US investor sues AT&T for $224 million over loss of cryptocurrency

AT&T gets sued over two-factor security flaws and $23M cryptocurrency theft

A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency. The damages sought include the $24 million Terpin lost and $200 million in punitive damages which, as the complaint notes, "might attract the attention of AT&T's senior management long enough to spend serious money on an acceptable customer protection program and measures to ensure that its own employees are not complicit in theft and fraud".

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts.

That six-digit extra security step was introduced after Terpin says his account had been targeted - and hacked - six months earlier through the same approach. That being the case, it's not terribly surprising that a prominent crypto investor who lost almost $24 million in stolen tokens is suing AT&T for a whopping $224 million.

The precise details of how Terpin's tokens were stored are not currently known.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says. By the time he regained access, $23.8m in bitcoin had gone missing, he claims.

The court documents claim the company's employees "actively cooperate with hackers in SIM swap frauds by giving hackers direct access to customer". Fraud can occur when a provider is tricked into transferring a victim's phone number to a SIM card that is run by a hacker, who can use access to the phone number to reset passwords and log in to the victim's online accounts.

The big legal question of course is whether AT&T is then liable for what is done with that access.

The insane part is that all of the above happened 5 months before the $24 million theft took place.

After all, a hacker would still have required Terpin's username and password to access a secure cryptocurrency wallet.

Last week, security journalist Brian Krebs reported that a 25-year-old Florida man was arrested for being part of a multistate SIM swap scam ring, using the technique to steal bank accounts. The lengthy claims for relief rely heavily on California business law and contractual arguments - which is rarely a good sign when going up against a huge corporation. Terpin claims that after the initial breach, he was promised "the highest level of security for his account".
