Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com) 120
An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of this clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.
Re: (Score:1)
The court will most likely rule that he's owed BitCoins, not dollars if he wins... wonder how that'll pan out for him if that happens.
Re: Oh no! (Score:3)
Re: (Score:2)
You can only demand what the value of the gold was at time of theft + any interest or other benefits it would’ve brought you until the time you got it back + some punitive damages.
Only if you can prove you were selling it at the point of all-time high (I had an armored truck on standby and instructions with my accountant) can you recover any of that value.
Re:Oh no! (Score:5, Insightful)
It doesn't matter what got stolen. These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue such an item would have but to what the market pays. If that kind of old bottle caps is typically sold on collectors' auctions for X quatloos, the judge will assume a value somewhere around X. Bitcoin is just easier to appraise than most items.
The guy requested multiple additional means of protection, which AT&T agreed to implement. It's not the plaintiff who got repeatedly phished, it was AT&T.
Re: (Score:2)
I agree, but I wonder about of value.
Precisely what was crypto going for at the time of theft.
Can theft be proven?
Isn't crypto all about anonymity?
Re: (Score:2)
Arenâ(TM)t ... heâ(TM)s ...
Lern to tipe.
Re: (Score:2, Troll)
Re: (Score:2)
It's not the plaintiff who got repeatedly phished, it was AT&T.
No.... The perpetrator was the thief, and I would say they managed to scam BOTH the guy and ATT.
That is also another possible outcome for this case. (1) ATT is only Partially responsible for this loss: because the service they provided was Telephone, Data and SMS text message service --- The Terms of Service do not include a warranty that the SMS text message service is "Fit for the purpose of authenticating you", let-alone
Re: (Score:2)
Re: (Score:2)
Just use the same marketing technique that guy with the book about a false narrative of the history of the tulip market! Then there is no limit to the idiocy that people will believe as history. And if you can rewrite the history, then of course you can give your Bulbcoin all the gravitas of a Federation Credit!
Re: (Score:1)
Pretty much.
And having worked for one previous company that is now part of the current monster AT&T, I can pretty much tell you how this account hijack went, because every rep has a version of this story.
1) A male or female voice will have all the right VID (Verified Identification) and want to cut off this account from their abusive spouse
2) There will be notes on the account not to fuck with the account, sometimes multiple notes because it's happened multiple times
3) The representative (usually at the
I hope he wins (Score:2, Insightful)
Not because I think he deserves his money back...
That actually seems like a legit case (Score:4, Interesting)
He might win and in the process force ATT to stop sucking at security. That would be a win for everybody.
Re: (Score:2)
Re: (Score:2)
As far as I know, you cannot put something like:
> In the event of us being negligent we are not responsible
into A TOS and expect it to be enforced. IANAL though.
Re: (Score:2)
I expect AT&T has some sort of terms of service that limits or disclaims their liability.
Yup, it's in the TOS that no one ever reads [att.com].
Of course, if you have any sense to understand what you're getting into, you don't keep $23 million dollars worth of cryptocoins on an unregulated, uninsured crypto exchange either.
Re: (Score:1)
To the full extent allowed by law, you hereby release, indemnify, and hold AT&T and its officers, directors, employees and agents harmless from and against any and all claims of any person or entity for damages of any nature arising in any way from or relating to, directly or indirectly, service provided by AT&T or any person's use thereof (including, but not limited to, vehicular damage and personal injury), INCLUDING CLAIMS ARISING IN WHOLE OR IN PART FROM THE ALLEGED NEGLIGENCE OF AT&T, or any violation by you of this Agreement. This obligation shall survive termination of your Service with AT&T. AT&T is not liable to you for changes in operation, equipment, or technology that cause your Device or Software to be rendered obsolete or require modification.
Wo what was the first factor that failed? (Score:4, Interesting)
But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
Re: (Score:2)
Also by the time the suit gets to court the crypto currency will probably be worth 24 cents. How does it work in America, can you argue for the value as it was at the time or only the current value?
Re: (Score:2)
It's the value at the time of the loss. That seems fair since he would have the opportunity to sell at that value but for AT&T screwing up.
Re: (Score:2)
Regardless of how it works he is currently not in a position to make any trades to prevent that loss. What if he wanted to sell it right now? I see no legal arguement for why value should be at the time of the case rather than at the time of the loss. Not for crypto currencies, not for other tradables, and not for physical items of value either.
Re: (Score:2)
I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.
In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago, they would give you the value of a 5 year old replacement model today.
This could be quite an interesting case because potentiall
Re: (Score:2)
I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.
