
Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com) 85

Posted by BeauHD from the properly-allowed dept.
Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter a customer's wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

  • Phone Authentication Isn't (Score:5, Insightful)

    by mentil ( 1748130 ) on Monday February 05, 2018 @08:50PM (#56074421)

    Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

    • Re: (Score:3)

      by msauve ( 701917 )
      "Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

      Well, no.

      The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was jus

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        phone/SMS thing is supposed to be only one factor in a multi-factor ID system.

        Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor - they note that you cannot control phone numbers and a phone number does not necessarily lead to the phone in question.

        And given the known vulnerabilities in SS7, it's entirely possible to take over a part of the phone network temporarily (especially cellular networks, which use SS7).

        Thus, SMS is no longer valid as a mechanism for multi-factor ID

    • This is exactly why I have two e-mail accounts. One for daily use on the phone and one for banking not on the phone. The annoying thing is that makes the banking one hard to check easily. I can't get notifications. And those might be time sensitive.

      I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.

  • steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin,"

    WTF does the price of Bitcoin have to do with it? If someone stole $20 from me 5 years ago and bo

    • Re:Say what? (Score:4, Interesting)

      by mysidia ( 191772 ) on Monday February 05, 2018 @09:18PM (#56074497)

      WTF does the price of Bitcoin have to do with it?

      The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevant. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and next statement period on the account, if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently only by reconciling statements with their accounting. Beyond that, LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to.

      • The damages are the market value ...

        The play money has no value at all.

        It's like saying someone stole his pet rocks.

        • Re: (Score:3)

          by mysidia ( 191772 )

          The damages are the market value ...

          The play money has no value at all.

          It's like saying someone stole his pet rocks.

          That's not true. The money had value at the time it was stolen, based on the fair market value (or what the market would pay for the property at the time that property was stolen or changed without permission) and could have been sold by the legitimate owner for an amount of cash ---- therefore the lost property equals that amount of cash it could've been sold for instead (As of the point in time before the first unauthori

          • The money had value at the time it was stolen ...

            "Money," in your context is fiat

            In the pet rock analogy, the money had value at the time it was stolen ..

            The market value of the pet rocks was imaginary and emotions.

            You, know, like binary unicorns and stuff.

    • Re:Say what? (Score:4, Informative)

      by Comrade Ogilvy ( 1719488 ) on Monday February 05, 2018 @09:20PM (#56074503)
      In a civil case, it is always reasonable to suggest the replacement costs of that which was damaged or stolen. Judges and juries who agree with the plaintiff's argument regarding fault do not automatically accept such price numbers, for various reasons, including the prices swinging too much to set an obvious number.

  • Maybe (Score:4, Insightful)

    by Murdoch5 ( 1563847 ) on Monday February 05, 2018 @09:09PM (#56074465)
    It sounds like AT&T or T-Mobile (not sure which carrier) was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

    However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

    This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

    • It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure.

      CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

      This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security.

      If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

      If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP ...

      I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

      What do encryption and 2FA have to do with T-Mobile's role in any of this? Sounds to me like you're confused about the underlying issue.

  • I was expecting to favor the phone company (Score:5, Insightful)

    by gurps_npc ( 621217 ) on Monday February 05, 2018 @09:31PM (#56074515) Homepage

    But when I read they had promised they had put a security code in place but they had not done so, they lost it.

    This guy took the appropriate steps, the phone company should pay up.

    If you say you have security on your account but do not actually put it in, then you owe the customer money

    • The promise to pin-protect better be discoverable, otherwise it didn't happen.

      • If they made any effort at all to do it, there will be e-records of the attempt.
        If it was done on the phone, there should be some note to do it.

        • The pin is set at the carrier and they have precisely the same technology as you and I do, including a Delete key.

          A pin on the PHONE is not of any help. He didn't lose custody of his hardware.

    • Re: (Score:2)

      by vux984 ( 928602 )

      I see your argument, but I'm not sure the phone company can be held liable for losses unrelated and beyond the phone services.

      I mean, suppose you'd hired a locksmith to replace the lock on your car door. And he bungled it, and your car was ransacked, and its contents emptied, and then it was set on fire.

      Would the locksmith be liable? Or is this going to land on your regular car insurance?

      I did a quick skim of what locksmith insurance coverage looks like, and it would cover damage or injury caused by the loc

  • T-mobile's security is shit (Score:3)

    by MatthiasF ( 1853064 ) on Monday February 05, 2018 @09:51PM (#56074577)

    I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

    They need to let you choose your own login account names and some security questions.

    Just way too lax helping you keep your account secure.

    • Just way too lax helping you keep your account secure.

      Hey, it's better, at least. At one point they were relying on client-side javascript for security.

      They need to let you choose your own login account names

      As many cell services do, they run an SMS/email gateway. It USED to be that you could select your own username. E.g., foobear@tmomail.net. You could give that to someone so they could send you SMS via email and they wouldn't have your phone number, too. You could change it if they became a problem. They dropped that with little to no notice, so now if you tell someone your cell's email address they also have y

    • Re: (Score:2)

      by mentil ( 1748130 )

      It's far too easy for people to break in since all you need is the phone number and some personal information.

      Good thing the security is rock-solid for the gatekeepers of people's personal information: TransUnion, Experian, and Equifax.
      Oh, wait...

      Also, answers to security questions tend to boil down to 'personal information'. What's REALLY needed is some kind of interactive test that gets at the core of how someone thinks, in a way that's stable over time, and the exact test can be slightly randomized each time yet the results will always be verifiable as a particular person. Like imagine the Google 'choose all the

    • Re: (Score:1)

      by kyncani ( 873884 )

      They could call and send you an email at least, asking if you really want to make the change.

  • Now there's a match made in heaven! The least secure form of "currency" or "investment" managed via the least secure form of electronic surveillance / communications device.

    Who could have foreseen this sort of problem?

  • How does he get around mandatory arbitration? (Score:3)

    by schwit1 ( 797399 ) on Monday February 05, 2018 @11:41PM (#56074879)

    T-Mobile isn't going to want this anywhere near a jury.

    • Some states don't allow mandatory arbitration, like California. I'm not sure if Washington does, but it's a possibility.

  • Do you really think the phone company enjoys your grandmother calling them and saying she lost her phone and then trying to get her new phone working with her old number? That is the typical phone customer. You can't have good security with most people because they have no good way of authenticating themselves. I spent an hour on the phone with Revenue Canada last week and the first 3 people I spoke to couldn't authenticate themselves, the first thought giving me a number to call them back at was good en

  • People are being misled en masse into believing 2FA exists to protect them and enhance security when reality is this technology is pushed almost exclusively in public settings as a means to not have to deal with people forgetting their passwords.

    Automated reset facilities result effectively in factor x OR factor y rather than factor x AND factor y. This predictably results in a significant reduction of security in the name of not having to deal with considerable administrative burden of "I forgot my passwo
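The point made in the comment above (a reset flow gated by one factor turns "x AND y" into "x OR y") and mentil's earlier advice to avoid services that grant access on the strength of a phone number alone can both be checked mechanically. The following Python is an added example written for this page, not code from any commenter, T-Mobile or an exchange: it models an account's login and recovery paths as sets of factors, computes the closure of what an attacker can reach (completing a reset hands them a new password), and enumerates the minimal factor sets that lead to a session. The policies, path names and factor labels (`sms_code`, `totp`, `recovery_code`, `email_link`) are constructed for the example.

```python
"""Effective-factor analysis of an account's login and recovery paths.

A path needs a set of factors and grants others once completed; a password
reset grants a fresh password, a successful login grants a session. The
weakest minimal set of factors that reaches a session is the account's real
security, whatever the login form advertises. Labels are constructed."""
from dataclasses import dataclass
from itertools import combinations

SESSION = "session"  # pseudo-factor: "attacker holds a logged-in session"


@dataclass(frozen=True)
class Path:
    label: str
    needs: frozenset   # factors that must already be held to complete the path
    grants: frozenset  # factors held afterwards (e.g. the new password a reset sets)


@dataclass(frozen=True)
class AccountPolicy:
    name: str
    paths: tuple

    def reachable(self, held):
        """Fixed point: keep completing any path whose requirements are met."""
        held = set(held)
        changed = True
        while changed:
            changed = False
            for p in self.paths:
                if p.needs <= held and not p.grants <= held:
                    held |= p.grants
                    changed = True
        return frozenset(held)

    def compromised_by(self, held):
        """True if holding exactly these factors leads to a session."""
        return SESSION in self.reachable(held)

    def minimal_compromise_sets(self, candidates):
        """Smallest factor sets (in lexicographic order) that reach a session.
        The account is effectively an OR over these sets."""
        found = []
        cands = sorted(candidates)
        for k in range(1, len(cands) + 1):
            for combo in combinations(cands, k):
                if any(set(f) <= set(combo) for f in found):
                    continue  # a strictly smaller winning set already covers it
                if self.compromised_by(set(combo)):
                    found.append(combo)
        return found


# Constructed policies. WEAK advertises password+SMS at login, but its
# forgot-password flow needs only the SMS code, so the phone number alone
# is enough once a number has been ported to the attacker's handset.
WEAK = AccountPolicy("sms-gated recovery", (
    Path("login", frozenset({"password", "sms_code"}), frozenset({SESSION})),
    Path("forgot-password", frozenset({"sms_code"}), frozenset({"password"})),
))

# HARDENED has no path that a phone number satisfies: login wants an
# authenticator-app code and recovery wants an offline recovery code plus
# an e-mail link (the factor NIST no longer accepts does not appear at all).
HARDENED = AccountPolicy("no phone-number path", (
    Path("login", frozenset({"password", "totp"}), frozenset({SESSION})),
    Path("forgot-password", frozenset({"email_link", "recovery_code"}),
         frozenset({"password"})),
))

ALL_FACTORS = {"password", "sms_code", "totp", "email_link", "recovery_code"}


def sim_swap_outcome(policy):
    """Does controlling only the victim's phone number yield a session?"""
    return policy.compromised_by({"sms_code"})


if __name__ == "__main__":
    for pol in (WEAK, HARDENED):
        print(f"{pol.name}: phone number alone -> {sim_swap_outcome(pol)}")
        print("  minimal factor sets:", pol.minimal_compromise_sets(ALL_FACTORS))
```

The audit question to ask of any service is whether `minimal_compromise_sets` returns a set consisting of a single phone-derived factor; if it does, the second factor on the login page is decorative, because the reset path already provides the first one. The same closure check applies to any chain (e-mail reset that itself resets via SMS, support desk that issues a new SIM on a caller's word), as long as each step is written down as a path.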
