U.S. investor Michael Terpin has filed a lawsuit against AT&T, accusing the company of allowing thieves to change his phone number and then use it to steal $24 million worth of his cryptocurrency.
A Victim of SIM Swap Fraud
Terpin co-founded the first angel group for Bitcoin investors, called BitAngels, in 2013. A year later, he co-founded the first digital currency funding group, BitAngels/Dapps Fund.
In January, Terpin was robbed of millions of cryptocurrency tokens, worth $23.8 million at the time. According to Terpin’s lawsuit filing, the attack happened through what is called a “SIM swap fraud.” Criminals use this relatively common tactic to transfer a victim’s phone number to their own phone by contacting the wireless carrier and pretending to be the victim.
The complaint says:
“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”
Criminals employ this tactic because many internet services and their users still rely on SMS-based two-factor authentication (2FA) to protect accounts, despite the National Institute of Standards and Technology having declared this method of authentication no longer secure more than two years ago.
Terpin now wants AT&T, which he considers the sole responsible party for the attack, to give him the $24 million back, as well as pay him an additional $200 million as punitive damages. AT&T said that it disputes the allegations.
Yet Another Lesson In SMS 2FA Insecurity
What happened to Terpin is yet another lesson that you can no longer rely on SMS 2FA codes alone to protect any of your online accounts, whether for email, social media, or banking services. SIM swap fraud and SS7 hacks have been demonstrated many times over the past few years, and the number of such incidents will likely keep rising in the coming years as more criminals learn how to carry them out.
In contrast, as Google recently reported, accounts protected by hardware security keys, such as Universal 2nd Factor (U2F) tokens, have proven to be “un-phishable.” That means accounts protected by U2F tokens no longer depend on the user’s or a third party’s vigilance to ensure they aren’t tricked by criminals into handing over account credentials.
A U2F token registers a separate key pair for each website, bound to that site’s origin, so a look-alike site at a different address cannot obtain a valid response from the token. And unlike a phone number, which a carrier can move from one SIM card to another, the private keys stay inside the token and cannot be exported, so they remain in your possession.