T-Mobile US let hackers nick my phone number, drain my crypto-wallets, cries man who lost $20k

A bloke from Washington is suing T-Mobile USA after miscreants were able to steal his phone number and take all his crypto-coins. Carlos Tapang this week told the US state's western district court that the telco broke America's Federal Communications Act when, in November of last year, it allowed strangers to get control of …

  1. redpawn Silver badge

    That is not a Wallet

    It is a sieve. Use it to strain pasta.

    1. emmanuel goldstein

      Re: That is not a Wallet

      And the moral of the story is:

      do not store your crypto assets online.

      1. scrubber
        Headmaster

        Re: That is not a Wallet

        Online is the only place your crypto assets exist.

        If you mean the secure key then fair enough.

  2. Sorry that handle is already taken. Silver badge
    FAIL

    Be Your Own Bank!

    Whoops, and now it's all gone.

  3. Phil Kingston Silver badge

    Go on then, how were the crims able to do this? Are there any online crypto exchanges/wallets that only require a mobile phone number to get in? Surely a username/password was also required? How did the criminals get those? I wonder if he's not telling the whole story and is simply trying to put the blame for his own poor security practices onto someone else.

    1. ricegf

      "Surely a username/password was also required?"

      Yes. From the article:

      "From there, the thieves used the cell number to reset the password on Tapang's online cryptocurrency account – which was linked to that number – and then take over its wallets and drain his funds."

    2. Lord Elpuss Silver badge
      1. Phil Kingston Silver badge

        I must have missed that bit, thanks

  4. Mark 85 Silver badge
    Facepalm

    Cell Phone != secure

    There's the problem with this... someone thinks a cell phone is a secure device. If it had been stolen he'd still be up the same creek without an oar. Using it in certain hotspots means that someone is probably listening in and capturing your data going out over the airwaves. Cell phone and security aren't synonymous.

    I almost hope there's one or two IT people on the jury to explain it to the others.

    1. Ian Emery Silver badge

      Re: Cell Phone != secure

      And yet HMRC insist on access to accounts via a keycode sent to your mobile in a plain text message.

      1. Anonymous Coward

        Re: Cell Phone != secure

        > And yet HMRC insist on access to accounts via a keycode sent to your mobile in a plain text message.

        And a username/password. And some detail from documentation a scammer isn't likely to have, like your last P60. And you can choose a Verify provider instead of UK Government Gateway (in fact they're virtually insisting on it now) which uses better 2FA like TOTP.

        1. Ben Tasker Silver badge

          Re: Cell Phone != secure

          > And some detail from documentation a scammer isn't likely to have, like your last P60.

          I've not once had them ask for this during login (or submitting a return)

          > And you can choose a Verify provider instead of UK Government Gateway

          That reads to me like a justification on the basis that we've fucked up our own auth systems, so please instead provide your details to a 3rd party so that we can cop-out of doing things properly

        2. not.known@this.address Bronze badge
          Big Brother

          Re: Cell Phone != secure

          Credas, I had to take all my documentation to my nearest government office (the local Job Centre) for sending to HMRC because the Verify providers said I did not exist... and I wasn't the only one with the same issue.

          It was the same documentation the Verify provider said didn't exist...

  5. Dan 55 Silver badge

    SMS is SFA

    Use a HOTP or TOTP client.

    But not Google Authenticator for obvious reasons.

  6. Paul Westerman
    Coat

    Carlos Tapang

    Wasn't he in the Spanish Inquisition sketch?

  7. Bucky 2

    I'm suspicious

    Is there any genuine legal use for cryptocurrency that isn't better served with normal currency? They sure don't take it at the supermarket.

    Criminals stealing from criminals doesn't really bother me that much.

    Criminals stealing from rich people that can afford to accumulate a startling $20K in useless cryptocurrency against its possible future use doesn't bother me either.

  8. Anonymous Coward

    You have to call T-Mobile Customer Care

    Based on this article I called T-Mobile. When I had called before (for an unrelated issue), they forced me to set up a numeric PIN that _should_ be validated whenever someone calls T-Mobile asserting to be me.

    So today (after verifying my PIN) the representative simply checked a box that said my numeric PIN would be required before a port-out would be processed. This is not an option you can tick through the website.

    The representative was very surprised that I was calling in response to an "article". Apparently they are sending texts to customers and she was not aware that the public would be calling unbidden.

    1. Androgynous Cupboard Silver badge

      Re: You have to call T-Mobile Customer Care

      Have an uptick for original research

    2. garou1674
      FAIL

      Re: You have to call T-Mobile Customer Care

      Here is the text message they are sending out (for any that are curious):

      T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure

      I had a pin on my account to begin with, had to set a stronger one. My original pin was 4 digits, they upped it to 6 digits. If the 4 digit pin will not save me, WTH will a 6 digit??

  9. Yukatory

    Do most people not know about this?

    Surprised that more people don't know that there is a simple solution to this. Payfone (full disclosure: I work there) has an API that prevents account takeover through direct partnerships with mobile carriers:

    https://www.payfone.com/press/payfone-secures-patent-for-first-of-its-kind-sim-swap-fraud-fighting-tech/

    It's up to crypto companies themselves to implement the technology but I'm hoping that more of them wise up so that they can protect their customers and reputations.

    Thanks for reading.

  10. Eddy Ito Silver badge
    Facepalm

    In traditional T-Mob speed, I received the text this morning which is a full week after this article. Oh yeah, it's already been taken care of assuming the fix actually does more than sweet FA.


Biting the hand that feeds IT © 1998–2019