It's Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions

A California judge has given the go-ahead for a $240m lawsuit against AT&T for porting a subscriber's phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency. Michael Terpin sued the mobile operator back in August 2018, revising his legal challenge a year later to make more specific allegations. This …

  1. Version 1.0 Silver badge
    Unhappy

    I hope he wins ...

    but I doubt it, AT&T have far more lawyers and their terms have pages of small print to cover their corporate asses.

    1. D@v3

      Re: I hope he wins ...

      Something tells me, if he is the kind of person that has (had) BTC 24m, that he probably has a lawyer or two at his disposal as well.

      That's not to say that The Big Guys won't win in the end, just that it might be a slightly more 'balanced' fight than it would be if it were you or me.

      1. 0laf Silver badge

        Re: I hope he wins ...

        A lot of businesses (i.e. banks) are relying on sms as a cheap form of MFA. They would not be happy to see this chap win and depreciate sms as an option.

      2. Sorry that handle is already taken. Silver badge

        Re: I hope he wins ...

        A lot of people who have millions worth of virtual currencies are those who got lucky after buying a bunch of the stuff in the early days for the purpose of buying drugs, illegal pornography etc. on the internet. There are also the enthusiasts who were lucky enough to mine a bunch in the early days.

        There are also those ideologues who, in spite of stories just like this one, still think the idea of "being your own bank" isn't the stupidest thing ever, and then those who think it's a hedge against the complete economic and societal collapse that's coming Real Soon Now™ (after which obviously everyone will want to buy their coins, for some reason?) There's a lot of overlap between these latter two.

        Not the kind of groups who usually have lawyers on call or retainer, I'd have thought. This guy might be different but that might also have been his entire savings.

    2. OldSod

      Re: I hope he wins ...

      I do not hope he wins. A telephone company's protections against unauthorized phone number hijacking should be sufficient for ordinary risks, not the pressure of a $24M payoff. If the phone company's protections must be proof against $24M, or $100M, or (what limit?) attack motivations, then the increased costs (both monetary and otherwise) will be borne by everyone all the time.

      If the number had just been hijacked for ordinary reasons (someone wanted that number, someone wanted to hassle the owner) then when the hijack was discovered AT&T would have been able to restore the number to its rightful owner. The only loss would have been some inconvenience to the owner, perhaps some social relationship repair.

      According to the story, AT&T didn't just fold and give away the number at the drop of a hat, but failed under sustained pressure by the baddies against the system. It wasn't just AT&T's failure that led to the loss of the $24M, it was a series of protections that failed. Ultimately much of this series of protections was the responsibility of the individual who lost the $24M to ensure that these protections were sufficient to the threat. I don't think it was reasonable for him to expect the AT&T protection against number hijacking to be designed to handle the pressure of a $24M threat.

      1. Prst. V.Jeltz Silver badge

        Re: I hope he wins ...

        You talk as if stealing someone's phone number is just a bit of a jape.

        Untold damage could be done in a multitude of ways, not just the route described in the article.

        This is because having unique access to your own phone number is more and more relied upon as an authentication method, as other commenters, and the article, have noted.

        In addition to which, this had happened to the guy before; he and AT&T agreed on extra security policies that they totally failed to follow!

    3. RM Myers

      Re: I hope he wins ...

      The pages of small print may be true, but there is a good chance he will have the better lawyers. In this type of civil case, you are looking at a contingency fee of 25% to 33% of the final award, whereas AT&T lawyers are going to be getting an hourly fee. There is a reason that some plaintiff class action lawyers are billionaires - and this case is getting into the same dollar ranges. And the best lawyers are going to go where the most money is.

  2. Anonymous Coward
    Anonymous Coward

    Basically it comes down to...

    Dick Terpin or Victim Terpin?

  3. knarf

    He'll win or lose then an appeal

    He'll be chasing this money for at least 10 years.

  4. JimBob01

    Do you outsource your security?

    The use of phones to ‘secure’ important, personal information has become widespread without any concern for the fact that phone companies do not have strict and consistent rules about such things as SIM swapping, particularly as this practice is considered a handy feature by many who would, no doubt, baulk at any reduction in this convenience.

    I have heard the "large orgs do technical security so much better than we ever could" mantra so many times but there never seems to be any consideration of the increased social engineering surface that a large organisation must have to manage huge numbers of anonymous clients. Also, as in this case it seems, a large organisation is much less well equipped to deal with rogue employees who are, again because of org size, pretty anonymous AND able to subvert any security protocols put in place.

