Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bitcoin AT&T Communications Security The Almighty Buck The Courts

Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com) 133

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

This discussion has been archived. No new comments can be posted.

Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency

Comments Filter:
  • by mentil ( 1748130 ) on Monday February 05, 2018 @08:50PM (#56074421)

    Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

    • by msauve ( 701917 ) on Monday February 05, 2018 @10:54PM (#56074749)
      "Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

      Well, no.

      The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.

      Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.
      • by tlhIngan ( 30335 )

        phone/SMS thing is supposed to be only one factor in a multi-factor ID system.

        Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor - they note that you cannot control phone numbers and a phone number does not necessarily lead to the phone in question.

        And given the known vulnerabilities in SS7, it's entirely possible to take over a part of the phone network temporarily (especially cellular networks, which use SS7).

        Thus, SMS is no longer valid as a mechanism for multi-factor ID

        • by msauve ( 701917 )
          "Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor"

          You are wrong. Use of the PSTN is now "RESTRICTED [nist.gov]". "Delisted" is not even a category. Further, the guidelines specifically include the use of SMS:

          The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:
          ...
          Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be

    • This is exactly why I have two e-mail accounts. One for daily use on the phone and one for banking not on the phone. The annoying thing is that makes the banking one hard to check easily. I can't get notifications. And those might be time sensitive.

      I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.

  • steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin,"

    WTF does the price of Bitcoin have to do with it? If someone stole $20 from me 5 years ago and bo

    • Re:Say what? (Score:5, Insightful)

      by mysidia ( 191772 ) on Monday February 05, 2018 @09:18PM (#56074497)

      WTF does the price of Bitcoin have to do with it?

      The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevent. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and next statement period on the account; if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently only by reconciling statements with their accounting, Beyond that LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to..

      • The damages are the market value ...

        The play money has no value at all.

        It's like saying someone stole his pet rocks.

        • by mysidia ( 191772 )

          The damages are the market value ...

          The play money has no value at all.

          It's like saying someone stole his pet rocks.

          The play money has no value at all.

          It's like saying someone stole his pet rocks.

          That's not true. The money had value at the time it was stolen Based on The fair market value (Or what the market would pay for the property at the time that property was stolen or changed without permission) and could have been sold by the legitimate owner for an amount of cash ---- therefore the lost property equal that amount of cash it could've been sold for instead (As of the point in time before the first unauthori

          • The money had value at the time it was stolen ...

            "Money," in your context is fiat

            In the pet rock analogy, the money had value at the time it was stolen ..

            The market value of the pet rocks was imaginary and emotions.

            You, know, like binary unicorns and stuff.

            • by mysidia ( 191772 )

              "Money," in your context is fiat

              The cryptocurrency is also considered a form of the money -- in terms of however much fiat the market says that cryptocurrency is worth during a particular day.

              The government has already recognized that cryptocurrencies are cash-equivalent; if common marketplaces exists for trading them that establish their pricing and worth in fiat.

              The market value of the pet rocks was imaginary and emotions.

              No... the loss is similar to stolen gold. Your derogatory opinion regarding t

              • No... the loss is similar to stolen gold.

                TL;DR right after I thought, "How much, precisely, does binary weigh?"

    • Re:Say what? (Score:4, Informative)

      by Comrade Ogilvy ( 1719488 ) on Monday February 05, 2018 @09:20PM (#56074503)
      In a civil case, it is always reasonable to suggest the replacement costs of that which was damaged or stolen. Judges and juries who agree with the plaintiff's argument regarding fault do not automatically accept such price numbers, for various reasons, including the prices swinging too much to set an obvious number.
  • Maybe (Score:4, Insightful)

    by Murdoch5 ( 1563847 ) on Monday February 05, 2018 @09:09PM (#56074465) Homepage
    It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could of been enabled and disabled by the customer, and it's contents were not fully encrypted, to the point that it required an additional layer or security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

    However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

    This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.
    • It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure.

      CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

      This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security.

      If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

      If the account in question did not require at least 2FA+ to access, which could of been enabled and disabled by the customer, and it's contents were not fully encrypted, to the point that it required an additional layer or security to unlock, such as a TOTP ...
      I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

      What does encryption and 2FA have to do with T-Mobiles role in any of this? Sounds to me like your confused about the underlying issue

      • CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

        Which is a major issue, under no circumstance should a carrier be able to see into a persons account, without the person in question providing security keys or turning off account level encryption.