Again I still don't see that as a valid arguement unless he was able to freely sell the thing he didn't have. He was prevent from extracting the value of the item at the time of the loss.
In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago
We're not talking about purchase price. We're talking about value at the time of the loss. If
Re: (Score:2, Informative)
Usually, the problem is, it's not REALLY two-factor. You just click "I forgot my password" and the supposedly secure system instantly becomes one-factor and sends a link to your phone or email to reset the password!
Or (even worse, in the case of Facebook) sends you a link that gives you access without even resetting the password. A friend of mine only discovered this by mistake after getting a new phone number, which promptly received a text that gave him access to some random dude's Facebook account. He
Re: (Score:2)
I came here to say this... the part about "forgot my password" changes two factor back to one factor... ridiculous. I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.
Re: (Score:1)
I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.
If we were talking a reputable financial institution holding on to your $23 million real dollars, of course they'd want to implement decent security measures. But this most likely involved a theft from a Bitcoin exchange, and thus it becomes a $23 million dollar lesson in the meaning of the word "unregulated".
Insecure exchanges, as usual (Score:1)
But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
If the investor ("crypto gambler" sounds more apt) had their virtual tulip bulbs in their blockchain wallet, there would've been no heist. My best guess would be that the coins were stolen from an account on Coinbase, which uses this sort of 2FA.
So, as much as I loathe AT&T, this is really just another case of someone failing to heed the advice of "don't keep your Bitcoins on an exchange." There are so many ways that can end badly, and most of them don't involve AT&T.
Re: (Score:2)
Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor. But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
Probably had password recovery to his phone. Since they had control of his phone, he didn't even get messages telling him that a password reset was requested for his email account
Re: (Score:3)
No, a phone number is not a second factor
NIST recommendations a few years ago have determined that a phone number is no longer eligible as a "second factor". This includes anything that involves using the phone number - SMS, phone calls, etc. NIST has forseen that phone numbers are not un
NEVER use a mobile number for two-factor (Score:1)
This has been a problem for years. I keep getting prompted to add my phone number to use for "extra security" when really all it does is increase the attack surface and make the account easier for a dedicated attacker to compromise. Considering that dedicated attackers are by far the worst kind, and knowing that not just AT&T but basically all carriers can easily be convinced, by a sob story about a lost phone or similar, to give anyone access to your number, you'd have to be pretty stupid to use that
Re: (Score:1)
Re: (Score:2)
You were very careful to say dedicated multiple times. Two factor auth does protect accounts from "random" brute force password attacks. It has some value.
Moral of the story: (Score:5, Insightful)
When your security matters, telecoms should not be trusted.
Re: (Score:2)
Fixed that for you.
Re: (Score:2)
I wish someone would tell my bank that. They keep bugging me to set up text messages to confirm transfers and payments. I keep telling them no.
Biometrics. But Irony runs deep. (Score:3)
You can't steal someone's identity, in actuality, unless you have their biometric signature within their physical body. This is how to responsibly authenticate access to hundreds of millions of dollars. However, if for some reason your real identity is better kept unknown and shrouded in cryptocurrency to evade taxes and hide the identity of your investors' insider hedges then I guess you get what you deserve from anonymity.
The real problem is the laws regarding banking is stuck in the late 20th Century when bank robbery became "identity theft".
In the 19th Century, they called it bank robbery when the Wells Fargo Stage Coach got robbed.
In the 21st Century, Wells Fargo robs the customer, outright.
As for AT&T, they've been stealing for years.
Make Lawsuits Great Again! (Score:1)
Yay! Sue their pants off. Bigly lawsuits may finally motivate such companies to reduce shortcuts and sloppiness.
Seems the only way to make them care is to kick them in their wallets.
He doesn't have a snowball's chance in hell (Score:1)
Some lawyer is trying this on spec. Maybe he's hoping they'll settle to avoid legal costs.
Re:He doesn't have a snowball's chance in hell (Score:5, Insightful)
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
Re: (Score:2)
It may be turtles all the way down, but that doesn't stop it from being assholes, all the way up.
Re: (Score:2)
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
Uh, the *primary* way SMS 2FS is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news... [mybroadband.co.za]
From the article:
A SIM swap typically happens using the following methods:
* Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
* Stealing passwords from employees at the mobile operators or mobile dealers.
Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of
24 million secured by a phone ? (Score:2)
Cheapskate couldn't spring for an RSA token. The phone company isn't good at security and expecting them to be on a phone plan is ridiculous. If he wanted security he should have bought a plan that explicitly supplied it, instead of trying to create the obligation ex post facto.
Also insurance seems like it would have been in order here.