    Maybe the new mantra should always be that "convenience and security are opposite ends of a scale, as one increases the other must decrease". You must prioritise what is most important. Anyone who claims different is ignorant or selling snake oil.

    1. JimboSmith Silver badge

      Re: Do you outsource your security?

      My last employer moved to using cloud storage for the thin clients used throughout the business. A manager for my (non technical) division who was informing us of this change at a meeting to explain what was happening said it would make us more secure. 'The cloud' is run by a large business and so more secure. Afterwards I spoke to her and said I was interested in knowing what made this more secure. I asked her how it was more secure than our own servers, which we had in our own buildings. If there's an attack we could physically take them offline by pulling cables etc.

      The poor woman clearly had no idea as she just said the cloud's obviously more secure isn't it. Before admitting that she didn't know and it was just what corporate had sent her in a glossy folder to read out to her staff. She did say don't worry about it though "You're not on the hook for this if this goes wrong Corporate are". To educate her I sent her a few links to this site and the multiple instances of e.g. poorly secured or even unprotected AWS buckets. She said that it was disturbing but not to worry as it wasn't my problem.

      1. FrogsAndChips Silver badge

        Re: Do you outsource your security?

        She said that it was disturbing but not to worry as it wasn't my problem

        Did she put that in writing and does her word carry enough weight?

        1. JimboSmith Silver badge

          Re: Do you outsource your security?

          The head of risk management was happy according to the folder so that made it okay for underlings like myself.

          1. Nonymous Crowd Nerd

            Re: Do you outsource your security?

            "head of risk management" = scapegoat in chief.

            A clear statement from CEO level should be required for this type of decision.

            1. 0laf Silver badge
              Facepalm

              Re: Do you outsource your security?

              Cloud based hosting, SAAS etc 'can' be much more secure than your on-prem setup. But the vanilla cheap assed entry level options will not be.

              MS 365 can be very very secure. But only if you give everyone a fucking expensive E5 licence and have dedicated and trained staff running the security consoles that MS have designed using the shifting sands of the Sahara desert as a model.

              If you think you're going to be secure by buying an F1 licence for everyone then sticking it in vanilla then you're going to be in a very bad place very soon.

              The analogy I use with the non techies is that if cloud was a car, MS and AWS can make a very very good car, but you're choosing the specification and you're still driving it, and if you spec it with 3 bicycle wheels or drive it off a cliff MS/AWS are not going to take the blame for your mangled corpse.

  5. Anonymous Coward
    Anonymous Coward

    File Encryption?

    If I had a file containing the password to $24 million dollars worth of assets I'd make sure that it was strongly encrypted. Not letting AT&T off the hook but having previously lost $24 million of crypto-currency you think he would have taken some slightly better precautions.

    1. Anonymous Coward
      Anonymous Coward

      Re: File Encryption?

      1) It was the second hack that lost the $24 million.

      2) Why do you not think the file wasn't strongly encrypted? I would think that it almost definitely was and there is nothing in the alleged theft that would suggest it wasn't.

      However I would counter that for 2FA to work two factors must always be used at every step of the chain, and if they didn't have access to his e-mail and/or password then the 2FA token should not have worked.

      Although the 2FA is a last line of defence if your login/password is compromised so should still provide security

      1. Anonymous Coward
        Anonymous Coward

        Re: File Encryption?

        You're right - I misread the article

        "At the heart of the matter is Terpin’s phone number. In June 2017, miscreants successfully managed, after no fewer than 11 attempts in AT&T retail stores, to transfer his number to a smartphone controlled by the criminals – a so-called SIM jacking attack. The phone was then used to gain access to cryptocurrency accounts, linked to his phone number, to steal an unspecified amount of Bitcoin, and impersonate him on Skype".

        However I still stand by the fact that the file probably wasn't encrypted as the thieves managed to open the file, retrieve the details and transfer the funds. Aren't we being told all the time about how government agencies want back doors to encryption? At the very least he should have split his credentials onto three different systems, password on one, user name on another and wallet ID on a third (or however many separate bits of info are needed) so that three hacks would be needed to get all of the required information, especially as he had been targeted in the past and lost funds.

      2. Muscleguy Silver badge

        Re: File Encryption?

        Exactly, I store forms of my pwords on a notepad app on my laptop. They are in forms even I struggle to decode sometimes. They point to initialled phrases and the numbers are in a form of Navajo code talk in a language from the other side of the world.

        The two factor in this is that the form only makes sense when I am reading them. So you would have to perfectly clone my brain with all its knowledge and understanding.

