Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com)
Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter the plaintiff's wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the surge.
The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.
Re: (Score:2)
From TFS: "The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it."
So, yes, in theory it is a great idea... when actually implemented.
Re: (Score:2)
Because his number was ported to AT&T.
All the criminal activity happened on AT&T's side.
But it's ridiculous to go after T-Mobile; they released the number after being given the correct info on the port request, and restored the number after being told the request was fake.
Moral of the story is to keep your personal data private. Nobody did anything wrong here except for the hackers.
Did you really read TFA? You just assume that the so-called "hacker" in the story really did the hack? This is another misused case of the word "hacker"...
Carlos Tapang of Washington state accuses T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th last year. The hackers then cancelled his number and transferred it to an AT&T account under their control. “T-Mobile was unable to contain this security breach until the next day,” when it finally got the number back from AT&T, Tapang alleges in the suit
The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.
The thief called up T-Mobile support and social-engineered the right person to change all information and gain access to the number, and then the person transferred the number to AT&T. Now you tell me why AT&T should be responsible? Also, nobody gives personal info to anyone. Most information you need to do this kind of theft is usually public. It i
Re: (Score:2)
Re: (Score:2)
The suites are fleshies, silly. I really hope this term doesn't catch on.
Re: (Score:2)
https://support.coinbase.com/c... [coinbase.com]
"If you are a United States resident, your Coinbase USD Wallet is covered by FDIC insurance, up to a maximum of $250,000"
Phone Authentication Isn't (Score:5, Insightful)
Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.
Re:Phone Authentication Isn't (Score:4, Insightful)
Well, no.
The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.
Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.
Re: (Score:2)
Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor - they note that you cannot control phone numbers and a phone number does not necessarily lead to the phone in question.
And given the known vulnerabilities in SS7, it's entirely possible to take over a part of the phone network temporarily (especially cellular networks, which use SS7).
Thus, SMS is no longer valid as a mechanism for multi-factor ID.
Re: (Score:3)
You are wrong. Use of the PSTN is now "RESTRICTED [nist.gov]". "Delisted" is not even a category. Further, the guidelines specifically include the use of SMS:
Re: (Score:2)
Re: (Score:2)
e-mail notification problem (Score:2)
This is exactly why I have two e-mail accounts. One for daily use on the phone and one for banking not on the phone. The annoying thing is that makes the banking one hard to check easily. I can't get notifications. And those might be time sensitive.
I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.
Say what? (Score:2)
WTF does the price of Bitcoin have to do with it? If someone stole $20 from me 5 years ago and bo
Re:Say what? (Score:5, Insightful)
WTF does the price of Bitcoin have to do with it?
The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevant. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and the next statement period on the account, if the theft was not discovered immediately because the accountholder was reviewing accounts infrequently, only by reconciling statements with their accounting. Beyond that, LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to.
Re: (Score:2)
The damages are the market value ...
The play money has no value at all.
It's like saying someone stole his pet rocks.
Re: (Score:3)
The damages are the market value ...
The play money has no value at all.
It's like saying someone stole his pet rocks.
That's not true. The money had value at the time it was stolen, based on the fair market value (or what the market would pay for the property at the time that property was stolen or changed without permission), and could have been sold by the legitimate owner for an amount of cash ---- therefore the lost property equals that amount of cash it could've been sold for instead (as of the point in time before the first unauthori
Re: (Score:2)
The money had value at the time it was stolen ...
"Money," in your context is fiat
In the pet rock analogy, the money had value at the time it was stolen ..
The market value of the pet rocks was imaginary and emotional.
You, know, like binary unicorns and stuff.
Re: (Score:2)
"Money," in your context is fiat
The cryptocurrency is also considered a form of money -- in terms of however much fiat the market says that cryptocurrency is worth during a particular day.
The government has already recognized that cryptocurrencies are cash-equivalent if common marketplaces exist for trading them that establish their pricing and worth in fiat.
The market value of the pet rocks was imaginary and emotional.
No... the loss is similar to stolen gold. Your derogatory opinion regarding t
Re: (Score:2)
No... the loss is similar to stolen gold.
TL;DR right after I thought, "How much, precisely, does binary weigh?"
Re: (Score:2)
A lot of binary goods have value despite being purely nothing more than a number.
e-books.
e-books would have been a better analogy that failed.
Re: (Score:2)
This is a stupid and naive point of view. Law enforcement will never eliminate black markets, so we need practical ways to address loss.
The assets controlled by that key have a market value. Theft of the key easily translates to theft of the assets. You can recover the value of lost assets either from the thief or from a party who was responsible for securing them. This is why most parking garages explicitly disclaim responsibility on the tickets---they do not want to be legally responsible for securing you
Re: (Score:2)
How much does a cryptocoin weigh?
Re: (Score:2)
The first thing the guy has to do is show damages.
That requires discoverable evidence.
Also, he has to show violation of contract on the part of the service provider.
Time will tell.
Re: (Score:2)
Hmm if it's like auto insurance, it would only concern the cost to replace the lost item.
That's because your auto insurance policy is actually a contract that specifies how the loss is to be determined and what insurance will pay you.
Generally if you are a business or investor --- then your loss from theft will be the retail dollar amounts on the lost item to include your Lost profits since you would or could have sold those items but the theft got in the way, or at least the number of dollars you paid
Re:Say what? (Score:4, Informative)
Maybe (Score:4, Insightful)
However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.
This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.
Re: (Score:2)
Oooh, big claim. No evidence offered. Probably because it's absolute bollocks.
Maybe they have an old code, but it checks out, right?
Re: (Score:2)
It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure.
CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.
This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security.
If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.
If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP ...
I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.
What does encryption and 2FA have to do with T-Mobile's role in any of this? Sounds to me like you're confused about the underlying issue.
Re: (Score:2)
CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.
Which is a major issue; under no circumstance should a carrier be able to see into a person's account without the person in question providing security keys or turning off account-level encryption.
If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.
I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology. The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of peo
Re: (Score:2)
Which is a major issue; under no circumstance should a carrier be able to see into a person's account without the person in question providing security keys or turning off account-level encryption.
How do they send out bills, manage and provision access if they can't see into a person's account?
I think you mean to say access controls or masking rather than encryption. Encryption makes no sense in this context. The carrier owns subscriber data NOT the customer.
I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology.
Hard to interpret the words "think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully" in any other way than a prayer for legal precedent.
The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.
The IT community is NOT EVER going to discred
Re: (Score:2)
Nobody is deploying key fobs or encryption keys to their customers by default, and even if they did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The chance of IT driving such change is zero.
Wrong! I run two companies, which make IoT-enhanced products; every one of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure. If we need to look into something, such as a product failure, the customer has to go into the software and send us a version of the key that is a one-time hash. Once we have that, we gain access to th
Re: (Score:2)
Wrong! I run two companies, which make IoT-enhanced products; every one of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure.
Good for you but TFA is about Telecom services provided to mortals not "IoT enhanced products". It's hard to parse any relevant point of similarity from this. The issue of encrypting data was in no way relevant to TFA.
The issue was a CSR failing to authenticate account holder requesting an account change. The carrier was managing account information all mobile carriers are required to possess in order to provide service.
I'm not the only person doing this; you can find many companies that will. For instance, look at ProtonMail: they have the same approach, and there are several electronic lab book tools that function the same way, among others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same: "This is how a responsible company handles security. If you want to use insecure devices, go ahead, but I'll never sell you one."
Sorry you lost your encryption key... the phone number you had for the last 40 years
Re: (Score:2)
Everything I talked about is practical and reasonable, and security is the most important first consideration in today's society. People enjoy living easy, insecure lifestyles that are a mess of digital footprints and poor electronic habits, and it's up to people who know better to get them to stop. If your entire argument is you're going to do what you want and no one should force you to do it in a secure way, then you're p
Re: (Score:2)
I was expecting to favor the phone company (Score:5, Insightful)
But when I read they had promised they had put a security code in place but they had not done so, they lost it.
This guy took the appropriate steps, the phone company should pay up.
If you say you have security on your account but do not actually put it in, then you owe the customer money
Re: (Score:3)
The promise to pin-protect better be discoverable, otherwise it didn't happen.
Re: (Score:2)
If they made any effort at all to do it, there will be e-records of the attempt.
If it was done on the phone, there should be some note to do it.
Re: (Score:2)
The pin is set at the carrier and they have precisely the same technology as you and I do, including a Delete key.
A PIN on the PHONE is not of any help. He didn't lose custody of his hardware.
Re: (Score:2)
If it was done on the phone ...
vs
If it was done over the phone ...
Re: (Score:2)
I see your argument, but I'm not sure the phone company can be held liable for losses unrelated and beyond the phone services.
I mean, suppose you'd hired a locksmith to replace the lock on your car door. And he bungled it, and your car was ransacked, and its contents emptied, and then it was set on fire.
Would the locksmith be liable? or is this going to land on your regular car insurance?
I did a quick skim of what locksmith insurance coverage looks like, and it would cover damage or injury caused by the loc
Re: (Score:2)
If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it.
The phone company did a lot more than merely fail to provide a lock, they actively helped the guy steal stuff.
If they hadn't promised a lock, then their help could be described as incidental - guy left things unlocked, they had a reasonable belief they were helping the actual owner. But when they promised the lock but failed to deliver, any and everything they did to
Re: (Score:2)
"If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it."
Really? By that logic the bank teller cooperating with the guy with the gun is now an accomplice because 'they physically helped' with the crime. Obviously, the bar is a little higher than that.
If the locksmith assisted the thieves, that's quite different from the thieves taking advantage of a mistake the locksmith made.
" But when they promised the lock but fail t
Re: (Score:2)
But when I read they had promised they had put a security code in place but they had not done so, they lost it.
Yesterday (the day after this story was posted), I got an SMS from T-Mobile:
T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: ...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's not what is happening here. People will set up account recovery with their phone used as a relay for a recovery pin. Most likely he has some kind of online wallet linked to it.
and that is somehow better? if anything that is even worse. at least a phone you can have encryption, password/pin protection etc.
Re: (Score:2)
Re: (Score:1)
You stored thousands in coins on your phone. YOUR PHONE! Stupid is as stupid does.
No, he didn't store it on his phone. HIS PHONE!
It was however his two factor number used for the SMS to verify it was him logging in.
Let that be a lesson to anyone that thinks using your phone number for two factor is a good idea.
Re: (Score:2)
Before throwing around accusations of stupidity I suggest actually reading the article.
Re: (Score:2)
I'm sure T-Mobile will use some weasel words in their terms and conditions to say they aren't responsible for anything beyond the lost wireless service time.
The thing which will argue against that is in your example of the security guard only able to lose his job, to better fit the circumstances the security guard would have agreed to require a secret code (say, a PIN) to validate visitors and instead he told the burglars to come right in, no code required, let me open the door for you. That may still get hi
T-mobile's security is shit (Score:3)
I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.
They need to let you choose your own login account names and some security questions.
Just way too lax helping you keep your account secure.
Re: (Score:2)
Why are you using a shitty NVMO when you should use a good MVNO instead?
Re: (Score:2)
Just way too lax helping you keep your account secure.
Hey, it's better, at least. At one point they were relying on client-side javascript for security.
They need to let you choose your own login account names
As many cell services do, they run an SMS/email gateway. It USED to be that you could select your own username. E.g., foobear@tmomail.net. You could give that to someone so they could send you SMS via email and they wouldn't have your phone number, too. You could change it if they became a problem. They dropped that with little to no notice, so now if you tell someone your cell's email address they also have y
Re: (Score:2)
It's far too easy for people to break in since all you need is the phone number and some personal information.
Good thing the security is rock-solid for the gatekeepers of people's personal information: TransUnion, Experian, and Equifax.
Oh, wait...
Also, answers to security questions tend to boil down to 'personal information'. What's REALLY needed is some kind of interactive test that gets at the core of how someone thinks, in a way that's stable over time, and the exact test can be slightly randomized each time yet the results will always be verifiable as a particular person. Like imagine the Google 'choose all the
Re: (Score:1)
They could call and send you an email at least, asking if you really want to make the change.
Re: (Score:1)
I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.
They need to let you choose your own login account names and some security questions.
Just way too lax helping you keep your account secure.
If you're stuck with crappy pre-defined security questions for which a hacker could find the correct answer, you just need to use "secure" answers! Father's middle name? Oldsmobile! First school you attended? Burrito!
Mmmmm. Bitcoin and Cellphones... (Score:2)
Now there's a match made in heaven! The least secure form of "currency" or "investment" managed via the least secure form of electronic surveillance / communications device.
Who could have foreseen this sort of problem?
How does he get around mandatory arbitration? (Score:5, Interesting)
T-Mobile isn't going to want this anywhere near a jury.
Re: (Score:1)
Some states don't allow mandatory arbitration, like California. I'm not sure if Washington does, but it's a possibility.
Re: (Score:2)
SCOTUS upheld federal law permitting mandatory arbitration, which trumps state law
https://www.reuters.com/articl... [reuters.com]
Phone customers want poor security (Score:2)
Multifactor authentication is a scam (Score:2)
People are being misled en masse into believing 2FA exists to protect them and enhance security, when in reality this technology is pushed almost exclusively in public settings as a means to not have to deal with people forgetting their passwords.
Automated reset facilities result effectively in factor x OR factor y rather than factor x AND factor y. This predictably results in a significant reduction of security in the name of not having to deal with considerable administrative burden of "I forgot my passwo
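The "factor x OR factor y" point can be checked mechanically. The following is an added example, not code from the thread: it models an account's login and recovery paths as rules ("holding these factors grants this one"), then enumerates which minimal sets of factors an attacker would need to reach account control. The two policies and the factor names are constructed for illustration; the weak policy mirrors the SMS-based password reset discussed in this thread, the hardened one keeps a non-phone factor in every path.

```python
from itertools import combinations

# A rule is (factors_needed, factor_granted). Reaching "account" means control.
# Constructed policies for illustration, not any real provider's configuration.
WEAK_POLICY = {
    "base": {"password", "sms"},
    "rules": [
        (frozenset({"sms"}), "password"),             # SMS-only password reset
        (frozenset({"password", "sms"}), "account"),  # login: password AND sms
    ],
}
HARDENED_POLICY = {
    "base": {"password", "totp", "email"},
    "rules": [
        (frozenset({"email", "totp"}), "password"),    # reset still needs TOTP
        (frozenset({"password", "totp"}), "account"),  # login: password AND totp
    ],
}


def closure(have, rules):
    """Apply rules until no new factor is granted (forward chaining)."""
    have = set(have)
    changed = True
    while changed:
        changed = False
        for needed, granted in rules:
            if granted not in have and needed <= have:
                have.add(granted)
                changed = True
    return have


def minimal_attacker_sets(base_factors, rules, goal="account"):
    """Smallest sets of base factors from which `goal` becomes reachable.

    Subsets are enumerated by increasing size, so any superset of a set already
    known to reach the goal is skipped; the result contains only minimal sets.
    """
    factors = sorted(base_factors)
    minimal = []
    for size in range(1, len(factors) + 1):
        for combo in combinations(factors, size):
            candidate = frozenset(combo)
            if any(m <= candidate for m in minimal):
                continue
            if goal in closure(candidate, rules):
                minimal.append(candidate)
    return minimal


def effective_factor_count(policy):
    """How many independent factors an attacker must hold in the cheapest path."""
    sets = minimal_attacker_sets(policy["base"], policy["rules"])
    return min(len(s) for s in sets) if sets else None


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        sets = minimal_attacker_sets(policy["base"], policy["rules"])
        print(name, [sorted(s) for s in sets], "effective factors:",
              effective_factor_count(policy))
```

Run as-is, the weak policy collapses to a single factor (control of the SMS channel alone suffices, because the reset path hands over the password), while the hardened policy needs two factors on every path. The same closure check can be applied to any recovery flow a service offers: add the flow as a rule and see whether the minimum drops to one.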
Re: (Score:2)
You are an idiot.
No shit.
2FA has nothing to do with what you described.
This should be obvious to all. My comments had absolutely nothing to do with 2FA as an idea or technology.
They were limited exclusively to IMPLEMENTATION of technology.
2FA as actually deployed in majority of public facing environments is provably LESS SECURE than passwords alone.
Re: (Score:2)
2FA is more secure than username/password authentication. Take a break from arguing reality.
Had you RTFA, you would have found out the second factor (smartphone) was used to bypass having to know the user's password by leveraging the automated password reset facility.
SIM swap fraud (Score:1)
This type of attack is quite common in South Africa, where it is called SIM swap fraud.
In most cases, a corrupt employee at a store of the network assists criminals to obtain a new SIM for a customer's account. They then use that, with credentials obtained elsewhere (likely phishing), to get into the user's internet banking and transfer money away.
Using push notifications to an app prevents this. Other things that work are HOTP or TOTP tokens instead.
Re: (Score:1)
This seems to be a case of a fraudulent port of the number though... Here the subscriber needs to confirm before a port is allowed to take place.
It also seems to be a password reset token, not a normal 2-factor auth...
(The main way to deal with that, would likely be to send a code/confirmation link to both the user's email and phone) (Chances that both are compromised is much lower...)
This is why we need identity companies. (Score:3)
The way it should work is that you confirm your identity with an identity provider. Other companies verify with them. Authorization has to be digitally signed by multiple parties. These companies would have specific procedures for recovering identities and would free other companies from having to deal with it. The procedures you agree to with the identity company are binding and chosen by you.
This is why you have key fobs, which can even be Bluetooth. Unhackable, as they only receive and transmit data. Which you should only use like a digital signature. How often would a person use their signature back when people used checks? Don't let web sites force you to use them for signing in or accepting EULAs.
Use a burner phone under assumed name? (Score:2)
If I had that much money backed by a phone number, I'd get a $10/month PAYG (Pay As You Go) phone under an assumed name. Say your name is "Joe Blow". Bad guys know it, and can find the number associated with that name. They know which phone number they have to socially engineer.
But if you have a burner phone, under the name "Jane Doe", that you use to receive SMS confirmations, that'll be more secure. Obviously, have the phone rooted, and Google/Facebook/etc "cr-apps" removed, and don't give out that phone
Re: (Score:2)
Buy T Mobile, our phones suck and our prices are high
T-Mobile has the same Samsung Galaxy S8 and iPhone X as AT&T, Sprint, and Verizon and, with Sprint as the possible exception, has better pricing than the rest. The fuck you talkin' about?
Re: (Score:2)
Re: (Score:2)
But the important thing is that diverse babies are really important. Anybody that doesn't think diverse babies are really awesome must be Hitler. Buy T Mobile, our phones suck and our prices are high, but diverse babies.
What is that drivel supposed to mean?