Re: (Score:2)
Password and security question are ironically more secure. It's how they're implemented that sucks. You'll never find a password on any billing statement, yet in many cases companies will happily display it to their agents.
No personal information should be displayed un-masked unless there is a need to update it (which should be individually re-authenticated and logged), because it might be used to secure the customer's account at a different business entity.
Re: (Score:2)
1. There's no insurance that will work with crypto
2. Most people don't understand RSA tokens, and there's a pretty good chance he would have lost access even to himself going that route.
This site used to have knowledgeable people
1. https://www.reuters.com/articl... [reuters.com]
2. If you are too stupid to use an RSA token your too stupid to have 24 million in bitcoin and the phone company can't do much to help you.
Re: (Score:2)
Everything can be insured.
If you think you found an exception, it only means your insurance agent doesn't think you can afford it!
Re: (Score:3)
OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.
I hope AT&T loses big considering that they screwed up once, agreed to an additional security measure, then ignored the extra measure entirely in the process of screwing up again.
Re: (Score:3)
Isn't it an open question whether using the AT&T phone service as a critical authentication component puts a duty on AT&T to secure their phone service?
Doesn't the organization that decided to use the AT&T phone service as a critical authentication component bear some responsibility for their choice?
If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my go
Re:Oh no, lost monopoly money (Score:5, Insightful)
If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?
No, but if the thieves asked Masterlock to open it and they did, you'd have a much better case.
Re: Oh no, lost monopoly money (Score:2)
The difference is that security companies will have an agreement about how much they're willing to protect, and insurance policies to cover loses up to that amount. Your contract with them will spell out the maximum amount that they will protect or transport for you, and if it goes missing then your losses will be covered.
AT&T is not a security company and has not agreed to protect your valuables. You can certainly sue them for failing to provide the service which you purchased, but expecting them to
An interesting question. Wrong tool for the job? (Score:4, Insightful)
That is indeed an interesting question. There are two different factors at play.
I expect a certain amount of security from a $5 Masterlock.
I expect a greater amount of security from a American Lock Company shrouded shackle that costs $60.
I expect even more security from a $500 Medeco.
Similarly, I expect a pickup truck to be able to carry a 400 pound load. I expect a semi truck to be able to carry a 10,000 pound load. Ford isn't responsible if I put a 10,000 pound load on my F-150 and it doesn't work well. Wrong tool for the job.
Aside from how much security is expected, how much LIABILITY is there? The maker of a $5 lock might reasonably foresee that their lock would be used to secure a $50 item. Medeco knows their locks are used to secure $20,000 jewelry. If you use a $5 to "secure" a $10,000 item, that's on you. You used the wrong lock for the job.
Is a text message designed or expected to secure $xx million? Is it the right tool for the job?
PS it's the thief's fault (Score:3)
BTW people are talking about how much fault AT&T may have vs if this guy is at fault for using the wrong tool for the job. Let us not forget, really it's the thief's fault.
Whenever bad guys hack something, everyone wants to go after the company that got hacked. *IF* the company was reckless, that makes sense to a degree. There's also a criminal involved. That's who REALLY, obviously did something very wrong.
Re: (Score:3)
Is a text message designed or expected to secure $xx million? Is it the right tool for the job?
+1 but out of mod points. That is exactly the right question. And I'm hoping banks are taking notice: over here there seems to be a shift away from air-gapped 2FA (PIN protected challenge/response through a chip on bank cards) because people find it "inconvenient" having to carry the pocket card reader. SMS based 2FA is all the rage now.
Re: (Score:2)
At the least, AT&T agreed to implement an additional security measure which they then ignored entirely (as if it didn't exist). That constitutes a specific promise made and then reneged.
It's notable that at one time, AT&T took security VERY seriously. They still enjoy the reputation even though increasingly it seems undeserved.
Car analogy time (Score:2)
OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.
Car door locks are a common way of securing your vehicle, and they can be easily defeated with a wedge, an inflatable bag, and a bent coat hanger. Car manufacturers need to do better, before someone gets their valuables stolen.
Or perhaps, you can realize the security is inherently shitty and don't rely on a locked car to protect your valuables.
Re: (Score:2)
This is more like you order an extra door security package and then a car thief calls the dealer and they send someone out who gives them a spare key, no questions asked, and wishes them a nice day as they drive off with your car.
Re: (Score:1)
No, this is like Amazon telling you the glove box of your car is a safe place to keep your Amazon stock. Then some criminal gets the car dealer to give them a copy of your car key, and uses it to pilfer your stock.
Re: (Score:2)
Amazon in that analogy was wrong (since they didn't realize glove boxes are no longer made of steel), but that hardly excuses the dealership for their extreme negligence.