        I prefer this to a pword manager, which is defeatable: get the pword for it and you get the keys to the kingdom.

        The munged pwords are ones I do not allow the browser to remember, ones that really matter and I have thought and learned carefully on that point.

        I do on some things use sms/email 2FA but only as a ‘yes I know my door lock can be picked but I still lock it’ basis (I have viewed a lot of the Lock Picking Lawyer’s YouTube videos).

    2. Brewster's Angle Grinder Silver badge
      Joke

      Re: File Encryption?

      In that situation, I wouldn't even commit my password to digital media. I'd write it on a piece of A4 and hide it with my fishing rod.

      1. CAPS LOCK Silver badge

        Re: File Encryption?

        Why the 'joke alert' icon, that scene you describe seems sound to me. A strong password written down on paper is very hard to compromise by a cyber-ne'er-do-well. Just don't hang the paper on your study wall where it can be seen from your web cam...

        1. My-Handle

          Re: File Encryption?

          It was a reference to an earlier article, in which a certain gent invested an amount of illicit cash in bitcoin, then stored the passwords on a piece of paper stored with his fishing rod.

          When the feds came looking, it turned out the paper had been thrown out by his landlord along with the rest of his gear

          https://www.theregister.co.uk/2020/02/25/drug_dealer_bitcoin/

        2. Brewster's Angle Grinder Silver badge

          The first thing you do when arresting Bruce Schneier is shave off his beard...

          And the consensus in the comments was it was inconceivable anyone would conceal their password alongside their fishing tackle.

          But this case shows exactly why downloading it onto unhackable media is not such a dumb idea. Although, personally, I would tattoo it onto a part of my body that is never normally visible in public - ideally a part that is covered in thick, curly, dark hair so even a strip search wouldn't reveal it.

          1. FrogsAndChips Silver badge

            Re: The first thing you do when arresting Bruce Schneier is shave off his beard...

            But then you realize you'd have to "silence" the tattoo artist, don't you?

            1. eldakka Silver badge

              Re: The first thing you do when arresting Bruce Schneier is shave off his beard...

              Not if you self-tattoo. Tattoo equipment (at its most basic a toothpick and a source of ink, like a ballpoint pen) isn't exactly restricted or hard-to-get equipment. I had a friend that had a professional tattoo 'gun' and needles at home. And this is just some characters that any unskilled, unartistic person (like me!) could do, not artwork (well, unless you wanted to also implement steganography).

          2. Anonymous Coward
            Anonymous Coward

            Re: The first thing you do when arresting Bruce Schneier is shave off his beard...

            Have fun changing your password.

            1. Brewster's Angle Grinder Silver badge

              The security services may have wised up to this after that Michael Scofield incident.

              Tattoo removal is a thing. Besides, the area in question is big enough to take a good few passwords.

              As to silencing the tattoo artist: steganography. Or just make the password "I love mum".

              1. Twanky Bronze badge

                Re: The security services may have wised up to this after that Michael Scofield incident.

                "personally, I would tattoo it onto a part of my body that is never normally visible in public - ideally a part that is covered in thick, curly, dark hair"

                ...make the password "I love mum"

                There's a word for this sort of thing.

        3. phuzz Silver badge

          Re: File Encryption?

          Written on a piece of paper, and then stored in a fireproof safe would be fine. The vast majority of password attempts are online. Storing a password on a physical piece of paper secures it against any online attack.

          After all, if someone knows where you live and can break into your house, they can just stand over you with a rubber hose until you give them all your passwords, online or offline. (Or they could install cameras and record you typing in your password).

          (oblig xkcd)

    3. Mike 137 Silver badge

      Re: File Encryption?

      "I'd make sure that it was strongly encrypted"

      I wouldn't link it to a mobile phone number either - indeed any phone number, or any comms or storage device reaching beyond my immediate control.

  6. Anonymous Coward
    Anonymous Coward

    Hey, you know all those super 'secure' instant messengers, that use all kinds of super powerful encryption and stuff? Signal, Telegram, etc?

    They're all linked to your phone number. So all the Regime need do is request a new device or password reset, and since they own the telcos, they can get into your account.

    Real secure. Allow the option of userid/password authentication rather than just a phone number you say? You wish. Signal and Telegram don't want to allow that. For Reasons.

    1. Chris Hills

      Telegram allows you to set a password for your account so it is not quite as trivial as just getting access to your phone number.

