Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
AT&T The Courts Security The Almighty Buck

Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com) 120

An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of this clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.
This discussion has been archived. No new comments can be posted.

Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft

Comments Filter:
  • I hope he wins (Score:2, Insightful)

    by Anonymous Coward

    Not because I think he deserves his money back...

    .. but rather because if AT&T pays a penalty for lax security, then maybe (finally!) there will be incentive to improve security practices in the industry.

  • by Anonymous Coward on Wednesday August 15, 2018 @05:07PM (#57133890)

    He might win and in the process force ATT to stop sucking at security. That would be a win for everybody.

    • by Luthair ( 847766 )
      I expect AT&T has some sort of terms of service that limits or disclaims their liability. I similar problem is if you place valuable items in your luggage the airline has a fixed amount they will cover.
      • by ASDFnz ( 472824 )

        As far as I know, you cannot put something like:

        > In the event of us being negligent we are not responsible

        into A TOS and expect it to be enforced. IANAL though.

      • I expect AT&T has some sort of terms of service that limits or disclaims their liability.

        Yup, it's in the TOS that no one ever reads [att.com].

        Of course, if you have any sense to understand what you're getting into, you don't keep $23 million dollars worth of cryptocoins on an unregulated, uninsured crypto exchange either.

        • by Anonymous Coward

          To the full extent allowed by law, you hereby release, indemnify, and hold AT&T and its officers, directors, employees and agents harmless from and against any and all claims of any person or entity for damages of any nature arising in any way from or relating to, directly or indirectly, service provided by AT&T or any person's use thereof (including, but not limited to, vehicular damage and personal injury), INCLUDING CLAIMS ARISING IN WHOLE OR IN PART FROM THE ALLEGED NEGLIGENCE OF AT&T, or any violation by you of this Agreement. This obligation shall survive termination of your Service with AT&T. AT&T is not liable to you for changes in operation, equipment, or technology that cause your Device or Software to be rendered obsolete or require modification.

  • by ffkom ( 3519199 ) on Wednesday August 15, 2018 @05:07PM (#57133894)
    Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

    But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
    • by AmiMoJo ( 196126 )

      Also by the time the suit gets to court the crypto currency will probably be worth 24 cents. How does it work in America, can you argue for the value as it was at the time or only the current value?

      • by sjames ( 1099 )

        It's the value at the time of the loss. That seems fair since he would have the opportunity to sell at that value but for AT&T screwing up.

      • Regardless of how it works he is currently not in a position to make any trades to prevent that loss. What if he wanted to sell it right now? I see no legal arguement for why value should be at the time of the case rather than at the time of the loss. Not for crypto currencies, not for other tradables, and not for physical items of value either.

        • by AmiMoJo ( 196126 )

          I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.

          In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago, they would give you the value of a 5 year old replacement model today.

          This could be quite an interesting case because potentiall

          • I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.

            Again I still don't see that as a valid arguement unless he was able to freely sell the thing he didn't have. He was prevent from extracting the value of the item at the time of the loss.

            In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago

            We're not talking about purchase price. We're talking about value at the time of the loss. If

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Usually, the problem is, it's not REALLY two-factor. You just click "I forgot my password" and the supposedly secure system instantly becomes one-factor and sends a link to your phone or email to reset the password!
      Or (even worse, in the case of Facebook) sends you a link that gives you access without even resetting the password. A friend of mine only discovered this by mistake after getting a new phone number, which promptly received a text that gave him access to some random dude's Facebook account. He

      • I came here to say this... the part about "forgot my password" changes two factor back to one factor... ridiculous. I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.

        • I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.

          If we were talking a reputable financial institution holding on to your $23 million real dollars, of course they'd want to implement decent security measures. But this most likely involved a theft from a Bitcoin exchange, and thus it becomes a $23 million dollar lesson in the meaning of the word "unregulated".

    • But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      If the investor ("crypto gambler" sounds more apt) had their virtual tulip bulbs in their blockchain wallet, there would've been no heist. My best guess would be that the coins were stolen from an account on Coinbase, which uses this sort of 2FA.

      So, as much as I loathe AT&T, this is really just another case of someone failing to heed the advice of "don't keep your Bitcoins on an exchange." There are so many ways that can end badly, and most of them don't involve AT&T.

    • Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor. But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      Probably had password recovery to his phone. Since they had control of his phone, he didn't even get messages telling him that a password reset was requested for his email account

    • by tlhIngan ( 30335 )

      Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

      But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      No, a phone number is not a second factor

      NIST recommendations a few years ago have determined that a phone number is no longer eligible as a "second factor". This includes anything that involves using the phone number - SMS, phone calls, etc. NIST has forseen that phone numbers are not un

  • by Anonymous Coward

    This has been a problem for years. I keep getting prompted to add my phone number to use for "extra security" when really all it does is increase the attack surface and make the account easier for a dedicated attacker to compromise. Considering that dedicated attackers are by far the worst kind, and knowing that not just AT&T but basically all carriers can easily be convinced, by a sob story about a lost phone or similar, to give anyone access to your number, you'd have to be pretty stupid to use that

    • That's one of the areas where humans should be replaced with some clever biometrics or AI. Human emotions, subjective judgements and not following procedures would be entirely taken out of equation.
    • by laffer1 ( 701823 )

      You were very careful to say dedicated multiple times. Two factor auth does protect accounts from "random" brute force password attacks. It has some value.

  • by Gravis Zero ( 934156 ) on Wednesday August 15, 2018 @05:21PM (#57133966)

    When your security matters, telecoms should not be trusted.

    • Telecoms should not be trusted

      Fixed that for you.

    • by AmiMoJo ( 196126 )

      I wish someone would tell my bank that. They keep bugging me to set up text messages to confirm transfers and payments. I keep telling them no.

  • by Bob_Who ( 926234 ) on Wednesday August 15, 2018 @05:26PM (#57133996) Journal

    You can't steal someone's identity, in actuality, unless you have their biometric signature within their physical body. This is how to responsibly authenticate access to hundreds of millions of dollars. However, if for some reason your real identity is better kept unknown and shrouded in cryptocurrency to evade taxes and hide the identity of your investors' insider hedges then I guess you get what you deserve from anonymity.

    The real problem is the laws regarding banking is stuck in the late 20th Century when bank robbery became "identity theft".

    In the 19th Century, they called it bank robbery when the Wells Fargo Stage Coach got robbed.

    In the 21st Century, Wells Fargo robs the customer, outright.

    As for AT&T, they've been stealing for years.

  • Yay! Sue their pants off. Bigly lawsuits may finally motivate such companies to reduce shortcuts and sloppiness.

    Seems the only way to make them care is to kick them in their wallets.

  • He was obviously hacked. It's his fault.
    Some lawyer is trying this on spec. Maybe he's hoping they'll settle to avoid legal costs.
    • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Wednesday August 15, 2018 @06:09PM (#57134204) Homepage

      Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

      You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

      • Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

        You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

        Uh, the *primary* way SMS 2FS is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news... [mybroadband.co.za]

        From the article:

        A SIM swap typically happens using the following methods:
        * Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
        * Stealing passwords from employees at the mobile operators or mobile dealers.

        Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of

  • Cheapskate couldn't spring for an RSA token. The phone company isn't good at security and expecting them to be on a phone plan is ridiculous. If he wanted security he should have bought a plan that explicitly supplied it, instead of trying to create the obligation ex post facto.

    Also insurance seems like it would have been in order here.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...