        If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

        I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology. The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of peo

        • Which is a major issue, under no circumstance should a carrier be able to see into a persons account, without the person in question providing security keys or turning off account level encryption.

          How do they send out bills, manage and provision access if they can't see into a persons account?

          I think you mean to say access controls or masking rather than encryption. Encryption makes no sense in this context. The carrier owns subscriber data NOT the customer.

          I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology.

          Hard to interpret the words "think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully" in any other way than a prayer for legal precedent.

          The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

          The IT community is NOT EVER going to discred

          • I'm going to take your reply out of order:

            Nobody is deploying key fobs or encryption keys to their customers by default and even if it did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The change of IT driving such change is zero.

            Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure. If we need to look into something, such as a product failure, the customer has to go into the software and send us a version of the key that is a one time hash. Once we have that we, we gain access to th

            • Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure.

              Good for you but TFA is about Telecom services provided to mortals not "IoT enhanced products". It's hard to parse any relevant point of similarity from this. The issue of encrypting data was in no way relevant to TFA.

              The issue was a CSR failing to authenticate account holder requesting an account change. The carrier was managing account information all mobile carriers are required to possess in order to provide service.

              I'm not the only person doing this, you can find many companies that will, for instance look at ProtonMail, they have the same approach and there are several electronic lab book tools that function the same way, amount others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same, "This is how a responsible company handles security, if you want to use insecure devices, go ahead, but I'll never sell you one.".

              Sorry you lost your encryption key... the phone number you had for the last 40 years

              • Your entire reply sums up to: "It's hard, annoying and I'm going to cry about it"

                Everything I talked about is practical and reasonable, and security is the most important first consideration in todays society. People enjoy living easy, insecure lifestyles, that are a mess of digital footprints and poor electronic habits, and it's up to people who know better to get them to stop. If your entire argument is you're going to do what you want and no one should force you to do it in a secure way, then you're p
  • by gurps_npc ( 621217 ) on Monday February 05, 2018 @09:31PM (#56074515) Homepage

    But when I read they had promised they had put a security code in place but they had not done so, they lost it.

    This guy took the appropriate steps, the phone company should pay up.

    If you say you have security on your account but do not actually put it in, then you owe the customer money

    • The promise to pin-protect better be discoverable, otherwise it didn't happen.

      • If they made any effort at all to do it, there will be e-records of the attempt.
        If it was done on the phone, there should be some note to do it.

        • The pin is set at the carrier and they have precisely the same technology as you and I do, including a Delete key.

          A pin on the PHONE is not of any help. He didn't lose custody his hardware.

    • by vux984 ( 928602 )

      I see your argument, but I'm not sure the phone company can be held liable for losses unrelated and beyond the phone services.

      I mean, suppose you'd hired a locksmith to replace the lock on your car door. And he bungled it, and your car was ransacked, and its contents emptied, and then it was set on fire.

      Would the locksmith be liable? or is this going to land on your regular car insurance?

      I did a quick skim of what locksmith insurance coverage looks like, and it would cover damage or injury caused by the loc

      • If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it.

        The phone company did a lot more than merely fail to provide a lock, they actively helped the guy steal stuff.

        If they hadn't promised a lock, than their help could be described as incidental - guy left things unlocked, they had a reasonable belief they were helping the actual owner. But when they promised the lock but fail to delier, any and everything they did to

        • by vux984 ( 928602 )

          "If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it."

          Really? By that logic the bank teller cooperating with the guy with the gun is now an accomplice because 'they physically helped' with the crime. Obviously, the bar is a little higher than that.

          If the locksmith assisted the theives that's quite different from the thieves taking advantage of a mistake the locksmith made.

          " But when they promised the lock but fail t

    • But when I read they had promised they had put a security code in place but they had not done so, they lost it.

      Yesterday (the day after this story was posted), I got an SMS from T-Mobile:

      T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: ...

  • by MatthiasF ( 1853064 ) on Monday February 05, 2018 @09:51PM (#56074577)

    I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

    They need to let you choose your own login account names and some security questions.

    Just way too lax helping you keep your account secure.

    • Just way too lax helping you keep your account secure.