      1. Anonymous Coward
        Anonymous Coward

        Does Telegram also allow you to request a password reset when you forget it? SMS'd to your registered phone number or emailed to your tapped email address?

    2. Anonymous Coward
      Anonymous Coward

      Signal will be a clean sheet, completely blank

      Unless you also have a copy of the user's backups and know the 64 character backup key to restore it, which is shown only once when you enable backups.

      Telegram, pah, last I checked it didn't even default to e2e and sent messages unencrypted.

      So, for reasons, you're completely wrong

  7. Anonymous Coward
    Anonymous Coward

    It's about time phone companies across the world were held responsible for this.

    I mean, how hard would it be to call the number and try to verify that the owner wants the SIM changed as a first step. Or not allow SIM swaps in store, etc.

    1. Aristotles slow and dimwitted horse Silver badge

      Still not going to stop a bribed "rogue employee" from making the changes even if they had previously contacted him though is it.

    2. JimboSmith Silver badge

      When I called T-Mobile UK years ago when I lost my phone on holiday they were very security conscious. Asked me questions about what phone models I'd had in the past with that number. Also what top up amounts I'd done and when. Plus when (because it was recent) I'd ported the number over from another network and what network it was. After answering all that she was happy to confirm it was me and arrange a new SIM with my number.

      Wouldn't have stopped a rogue employee but seemed fairly good against a member of the public.

      1. iron Silver badge

        Sounds like a nightmare. Whenever organisations (usually my bank) try to use such questions to determine if I am who I say I am my replies consist of "I don't know", "I can't remember" and "maybe xxxx?" After much humming and hawing I usually pass the check but it always leaves me feeling that I'd be much happier if they refused than taking my awful non-answers as good enough.

        1. Anonymous Coward
          Anonymous Coward

          Once my dad, who was abroad and somewhat "off grid", asked me to ring up his credit card company to make a couple of changes.

          During the security "frisking" they asked "date of birth?" which left me momentarily stumped, but after a very lengthy pause, some frantic mental arithmetic and a correct answer, all was well.

      2. sofaspud

        T-Mobile in the US was... significantly different.

        My friend had gotten a new phone and it needed a new SIM. His old phone was deader than a doornail (hence him getting a new one). He wasn't able to get the new SIM arranged because the online portal wanted him to confirm with his existing phone.

        So I called in to the phone folks, talked to a bored-sounding lady with an accent I couldn't place, told her "sorry, can't verify the text because the phone is smashed" and with no confirmation of anything beyond the old phone number (!!) got a new SIM issued. To a different address than he had on file, because he'd never bothered updating them when he moved and he was on autopay and emailed statements anyway.

        I didn't even have to dust off any 'social engineering' skills from my younger, more troublesome days. The state of security at telcos is just sad.

      3. Anonymous Coward
        Anonymous Coward

        I asked for a new SIM, they sent it to my old address. They assured me that if someone at that address tried to use it it wouldn’t work without some unspecified “activation”. Not true, of course.

        It didn’t really matter at the time; in those days we had pin-pad devices to authenticate for online banking. But now, banks just send codes to the mobile phone numbers they hope we have control of. I hope the people at the banks responsible for that change have read this story.

  8. j.bourne
    FAIL

    Weakest link security

    Storing the password(s?)/credentials to access $24million in a cloud service?? Might as well try suing the cloud service. Or self for prime stupidity. Better off a password that is only stored in one place - your head: even if it is technically weaker. At least doing that social engineering the password out of you becomes a very difficult proposition.

    1. doublelayer Silver badge

      Re: Weakest link security

      If it's stored in your head, you stand a good chance of forgetting it. If that means you lose your money, you probably decide not to store it only in your head. If there's a method of resetting a forgotten password, that method can then be attacked. The same provisos hold for all the typical methods of storing sensitive information--the better they are at making sure other people can't get in, the more complex or difficult they are to use. Eventually, you reach a point where what you're really doing is making it hard for yourself to get in without doing much to an attacker. This is why 2FA is so important--if for any reason one method becomes compromised, the attackers still can't get in for the time being. The story here is about the failure of 2FA to have two factors that work well enough. That can of course be argued, but "memorize a long password and why not the private key while you're at it" isn't going to solve anything.

  9. adam payne Silver badge

    Terpin is suing AT&T for not following its own agreed security protocol, and he wants punitive damages. AT&T denies it is responsible for any loss

    Well they would.

    AT&T are going to drag this out for as long as possible until Mr Terpin finally runs out of money.

    1. Anonymous Coward
      Anonymous Coward

      or someone steals what he has left...

