackers have used for many years. With the rising popularity of cryptocurrency, criminals have focused on compromising and emptying victims’ cryptocurrency accounts.

And the “earnings” are big, which allows the attackers to recruit telecom employees and reward them handsomely when they perform the porting for them.

“Mr. Terpin is a prominent member of the blockchain and cryptocurrency community,” the lawyers explained. “In 2013, he started Bit Angels, the first angel group for investing in bitcoin companies, and CoinAgenda, the first high-end investor series for family offices and funds investing in digital assets. Mr. Terpin also runs the preeminent public relations firm in the cryptocurrency sector. Like others in the cryptocurrency community, Mr. Terpin is a high-profile hacker target because of his publicized involvement in cryptocurrency enterprises.”

Six months before this latest successful SIM swap attack, Terpin was hit with a similar one and had therefore tried to make sure that the same thing wouldn’t happen again: he protected his account with an extra security step, a six-digit number that had to be provided if significant changes were to be made on the account.

But it was all for nought, he says. “On Sunday January 7, 2018, an employee in an AT&T store cooperated with an imposter committing SIM swap fraud,” the lawyers claim.

It now remains to be seen whether the court will side with Terpin or AT&T, or will dismiss the lawsuit altogether on account of the arbitration clause included in the AT&T account contract.