      Hey, it's better, at least. At one point they were relying on client-side javascript for security.

      They need to let you choose your own login account names

      As many cell services do, they run an SMS/email gateway. It USED to be that you could select your own username. E.g., foobear@tmomail.net. You could give that to someone so they could send you SMS via email and they wouldn't have your phone number, too. You could change it if they became a problem. They dropped that with little to no notice, so now if you tell someone your cell's email address they also have y

    • by mentil ( 1748130 )

      It's far too easy for people to break in since all you need is the phone number and some personal information.

      Good thing the security is rock-solid for the gatekeepers of people's personal information: TransUnion, Experian, and Equifax.
      Oh, wait...

      Also, answers to security questions tend to boil down to 'personal information'. What's REALLY needed is some kind of interactive test that gets at the core of how someone thinks, in a way that's stable over time, and the exact test can be slightly randomized each time yet the results will always be verifiable as a particular person. Like imagine the Google 'choose all the

    • by kyncani ( 873884 )

      They could call and send you an email at least, asking if you really want to make the change.

    • by sh00z ( 206503 )

      I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

      They need to let you choose your own login account names and some security questions.

      Just way too lax helping you keep your account secure.

      If you're stuck with crappy pre-defined security questions for which a hacker could find the correct answer, you just need to use "secure" answers! Father's middle name? Oldsmobile! First school you attended? Burrito!

  • Now there's a match made in heaven! The least secure form of "currency" or "investment" managed via the least secure form of electronic surveillance / communications device.

    Who could have foreseen this sort of problem?

  • by schwit1 ( 797399 ) on Monday February 05, 2018 @11:41PM (#56074879)

    T-Mobile isn't going to want this anywhere near a jury.

  • Do you really think the phone company enjoys your grandmother calling them and saying she lost her phone and then trying to get her new phone working with her old number? That is the typical phone customer. You can't have good security with most people because they have no good way of authenticating themselves. I spend an hour on the phone with Revenue Canada last week and the first 3 people I spoke to couldn't authenticate themselves, the first thought giving me a number to call them back at was good en
  • People are being mislead enmasse into believing 2FA exists to protect them and enhance security when reality is this technology is pushed almost exclusively in public settings as a means to not have to deal with people forgetting their passwords.

    Automated reset facilities result effectively in factor x OR factor y rather than factor x AND factor y. This predictably results in a significant reduction of security in the name of not having to deal with considerable administrative burden of "I forgot my passwo

  • This type of attack is quick common in South Africa, where it is called SIM swap fraud.

    In most cases, a corrupt employee at a store of the network assists criminals to obtain a new sim for a customer's account. They then use that, with credentials obtained elsewhere (likely phishing) to get into the user's internet banking and transfer money away.

    Using push notifications to an app prevents this. Other things that work is to use HOTP or TOTP tokens instead.

    • by MoHaG ( 1002926 )

      This seems to be a case of a fraudulent port of the number though... Here the subscriber needs to confirm before a port is allowed to take place.

      It also seems to be a password reset token, not a normal 2-factor auth...

      (The main way to deal with that, would likely be to send a code/confirmation link to both the user's email and phone) (Chances that both are compromised is much lower...)

  • by BlueCoder ( 223005 ) on Tuesday February 06, 2018 @07:31AM (#56075835)

    The way it should work is that you confirm you identity with an identity provider. Other companies verify with them. Authorization has to be digitally signed by multiple parties. These companies would have specific procedures for recovering identities and would free other companies from having to deal with it. The procedures you agree to with the identity company are binding and chosen by you.

    This is why you have key fobs which can even be Bluetooth. Unhackable as they only receive and transmit data. Which you should only use like a digital signature. How often would a person use their signature back when people used checks? Don't let web sites to force you to use them for signing in or accepting EULA's.

  • If I had that much money backed by a phone number, I'd get a $10/month PAYG (Pay As You Go) phone under an assumed name. Say your name is "Joe Blow". Bad guys know it, and can find the number associated with that name. They know which phone number they have to socially engineer.

    But if you have a burner phone, under the name "Jane Doe", that you use to receive SMS confirmations, that'll be more secure. Obviously, have the phone rooted, and Google/Facebook/etc "cr-apps" removed, and don't give out that phone

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...