    2. lowwall

      Normal practice in the USA for a case like this is for the law firm to absorb most or all of the costs against their expected share (typically 30%) of the eventual payout. This is known as a contingency fee basis. If his law firm is insisting on a pay as you go basis, that's a good indication they don't believe there is a reasonable chance of a large verdict or settlement.

      Speaking of settlements, usually once pre-trial maneuvers like the one reported on here have failed, the defendant company will seek to settle. All the lawyers want to settle, the plaintiff's for the certainty of a payout and the defendant to avoid a major business risk. Sometimes the sides will let it go to a trial if they feel they have a potentially decisive argument. But if this actually goes all the way to a jury or judge's final decision, it means one of the parties has decided to overrule their lawyers to prove a point.

  10. Zarno Bronze badge
    Joke

    Tinfoil Hat Time

    "Hey, Boss, I found how we can plug that $20 mill budget shortfall that the executive bathroom breath mint and canape service ran up..."

    Icon because otherwise someone would think I was serious...

  11. heyrick Silver badge

    the big question is: are we solely responsible for making sure they are secure

    This doesn't make sense. If a miscreant can go to the operator and effectively hijack somebody's phone, what exactly is the end user supposed to do? Surely it is entirely the responsibility of the telco to verify (beyond any reasonable doubt) that the person making the demand is the legitimate owner.

    I don't know about how things work in the US, but here in France the telco demands a copy of my passport/identity card, and it's a lot less hassle if you go to one of the telco shops so somebody can see that you match the identity photo. Also, when my mother lost her phone, the old SIM was blocked immediately, and after showing identification, she was told that a new SIM would be mailed by courier to the address on record (which was neither confirmed nor disclosed) and it would arrive in under a week (took three days). It's, you know, not hard...

    1. My other car WAS an IAV Stryker

      Re: the big question is: are we solely responsible for making sure they are secure

      "[D]o the companies that make money from the sale of phones and related data plans" *and manage your sole access point to their network* "also share a degree of responsibility?"

      There, added the key text that *makes* them responsible.

      Credit card companies are getting pretty good at owning up to failures. I had one of my credit cards misused a couple of times. Both times, I reported it, got fully identified before they said they'd take care of it and send a new card. And they did: charges reversed and new card (new acct numbers) sent out both times. Backend handled it just fine and I didn't even have to create a new online account, but the second time I finally changed my username and password (shame on me). (My only complaint is that I specifically asked for rush shipping the second time but they sent it the slower way.)

    2. Anonymous Coward
      Anonymous Coward

      Re: the big question is: are we solely responsible for making sure they are secure

      "I don't know about how things work in the US, but here in France the telco demands a copy of my passport/identity card"

      Here in the UK, they don't ask many questions, but somehow it still takes them about a week.

      Last time I did it my number switched from one SIM to the other in the middle of a job interview call.

  12. Anonymous Coward
    Anonymous Coward

    While AT&T has plenty of blame

    This guy shoulders a lot of the blame too for setting things up so that someone who has control of his cell phone number can steal $24 million from him. That's a risk not only of being technologically clueless while trusting technology for your "assets", but also from the fact that bitcoin has no safeguards in place. If I had $24 million in the bank and they allowed "me" to change my password and transfer that $24 million away with a simple text message confirmation the bank's insurance would reimburse me (and they'd probably be forced to install more robust authentication by their insurance carrier after such a big loss)

    My bank currently requires me to input a code sent by phone or text message if I'm logging in from a new device, but if you forget your password your only recourse is to appear to the branch in person. I know because my mom banks at the same place and when my dad died we couldn't access the online account and that's what she had to do to reset the password. As it should be!

    1. Prst. V.Jeltz Silver badge

      Re: While AT&T has plenty of blame

      So all it takes is someone to install a key logger on any of the machines you use, maybe at your desk, then do the SIM thing in the article, and you're totally boned!

  13. Nifty

    Everyone's bank acct is protected by 2FA when a new payee is created. Secured by a mobile number only.

    Maybe time for everyone to consider using an authenticator app instead, or maybe 3FA?

  14. Anonymous Coward
    Anonymous Coward

    AT&T = No1 EvilCorp..

    It's always a fun game, which is the worst EvilCorp at the moment. It's one of those knock out games..

