Bitcoin backer sues AT&T for $240m over stolen cryptocurrency

A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency. Michael Terpin is suing the phone giant [PDF] for the value of the three million electronic coins plus $216m in punitive damages after he claims an AT&T employee at a store …

  1. vir

    A Fool And His Money...

    I'm not saying that he deserved to have his money stolen, but safeguarding $24MM with SMS 2FA even after a previous attempt had been made by the same vector is not my version of smart. The fact that he's now trying to get a 10x return on investment via jackpot justice is the icing on the cake.

    1. Anonymous Coward

      Re: A Fool And His Money...

      If you had $24 million in gold or cash or Picassos in your house you'd hire an expert to help you secure your house, right? He was negligent in not doing the same here. I'd love to know if he paid taxes on the gains in cryptocurrency for whatever he cashed out to pay living expenses etc. last year. I have to think this lawsuit will get someone at the IRS to have a quick look at his recent filings to see, so he might end up losing more than $24 million out of this deal...

      AT&T sucks for not properly protecting phone numbers, but this is well known even among Reg readers so anyone you hired to help you secure things would have made you stop using SMS auth as step one. His fault.

    2. leexgx

      Re: A Fool And His Money...

      He should have changed from 1FA SMS to 2FA codes; I would not trust my 25m in non-reversible money to just 1FA SMS codes.

      Assuming whatever bad website he was using was using SMS 2FA as one factor, they should not have been able to log into the account unless they are using SMS 1FA as the password reset option, which is comicle.

      What site was he using that allowed SMS to be used purely to bypass the password?

      1. Youngone Silver badge

        Re: A Fool And His Money...

        comicle

        Yes.

        Yes it is.

    3. leexgx

      Re: A Fool And His Money..

      AT&T for its part has promised to fight the lawsuit. "We dispute these allegations and look forward to presenting our case in court," said a representative.

      Well, what does AT&T have to dispute? They violated their own rules on their own security practices (if anything, that store employee should be fired, fined and jailed for bypassing high-risk security measures).

      1. gnarlymarley

        Re: A Fool And His Money..

        Well, what does AT&T have to dispute? They violated their own rules on their own security practices (if anything, that store employee should be fired, fined and jailed for bypassing high-risk security measures).

        If this is true, then AT&T, while maybe not liable for the bitcoins directly, will be liable for the false sense of security.

        Also, (again if true) this may encourage AT&T to start blocking 2FA, to prevent further liability. Even if the guy was to walk away with only a few dollars, I would still think about the damage a case like this could make for 2FA.

  2. JeffyPoooh

    So much for the "what you have" 2nd factor...

    Turns out it's effectively virtual.

    'Poof', and it's effectively transferred.

    Not exactly "what you have".

    1. eldakka

      Re: So much for the "what you have" 2nd factor...

      Turns out it's effectively virtual.

      It's not effectively virtual, it is virtual.

      The problem is, people think that in this sort of 2FA the "what you have" is a phone. It's not. It's the phone number. And since phone numbers aren't a physical thing, and, as has been amply demonstrated, can be transferred to someone else electronically, the antithesis of physical, there is no "what you have" element in this type of 2FA.

      1. Cuddles

        Re: So much for the "what you have" 2nd factor...

        "there is no "what you have" element in this type of 2FA."

        True, but it's worth bearing in mind that that doesn't necessarily mean it's bad or useless. Something you know and something you have are the traditional factors used for 2FA, but they're not the only ones possible. In this case, the second factor is rather "something you have access to". In some ways it's less secure than a physical thing, since access can be transferred to someone else potentially without you even knowing. But in other ways it's potentially more secure - theft of physical things happens a lot, but stealing a locked phone doesn't get you access to the phone number.

        In particular, in a case like this which appears to be a clearly targeted attack, no amount of security is really enough. If he'd had a physical authenticator instead of using SMS, someone could have just hit him over the head and taken it.

        1. israel_hands

          Re: So much for the "what you have" 2nd factor...

          theft of physical things happens a lot, but stealing a locked phone doesn't get you access to the phone number.

          Yes it does. You take the SIM out and swap it into a phone you can unlock. That's just a low-tech version of the same attack detailed in the article.

          I agree though that SMS is not a secure form of 2FA. Too easy to compromise, whether through social-engineering, theft or SS7 attacks.

          1. gnarlymarley

            Re: So much for the "what you have" 2nd factor...

            I agree though that SMS is not a secure form of 2FA. Too easy to compromise, whether through social-engineering, theft or SS7 attacks.

            And this is why SMS will *never* be a secure method of authentication in my mind.

    2. big_D Silver badge

      Re: So much for the "what you have" 2nd factor...

      That has always been my contention, it has been common knowledge for several years that using SMS for banking TANs or 2FA is a security no-no.

      Using a code generator on a smartphone is okay, as long as the service you are trying to access isn't running on the same smartphone, because that is the single point of failure. If the phone is lost or stolen, they have access to the service and the code.

      I use hardware OTP generators. My bank uses a card reader and reads a visual, flashing barcode on the screen (destination account + transaction amount), combines it with the reader's unique key and the chip on my debit card, and generates a one time token, which I have to type in. This works on my PC or my phone.

      Likewise, for password security, I use a Yubikey Neo (USB + NFC means I can use it on a PC or on my smartphone). That means that even if my password is hacked, without the physical token, they can't access my account. If the key is stolen, they can't hack the account without the password. If I lose the Yubikey, I have a second Yubikey and printed OTPs in my safe to access the account.

      Any bank or website doing SMS 2FA in 2018 is doing it wrong.

      1. Nate Amsden

        Re: So much for the "what you have" 2nd factor...

        You seem to be focusing too much on hacking your account via their website because you use fancy 2FA, and not mentioning hacking the account via social engineering through the phone lines or in person.

        For example I have a pass code on one of my bank accounts, if I call in they are supposed to ask me for the pass code before they can do anything. Though there is a way around that pass code if you provide enough personal information about yourself to verify you are who you say you are.. I can imagine without this the companies would be bombarded with complaints from users who do forget their shit. Can be a tough balancing act.

        In the case of a bank account, or even a bitcoin site with millions of dollars of your own funds.. I have to believe there are ways around fancy 2FA in the event such tokens are lost/stolen/something. I mean I can't imagine an organization saying "sorry we can't authorize you because you lost your token(s) so your $24M gone forever".

        Had this money been stolen from a FDIC insured account (knowing there are limits to the $/account that are insured) would FDIC and/or the bank cover the losses (at least to the limit of the insured value)? Or is FDIC only used for things like in person bank robberies?

  3. Dropper

    Maginot Line

    Ironic he should mention the "Maginot Line" line.. because as with the original, what cost him was his unshakeable faith in what he believed couldn't possibly happen.. did happen.

    The Maginot Line if anyone is interested, is not where the Germans crushed French troops. It was an impervious system of bunkers and fortifications that forced the Germans to re-evaluate and invade France via Holland and Belgium. The British and French had expected this and therefore set up a defensive front in Belgium, part of which included the Ardennes forest, which the French left undermanned. They believed it would be impossible for the Germans to move quickly enough through that region and could therefore reinforce at leisure. Unfortunately they were "wrong". The Germans successfully pushed through, encircled Allied forces and forced the British to retreat to Dunkirk.

  4. whitepines

    Expectations

    Phone service provider fails at being bank. Who knew?

    1. DontFeedTheTrolls

      Re: Expectations

      Phone service was never attempting to be a bank. AT&T has no association to the bitcoin, to the wallet, or to the 2FA application securing the bitcoin, they were simply providing the customer with a data channel.

      It's like buying a season pass for your local bus company then suing them because they can't drop you off on the moon, even though the moon is not one of their published routes.

  5. Anonymous Coward

    Or maybe an insider job

    How to double your money and then some. Nick it yourself and then sue someone else. Nice.

    1. aks

      Re: Or maybe an insider job

      Insider job where you'd tried it once, found out the weaknesses in the system then went for the big one.

  6. Craig 2

    You would think AT&T could look at the existing SIM activity and see that it's still valid & working. At least send a text saying "do you really want to port? 24 hours to respond..."

    1. Anonymous Coward

      Why wait 24 hours? If it really is you wanting to do the port, you should be able to respond immediately while you are in the store / on the phone with them.

      Not that this is 100% reliable, as there are SS7 exploits that let you redirect calls/texts without needing a new SIM. So don't ever use phone or SMS auth to protect anything worth enough money that someone might find it worth their while to target you to steal.

      1. Remy Redert

        Pretty much this. If I want a new SIM, I have to go the provider's store, show my ID and then they will send me a text message with a code. If I have a working phone with that number I can obviously enter the code immediately in the store to unlock the SIM to be programmed to my number and can then immediately activate and use that SIM.

        If I do not have a working phone with that number, the text is still sent and I have to wait 24 hours before corporate will make the SIM and send it to my registered home address. Of course if someone else tries to get a SIM for my number, they'll need an ID that matches mine for the computer to accept it and they'll need that text or a way to intercept or redirect my mail.

        That's a lot of work for something that I'm liable to notice and put an end to as soon as you try to use it.

        1. Nick Stallman

          All that assumes that the underpaid staff at the stores with essentially root access follow that elaborate secure procedure.

          How staff in stores can override a procedure like that I'll never know. It should be automated for them and if the user can't verify themselves then it should be escalated to a special department with tighter controls.

          1. leexgx

            Yep, it should be asking for the PIN that the customer had set, and if it's not provided the SIM swap will be prevented, and they should not be able to override that (not a random underpaid store rep who is going to be looking for a new job soon, unless that's sweeping floors at the jail).

        2. aks

          Not in the stores I've used. Simply go in, get a pay-as-you-go SIM and pay the minimum. In fact, you don't even need to pay the minimum. Once you know the number, it will receive SMS without having any credit.

          1. T. F. M. Reader

            @aks: I am missing something. How exactly will a pay-as-you-go SIM receive an SMS sent to a number assigned to the SIM you lost? What's the point of sending a verification code to a different number?

        3. gnarlymarley

          If I do not have a working phone with that number, the text is still sent and I have to wait 24 hours before corporate will make the SIM and send it to my registered home address.

          Anyone desperate enough to hack this will still make it through. They just might be watching your home address for incoming mail. The IRS scams have seen fake police cars waiting outside a person's home, so having corporate send the SIM to your home address can be pointless if the hacker knows to watch your mailbox.

      2. T. F. M. Reader

        @DougS: you should be able to respond immediately while you are in the store / on the phone with them.

        Not if you've lost the SIM, which I suspect is the most common legitimate cause of a transfer request.
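Craig 2, Remy Redert, Nick Stallman and leexgx between them sketch a port-out policy: a customer-set PIN checked first, a confirmation code sent to the SIM already on the number, a 24-hour hold with delivery by post to the registered address when that code never comes back, and no counter override by store staff. The block below is an added example by the editor that models that policy as a small authorization service; it is not AT&T's process or any carrier's code. The phone numbers, PINs, role names (`store_rep`, `fraud_desk`), the three-strike lockout and the "manual review" outcome are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD_SECONDS = 24 * 3600   # cooling-off period before an unconfirmed port can proceed
MAX_PIN_FAILURES = 3       # lock the line after this many wrong PINs (assumed policy)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are short, so they are stored salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Line:
    number: str
    pin_salt: bytes
    pin_hash: bytes
    sim_inbox: List[str] = field(default_factory=list)  # SMS delivered to the SIM currently on the number
    pin_failures: int = 0
    locked: bool = False


@dataclass
class PortRequest:
    number: str
    created_at: int
    code: str
    state: str = "pending"   # pending -> approved | hold_expired


class PortOutService:
    """PIN first, then a code to the existing SIM. Without that code the request
    waits out HOLD_SECONDS and is fulfilled only by post to the address on file.
    Store staff cannot push a pending request through; the fraud desk can only
    queue it for manual review."""

    def __init__(self) -> None:
        self.lines: Dict[str, Line] = {}
        self.requests: Dict[int, PortRequest] = {}

    def provision(self, number: str, pin: str) -> None:
        salt = os.urandom(16)
        self.lines[number] = Line(number, salt, hash_pin(pin, salt))

    def request_port(self, number: str, presented_pin: str, now: int) -> Optional[int]:
        """Returns a request id, or None when the PIN is wrong or the line is locked."""
        line = self.lines[number]
        if line.locked:
            return None
        if not hmac.compare_digest(hash_pin(presented_pin, line.pin_salt), line.pin_hash):
            line.pin_failures += 1
            line.locked = line.pin_failures >= MAX_PIN_FAILURES
            return None
        line.pin_failures = 0
        code = f"{secrets.randbelow(10 ** 6):06d}"
        req_id = len(self.requests) + 1
        self.requests[req_id] = PortRequest(number, now, code)
        # The code goes to the SIM that is on the number right now, so the
        # legitimate holder both learns of the request and can complete it.
        line.sim_inbox.append(f"Port-out code {code}. If you did not request this, call us.")
        return req_id

    def latest_code(self, number: str) -> str:
        """What the customer reads off their existing handset."""
        return self.lines[number].sim_inbox[-1].split()[2].rstrip(".")

    def confirm(self, req_id: int, presented_code: str) -> str:
        req = self.requests[req_id]
        if req.state == "pending" and hmac.compare_digest(req.code, presented_code):
            req.state = "approved"
        return req.state

    def fulfil(self, req_id: int, now: int, actor_role: str) -> str:
        """How (and whether) the port is delivered for the given request."""
        req = self.requests[req_id]
        if req.state == "approved":
            return "ported_now"
        if req.state == "pending" and now - req.created_at >= HOLD_SECONDS:
            req.state = "hold_expired"
            return "sim_mailed_to_registered_address"
        if actor_role == "store_rep":
            raise PermissionError("store staff cannot override a pending port-out")
        if actor_role == "fraud_desk":
            return "manual_review"
        return "denied"
```

The design point is that the store rep holds no path that bypasses the customer's own confirmation: the only things a rep can do are start a request (which needs the PIN) and deliver one the system already approved. The residual risk gnarlymarley raises, an attacker watching the mailbox during the hold, is outside what this code can address.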

  7. Mark 85

    ... and look forward to presenting our case in court,"

    Ah, that's something only a lawyer would say.

  8. xyz123 Silver badge

    If AT&T loses, they're out over 200 million dollars

    if they WIN, they could be out BILLIONS because they'll effectively have said they have ZERO security for customers and aren't liable for losses. Business will HAVE to switch.

    1. Anonymous Coward

      Although I do agree with the sentiment, the actuality will probably be far less of an effect. Can anyone here raise their hand/pint having seen blowback on some corporation after proving they have ineffective/useless security? I'm trying hard to remember a case.

      That's why, "We take our/your security seriously" is such a joke.

      1. really_adf

        Can anyone here raise their hand/pint having seen blowback on some corporation after proving they have ineffective/useless security?

        Not sure it meets your criterion, but "TalkTalk lost 101,000 customers and suffered costs of £60m as a result of a cyber-attack".

        However, I think it was a relatively short-term effect (the article suggests the effect was partly due to suspending online sales but I think short memory is probably also relevant).

        1. Anonymous Coward

          TalkTalk was the first one to come to mind while I thought but, as you say, the effects were short-lived looking at recent reports in El Reg. TBS might count if you look at the cock up with people seeing other's accounts. If the ICO does something, which isn't going to be month. That was pre-GDPR. And no one, not even myself, pays attention to the small firms that get wiped out.

  9. DontFeedTheTrolls

    While I'm not currently a millionaire, I suspect even when I am I won't keep millions in my physical wallet, it will be held somewhere that is relatively secure and where loss is underwritten.

    A bitcoin wallet with a couple of passwords doesn't seem to meet the criteria. Keyword "wallet" - either the system was never designed to store high values securely, or people are using it the wrong way to store high values. Coins in a wallet for everyday transactions.

    1. EveryTime

      When I'm a millionaire...

      > "While I'm not currently a millionaire, I suspect even when I am I won't keep millions in my physical wallet, it will be held somewhere that is relatively secure and where loss is underwritten."

      That's probably not what you would do, at least not immediately.

      That $24M in bitcoins likely had a negligible cost basis. So all $24M is taxable, probably at short-term capital gains rates. Depending on exact location that could result in over 50% tax to cash in.

      Combined with the rapid increase in bitcoin value (ignoring the recent dip/crash), it looks like a sound financial choice to not cash out and diversify. Instead you plan to establish residence in a lower tax area, wait for the gains to be classified as long-term, look for tax shelters and let the full amount of the bet ride.

  10. adam payne

    AT&T for its part has promised to fight the lawsuit. "We dispute these allegations and look forward to presenting our case in court," said a representative.

    Well you can't dispute that you ported the number. You can dispute that you aren't responsible for the things that happened after the porting but the porting certainly helped the criminals.

  11. This post has been deleted by its author

    1. Velv

      Re: One thing I don't get though...

      The trouble with using mobile numbers as 2FA...

      is that the mobile number is used as the out of band communication for ANY verification.

      1. Criminal gains control of mobile number.

      2. Criminal goes to website and clicks “forgot password”

      3. Website sends out of band password confirmation to mobile number to verify person requesting password reset is the person on record.

      4. Criminal receives request on mobile number and confirms they requested the password reset.

      5. Criminal logs on with new password

      6. Website sends out of band logon verification to mobile number

      7. Criminal receives request on mobile number and confirms they requested the logon
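Velv's seven steps describe a service in which the password-reset channel and the login-verification channel are the same phone number, so whoever controls the number holds every factor at once. The block below is an added example by the editor, not code from the comment or from any site involved in the case: it plays the steps out against a toy telco that routes SMS to whichever party currently holds the SIM, then repeats them against a variant where the reset additionally needs a one-time recovery code that was only ever shown to the user at enrolment. The names, numbers, codes and passwords are constructed, and passwords are compared in clear only because the model is about the channel design, not credential storage.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class Telco:
    """Routes SMS for a number to whoever currently holds the SIM for it.
    port() is the SIM swap: the victim's handset is untouched, only routing changes."""

    def __init__(self) -> None:
        self.holder: Dict[str, str] = {}
        self.inbox: Dict[str, List[str]] = defaultdict(list)

    def port(self, number: str, new_holder: str) -> None:
        self.holder[number] = new_holder

    def send(self, number: str, text: str) -> None:
        self.inbox[self.holder[number]].append(text)


@dataclass
class Account:
    password: str                      # clear text only because this models channels, not storage
    phone: str
    recovery_codes: Set[str] = field(default_factory=set)
    pending: Dict[str, str] = field(default_factory=dict)   # purpose -> outstanding code


class Service:
    """Password reset and login verification both go to the phone number on file.
    With require_recovery_code=True a reset also needs a code never sent by SMS."""

    def __init__(self, telco: Telco, require_recovery_code: bool = False) -> None:
        self.telco = telco
        self.require_recovery_code = require_recovery_code
        self.accounts: Dict[str, Account] = {}

    def _challenge(self, acct: Account, purpose: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.pending[purpose] = code
        self.telco.send(acct.phone, f"{purpose}:{code}")

    def register(self, user: str, password: str, phone: str, recovery_codes=()) -> None:
        self.accounts[user] = Account(password, phone, set(recovery_codes))

    def forgot_password(self, user: str) -> None:
        self._challenge(self.accounts[user], "reset")

    def reset_password(self, user: str, sms_code: Optional[str], new_password: str,
                       recovery_code: Optional[str] = None) -> bool:
        acct = self.accounts[user]
        if sms_code is None or acct.pending.pop("reset", None) != sms_code:
            return False
        if self.require_recovery_code:
            if recovery_code not in acct.recovery_codes:
                return False
            acct.recovery_codes.discard(recovery_code)   # single use
        acct.password = new_password
        return True

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if password != acct.password:
            return False
        self._challenge(acct, "login")
        return True

    def confirm_login(self, user: str, sms_code: Optional[str]) -> bool:
        return sms_code is not None and self.accounts[user].pending.pop("login", None) == sms_code


def latest(telco: Telco, holder: str, purpose: str) -> Optional[str]:
    """Read the most recent code for `purpose` out of a party's SMS inbox."""
    for text in reversed(telco.inbox[holder]):
        p, _, code = text.partition(":")
        if p == purpose:
            return code
    return None


def run_takeover(require_recovery_code: bool) -> bool:
    """Plays out steps 1-7. Returns True if the attacker ends up logged in."""
    telco = Telco()
    telco.holder["+15550100"] = "victim"
    svc = Service(telco, require_recovery_code)
    svc.register("victim", "correct horse", "+15550100", recovery_codes={"R-7Q2K-9ZD1"})

    telco.port("+15550100", "attacker")                    # 1. attacker controls the number
    svc.forgot_password("victim")                          # 2-3. reset code goes to the number
    if not svc.reset_password("victim", latest(telco, "attacker", "reset"), "pwned"):  # 4. no recovery code in hand
        return False
    svc.login("victim", "pwned")                           # 5-6. login code goes to the same number
    return svc.confirm_login("victim", latest(telco, "attacker", "login"))             # 7.
```

Two "out of band" checks that share one band are one check. The recovery-code variant works for the same reason a TOTP secret or a hardware key does: the second factor is something the carrier never had and so cannot hand over.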

  12. nobatron

    In a way it would be good if he wins this case. SMS 2FA aside the phone companies need a kick up the arse to properly implement process to stop this stuff from happening.

  13. Anonymous Coward

    $24m

    Surely he should only sue for the loss - $24m - the other damages - what are they for? Was he injured, defamed etc?

    If he was high-risk and his coins worth $24m then why didn't he spend '00's protecting his asset? The whole point of risk is you mitigate it. For $24m, I would have personally had that as an offline store with several levels of protection.

  14. Maelstorm Bronze badge

    Stinking Stocks

    AT&T stock has been stinking lately. Now it's going to stink even more regardless of the outcome of this case. Time to move my investment somewhere else. Oh, and stinking is not a city, county, or state in the USA.

    Seriously though, AT&T has had problems with employees in the past who took bribes or did not follow procedures which then enabled further security breaches. The person who did this will most definitely lose their job, and may even face prosecution if it can be proven that they took a bribe. ASSet Protection (also known as Corporate Security) is staffed with former FBI agents who conduct these investigations internally.

    I have a few stories if anyone is interested.

  15. aks

    Where's the evidence

    I'd be very interested in knowing how he can prove how much was in the wallet before the transfer and how much remains.

    Why is this AT&T's issue rather than the coin repository? They are the ones with the 2FA security that's allegedly been broken.

  16. Anonymous Coward

    Yeahbut who uses SMS for 2FA on a critical account anyway?

    PSNs (public switched networks) use the SS7 signalling protocol which was standardized in 1976 (or thereabouts). In 1976, a telephone exchange authenticated another exchange because they were connected by a length of copper.

    That hasn't been the case since VoIP services connected to the PSN.

    See this El Reg article https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
