
Man Sues AT&T, Saying He Lost $1.8 Million In Cryptocurrency With SIM Card Hack (go.com) 41

A California man is suing AT&T after he says one of its employees allowed a hacker to access his cell phone number, which resulted in his data being compromised and more than $1.8 million in cryptocurrency stolen from his accounts. ABC News reports: Seth Shapiro says that an AT&T employee allowed a hacker to swap his phone number from his phone to a separate device, which resulted in "the compromise of highly sensitive personal and financial information and the theft of more than $1.8 million," according to court documents. The process of so-called "SIM swapping" allows hackers a way to gain access to all the information tied to a phone number, potentially giving them access to every email, photo, app and more on the phone.

The complaint filed on Oct. 17 claims that while third parties had control over his AT&T wireless number, "they used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex." The digital currency "was accessed by the hackers utilizing their control over Mr. Shapiro's AT&T wireless number," the court documents added. The lawsuit alleges that hackers were able to access "accounts on various cryptocurrency exchange platforms, including the accounts he controlled on behalf of his business venture. The hackers then transferred Mr. Shapiro's currency from Mr. Shapiro's accounts into accounts that they controlled." "In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018," the complaint added.
AT&T told ABC News in a statement that they dispute Shapiro's allegations and shared information on how customers can help keep themselves safe from SIM swaps.

"We dispute these allegations and look forward to presenting our case in court," the statement said. "Customers can learn how to help protect themselves from this scam by going here -- https://about.att.com/sites/cyberaware/ni/blog/sim_swap."
  • I'm a little confused. So Mr. Shapiro kept his Bitcoin sitting on exchanges? I don't know much about Bitcoin but even I know that is a bad idea. Not your keys not your coins and all that.

    Or, did he keep his keys on his mobile phone? Also a bad idea. But, if he had his coins in a software wallet on his phone, why did the hackers have to get access to his accounts on the exchanges? It seems like he must have kept his Bitcoin there.

    I guess losing $1.8 million with no hope of getting it back is a downside of "b

    • Well it depends on the type of risks you're expecting, too. There's links to child pornography in the permanent Bitcoin transaction log, so if you store your own wallet you're also technically guilty of distributing child pornography.

      • There's links to child pornography in the permanent Bitcoin transaction log, so if you store your own wallet you're also technically guilty of distributing child pornography.

        Wrong. Your “wallet” is just a short key pair. One is the public key for receiving, and the other is the private key for spending. It looks like this:

        Public: 12QvKovmhy4LyBfFkhdD896KXpY1P5SJyj
        Private: 5KbGeky8ufx8rtsCuKPeU914Djqaymg7C21PjukUB2HBh6eT25g
        (Obviously, since posting this, this is a wallet no one should use since anyone would be able to spend from it)

        The thing you’re thinking about with the kiddie porn is the Blockchain, which at this point is too large for most people to down

    • Re: (Score:3, Informative)

      by Powercntrl ( 458442 )

      What happened was, the exchange the guy kept his crypto currency on utilizes SMS for two-factor-authentication.

      It’s like locking your bank vault with a TSA luggage lock (which are inherently insecure by design), then being surprised when someone breaks in.

      AT&T specifically has disclaimers in their TOS that inform you you’re not supposed to use their services as a means of securing access. It’s again, like suing the manufacturer of a TSA lock because your diamond got stolen from your l

      • by msauve ( 701917 )
        " the exchange the guy kept his crypto currency on utilizes SMS for two-factor-authentication."

        OK, that's one factor. How did the thief get the other? Unless all those exchanges allow full credential resets to anyone who has SMS (i.e. single factor) related to the account?

        I could see it if someone stole a phone which didn't have an access lock, and also had unprotected passwords stored on it. But simply getting access to SMS???
        • Probably because the first thing the hackers would do is reset his email password, using that same SMS reception.

          Then, they have both his email account and "his" cell phone, which is two factor.
          • by Megane ( 129182 )
            If one of the factors (the cell number as the origin of SMS messages) can be used to reset the other without human intervention, is it really two-factor authorization?
      • by crgrace ( 220738 )

        Why the hell did the guy keep almost $2 million in an exchange? After Mt. Gox, that guy who faked his death in India, and various other exit schemes, who could be that stupid?

        Maybe the whole story is BS.

      • by rtb61 ( 674572 )

        That individual also has to try to prove it was stolen. Anonymous account stuff, trying to prove it was stolen near impossible. Same as for anonymous tax haven bank account, anyone who gets the account details and password owns that account, end of story and yeah monitor comings and goings at tax havens and the computers and phones, well, hack those you gain access to those accounts, the first time the tax cheat et al tries to use them. How do you prove you own bitcoin, how can you sue for it, what value ca

        • by Xenx ( 2211586 )
          When looking at the value of a bitcoin it's no different than any other item that is given worth beyond its material components by humans. In fact, in the case of bitcoins, it's even easier than in some other cases. The coins are being traded at a specific rate at a specific time. You can even look at how it's trending if he wants to make an argument of lost earnings based on projected worth. You can estimate the maximum value between when the hack occurred and a reasonable future date.
          • The coins are being traded at a specific rate at a specific time.

            Bitcoin's value is based on the number of available buy orders on the exchanges. If you had 10,000 Bitcoin, you wouldn't actually have $95,168,200 worth in Bitcoin (as of this posting), because there isn't enough liquidity in the market to sell that many Bitcoin at once.

            • by Xenx ( 2211586 )
              I oversimplified, both for simplicity's sake and because I'd have to read up more. While the math is more complex, it still sounds easy enough to determine a reasonable price. Also, based on his claimed losses, I would estimate his number of coins to be closer to 200. I imagine it would be a bit easier to sell than 10,000.
            • If you had 10,000 Bitcoin, you wouldn't actually have $95,168,200 worth in Bitcoin (as of this posting), because there isn't enough liquidity in the market to sell that many Bitcoin at once.

              That's an assumption. There might or might not be enough liquidity to buy them all, we just don't know.
              Insurance works the same way. A house, for example, has an estimated value, no matter whether there is enough liquidity to sell it. Another example is a sports celebrity leg (for soccer) or hand (for tennis), they can't be sold but that doesn't mean they don't have a certain estimated value.

    • by DrXym ( 126579 )
      Sounds like the thieves did a password reset on his email account using the jacked phone number and then nosed through his email looking for accounts elsewhere and did the same to those. If he did hold currency on websites then more fool him. Either the thieves hit paydirt or this was a targeted attack.

      Aside from his questionable investments, these websites clearly have garbage security. Typically banks and other financial institutions will use multi factor authentication before you can log in and may hav
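The point raised in the msauve/Megane exchange and in DrXym's comment above (a phone number that can reset the other factor is really a single factor) can be checked mechanically. The following is an added example, not part of any poster's comment; the account names and recovery rules are constructed for illustration and do not describe any real exchange.

```python
from itertools import combinations

# Constructed recovery model. Each account lists alternative ways in; every
# way is a set of things the requester must hold at once (AND inside a set,
# OR between sets). A requirement may itself be another account.
RULES = {
    "email": [
        {"email_password", "sms"},       # normal login: password + SMS code
        {"sms"},                         # password reset: SMS code alone
    ],
    "exchange_sms": [
        {"exchange_password", "sms"},
        {"email", "sms"},                # reset link by mail, then SMS code
    ],
    "exchange_totp": [
        {"exchange_password", "totp_device"},
        {"email", "totp_device"},        # reset still needs the authenticator
    ],
}

def reachable(initial, rules=RULES):
    """Everything controlled by whoever holds the credentials in `initial`."""
    held = set(initial)
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for account, ways in rules.items():
            if account not in held and any(way <= held for way in ways):
                held.add(account)
                changed = True
    return held

def effective_factors(account, rules=RULES):
    """Smallest set of independent base credentials that opens `account`."""
    every = {c for ways in rules.values() for way in ways for c in way}
    base = sorted(every - set(rules))    # credentials that are not accounts
    for n in range(1, len(base) + 1):
        for combo in combinations(base, n):
            if account in reachable(combo, rules):
                return n, set(combo)
    return None

if __name__ == "__main__":
    for name in RULES:
        print(name, effective_factors(name))
```

An account whose `effective_factors` count is 1 is single-factor in practice, whatever its login screen asks for; in this model only the account whose reset path also demands the authenticator keeps two.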

  • As we move to a digital economy these risks increase. Banks use tokens and other multi-factor authentication; while not foolproof, they do minimize a mobile compromise. The carriers do need to step up security options. Joe six pack can not afford advanced protection but there should be moderate insurance. Crypto folks need to protect themselves better and thus will push up costs. Carriers can offer enterprise accounts with higher verification options.
    • It strikes me as a highly dysfunctional and abusive state of affairs that online account management interfaces across the board are leaning towards using cellphones for a secondary authentication factor because it's the only practical and universally standardized option on the market right now, but cellular providers have such a helplessly inept approach to security that it actually makes people more vulnerable, and this is only not common knowledge because the criminals are well enough informed to f

  • by mysidia ( 191772 ) on Friday October 25, 2019 @08:32PM (#59348764)

    The 1.8 million in damages is not caused directly by a failure on ATT's part, but indirectly or consequently.

    The theft is by a 3rd party hacker.

    The theft is probably unforeseeable to ATT at the time of contract formation -- as in the buyer does not notify the carrier of their intention to use their telephone as a security device to protect 1.8 million in crypto AND Negotiate suitable services, pricing and contractual terms with ATT taking this reliance into account.

    Hadley Vs. Baxendale - 1854 [legaldictionary.net]

    The court held that in order for a non-breaching party to recover damages arising out of any special circumstances, the special circumstances must be communicated to and known by all parties at the time of formation. Since Hadley failed to disclose his special circumstances to Baxendale, he was barred from the award of lost profits.

    • Re: (Score:3, Interesting)

      by Strill ( 6019874 )

      Of course it's foreseeable by AT&T. They already foresaw it and wrote a guide. They specifically mention adding additional authentication factors for securing financial accounts in their own guide. https://about.att.com/pages/cy... [att.com]

      • ...complete with weasel words: "The company encourages customers to add extra security measures to their accounts by creating unique passcodes. “If you create a unique passcode on your AT&T account, in most cases we'll require you to provide that passcode before any significant changes can be made,” the company said."

      • by mysidia ( 191772 )

        Of course it's foreseeable by AT&T.

        Do you read? Most people don't own anything close to a million in crypto, let alone rely on ATT to in any manner secure it.
        Your special circumstance is not reasonably foreseeable to ATT if you are one of those few people and you have not informed ATT of your special circumstance and had their acknowledgement of this as part of contract at the time you are forming the contract with ATT.

        The holding is to protect against cross-subsidization, that means protect low-ris

    • by Strill ( 6019874 )

      It's completely foreseeable. Two-factor authentication via phone is an industry standard for pretty much everything across the board.

      • No, it is not a "standard". It is just what a bunch of morons do.

        There are also bunches of morons who write their passwords on post-it-notes and stick them to the monitor. Is this an "Industry Standard" for remembering your passwords?

        There are bunches of morons who write the PINs for their Bank Card on the back of the card. Is this an "Industry Standard" for remembering and protecting the PIN?

        Just because a bunch of morons do the same thing does not mean that it is an "Industry Standard".

        • There are also bunches of morons who write their passwords on post-it-notes and stick them to the monitor

          Whoa there, a good password on a post-it is more secure than a bad password you can remember. Often having physical access to the post-it means also having physical access to the system anyway. If you can read a post-it on a monitor, you could have installed a keylogger instead if the post-it wasn't there.

  • If I had $1.8 million in crypto currencies I sure as hell wouldn't have access to it on my freakin phone.
    • This is obviously something that you'd store on your fridge instead.
    • I don't keep anything financially critical on my 'smart' phone. There's a PayPal account that I siphon a few hundred dollars at a time into. Nothing else.

  • by KermodeBear ( 738243 ) on Friday October 25, 2019 @11:20PM (#59349050) Homepage

    Cryptocurrency is absolutely superior. It's private and decentralized! It's a great way to keep The Man out of your life. All you need to do is have thousands of computers crunching numbers all over the world. And if you lose your account keys, that's okay! Your money is still there - you just can't ever access it again! Wow! And if your account is compromised and your FooCoins are stolen, that's okay! They're not gone, they're just in someone else's account - you'll never get them back, but they're out there somewhere! It's great! But at least money transfers only work if you have an Internet connection and they can take minutes or hours to complete "for real" because a confirmation isn't always really a confirmation, y'know. You gotta confirm that transfer a couple of times.

    Yup, banks with a simple transfer system and some kind of authority to correct and reverse criminal activity sure is archaic and stupid.

    • by qubezz ( 520511 )
      The exchanges hacked into are "banks", just like how bank accounts and systems are hacked all the time but don't make huge headlines. Bitcoins in your own wallet are quite secure if you take rudimentary steps to secure them.
  • Change headline, careless moron loses 1.8 million as he couldn't be bothered to learn very basics of keeping it secure and tries to blame others for his incompetence. Seriously using a phone number/SMS for anything beyond a chat forum has been the height of stupidity for years. It is like putting a Do not rob me sign on your front door and then suing the makers for the poor security it provided.
  • What's he doing with $1.8 million in criminal assets? Drug dealing? Human trafficking? "Consulting" for Trump &/or Giuliani?

    Anyone with more than a few thousand $ in crypto currencies should be investigated by the DEA & FBI.

    • Also, anyone who relies on minimum wage employees in call centres working for telcos to protect their financial information & access to their bank accounts should get a prize for stupidity.
  • I'm not an AT&T fan, but honestly, everyone who hides his money behind the "security" provided by his mobile phone number, is a hopeless fool, who deserves to part ways with his money. As for these tech firms that tout various "n-factor authentication" schemes integrating the aforementioned mobile phone number "security", it's them that deserve to be sued into bankruptcy.