    Oracle v Microsoft - Microsoft wins

    Microsoft v Apple - Apple Wins

    Apple v Facebook - Facebook Wins

    .. but Facebook v AT&T (a.k.a SBC) - no contest, AT&T wins by engaging in lying and thieving and fraudulent practices for at least three more decades than Facebook

    So for most EvilCorps you know that everything they say is self serving lies. You know they are lying because their lips are moving. But with AT&T them just being in the same room is an act of mendacity. Even their body language is an outright lie. Shades of "Hello, he lied"...

    So in situations like the above the natural reaction should always be when someone claims "AT&T did something bad... " no need to even finish the sentence. AT&T is Guilty as Hell on all counts. Because you have to go back to the pre-consent decree years to find even the slightest bit of honesty in AT&T's business practices. Some of the Baby Bells were not too awful. PacBell for example was OK. But South Western Bell in its pre SBC heyday added a whole new dimension to bottom feeder predatory practices. Which it elaborated on when it became SBC. And then the bigger shark SBC devoured the lesser shark AT&T. Which is what we have today.

    1. My other car WAS an IAV Stryker

      Re: AT&T = No1 EvilCorp..

      I think Comcast still "wins" that distinction over AT&T.

      Anyone else want to name a sleazier telco?

      1. Anonymous Coward
        Anonymous Coward

        Re: AT&T = No1 EvilCorp.. Comcast is an also-ran.

        Nah, Comcast don't even come close. They are just a typical local monopoly courtesy of your local government and the FCC. I found when dealing with Comcast customer support that if you are very polite and take the attitude that the person at the other end of the phone is just some poor schmuck who gets grief all day for a situation they did not create, just like with the DMV for example, most of the time it can be a not unpleasant experience dealing with them. In fact being friendly and not getting angry at them personally for whatever outrage Comcast has most recently done usually gets a very sympathetic and helpful result. That has been my experience over the last 25 plus years in dealing with them.

        Whereas AT&T has always hired script droids whose sole purpose is to read from the script without deviation and the superiors are even less helpful. Pure stonewalling from start to finish. So there is a special level in Hell just for AT&T. They don't quite qualify for the NKVD level, which is one below.

        In my experience AT&T is easily Evil Corp No1.

  15. Anonymous Coward
    Anonymous Coward

    If "SMS hijacking" proved sufficient to steal the coin pile -- evidently the latter was parked at an exchange house. That is, the victim did not in fact have cryptographic control of the coins, only (putative) "title" (and the whole point of cryptocoinism is to reduce control to "who has the key"; enforcement of titles in this context is rather similar to a hypothetical attempt to serve a lawsuit to a tectonic plate for earthquake damages.)

    Victim learned nothing from the MtGox implosion or any of the subsequent smoking craters?

    If you don't hold the key, it isn't "your" coin.

    1. Prst. V.Jeltz Silver badge

      So, if I'm reading that right...

      He's gone to bit-wallets-R-us and said:

      "'Scuse me mister, can you put these bitcoins I'm being given in one of your bags, and look after this key thingy for me? Gee I hope your security is good, remember = I'm the only one allowed access ok? Let's set up a password."

  16. TomPhan

    Weasel words

    The phrase “cannot guarantee that your Personal Information will never be disclosed in a manner inconsistent with Policy” sounds like they want an out for everything.

  17. HildyJ Silver badge
    FAIL

    SIM hijacking should be almost impossible

    Your Telco knows your name and address and last payment amount and every freakin number you've ever called or been called by. Surely if you have a contract a local store could require a photo ID that matches the name and address they have in their system. If you don't have a contract they could ask for the number you last called and a number you called multiple times over the last month.

  18. Paul Hovnanian Silver badge

    After the first time ....

    ... my SIM got swiped, I'd clear all of the important stuff off my phone and out of any cloud backup servers.

    Actually, this isn't correct. I wouldn't go walking around in public with $24 million in a wallet sticking invitingly out of the back pocket of my pants.

  19. Jason Bloomberg Silver badge
    Pirate

    Lose $24 million, win $240 million

    As I see it the case is no different to "I gave X the key to my safe, they promised to look after it, but handed it to a crook who emptied the safe". There's no doubt 'X' is responsible for the amount stolen, and then some for failure to fulfil their obligations, but ten times the amount stolen? Really?

    If those are the sort of returns one anticipates it becomes worth having $24 million stolen. And, as much as I believe in innocent until proven guilty, it does make me wonder.

  20. Dolvaran

    About time some action was taken

    This type of fraud is common, and has been common for years now. The Telcos don't care - or report it to the Police. The same goes for the banks who are also involved. Even where there is clear evidence of collusion between employees from both organisation types. Is that a generalisation? Yes, but it doesn't make it not true.
