Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

Phone Authentication Isn't

[mentil]

Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

Re:Phone Authentication Isn't

[msauve]

"Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

Well, no.

The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.

Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.

Re:Phone Authentication Isn't

[tlhIngan]

phone/SMS thing is supposed to be only one factor in a multi-factor ID system.

Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor - they note that you cannot control phone numbers and a phone number does not necessarily lead to the phone in question.

And given the known vulnerabilities in SS7, it's entirely possible to take over a part of the phone network temporarily (especially cellular networks, which use SS7).

Thus, SMS is no longer valid as a mechanism for multi-factor ID - it's too vulnerable. It's part of the reason why everyone has moved to authentication apps.

Re:Phone Authentication Isn't

[msauve]

"Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor"

You are wrong. Use of the PSTN is now "RESTRICTED". "Delisted" is not even a category. Further, the guidelines specifically include the use of SMS:

The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:
...
Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).

Re:Phone Authentication Isn't

[tirnacopu]

Actually you both have referred to the correct source of information, but at different times: when Bruce Schneier mentioned this in 2016 at https://www.schneier.com/blog/..., the SP800-63b draft said "deprecated", it's now "restricted". Goes to show how difficult is to stay informed and compliant in this constantly changing threatscape.

Re:Phone Authentication Isn't

[msauve]

A draft is never normative.

Say what?

[msauve]

steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin,"

WTF does the price of Bitcoin have to do with it? If someone stole $20 from me 5 years ago and bought a Bitcoin with it, it's unreasonable for me to claim $9K in damages today.

Maybe the thieves then bought some coke off Silkroad and snorted it. Net Present Value, $0.

Re:Say what?

[mysidia]

WTF does the price of Bitcoin have to do with it?

The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevent. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and next statement period on the account; if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently only by reconciling statements with their accounting, Beyond that LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to..

Re:Say what?

[Comrade+Ogilvy]

In a civil case, it is always reasonable to suggest the replacement costs of that which was damaged or stolen. Judges and juries who agree with the plaintiff's argument regarding fault do not automatically accept such price numbers, for various reasons, including the prices swinging too much to set an obvious number.

Re:Say what?

[CaptainDork]

The damages are the market value ...

The play money has no value at all.

It's like saying someone stole his pet rocks.

Re:Say what?

[mysidia]

The damages are the market value ...

The play money has no value at all.

It's like saying someone stole his pet rocks.

The play money has no value at all.

It's like saying someone stole his pet rocks.

That's not true. The money had value at the time it was stolen Based on The fair market value (Or what the market would pay for the property at the time that property was stolen or changed without permission) and could have been sold by the legitimate owner for an amount of cash ---- therefore the lost property equal that amount of cash it could've been sold for instead (As of the point in time before the first unauthorized transaction) MINUS the worth of any amounts of $$$ or property that were successfully salvaged or returned.

Re:Say what?

[CaptainDork]

The money had value at the time it was stolen ...

"Money," in your context is fiat

In the pet rock analogy, the money had value at the time it was stolen ..

The market value of the pet rocks was imaginary and emotions.

You, know, like binary unicorns and stuff.

Re: Say what?

[CaptainDork]

The first thing the guy has to do is show damages.

That requires discoverable evidence.

Also, he has to show violation of contract on the part of the service provider.

Time will tell.

Re:Say what?

[mysidia]

"Money," in your context is fiat

The cryptocurrency is also considered a form of the money -- in terms of however much fiat the market says that cryptocurrency is worth during a particular day.

The government has already recognized that cryptocurrencies are cash-equivalent; if common marketplaces exists for trading them that establish their pricing and worth in fiat.

The market value of the pet rocks was imaginary and emotions.

No... the loss is similar to stolen gold. Your derogatory opinion regarding the fundamental worth of the cryptocurrency has no relevance to the case; the way it is decided what the monetary value of what was stolen is what people were willing to pay for that thing at the time of the theft by quoting its price from public marketplaces, if they exist --- marketplace quoted prices are verifiable and thus not imaginary, since they show the price of the goods for trade....

Just because the value of gold may fluctuate after the theft, or the thief may have traded the gold to something else before robbing the account does not mean the loss is something other than the fair market value the gold had at the time it was stolen --- the loss is not replacement value of the property LATER months after the theft, either, after the price may have gone to zero, anymore than the $$$ stolen would be reduced if the property was perishable goods such as milk that went sour while they were in the thief's possession.

Re: Say what?

[mysidia]

Hmm if it's like auto insurance, it would only concern the cost to replace the lost item.

That's because your auto insurance policy is actually a contract that specifies how the loss is to be determined and what insurance will pay you.

Generally if you are a business or investor --- then your loss from theft will be the retail dollar amounts on the lost item to include your Lost profits since you would or could have sold those items but the theft got in the way, or at least the number of dollars you paid for them ---- But if you are a consumer whose purpose for holding the property is not to hold as investment and/or resell at a higher price, or you make personal use instead, then the loss IS the lesser of the cost to restore the item by repairing the damage OR the cost on the aftermarket to replace your lost item with one of similar type and condition and remaining value to the one you lost - fulfilling the same personal use and remaining lifetime ---- for example, If your car was 10 years old at the time it was lost, for example, its value on the market depreciated over that 10 years from $30,000 to less than $1,000, that's what you would have gotten if you sold it -- when your car worth $1000 today is totalled: you're not entitled to a brand new car that is worth the original $30k, before your mileage and normal use came into play.

On the other hand, if you hold a classic car or a painting you bought for $100k as a collector's piece or investment, then that is an appreciating asset purchased not to be used or consumed --- but with the intention of profiting from it, and the loss from a theft would be an estimate of Fair Market Value based on expert opinions that would be more than you paid for it.

Re: Say what?

[EndlessNameless]

This is a stupid and naive point of view. Law enforcement will never eliminate black markets, so we need practical ways to address loss.

The assets controlled by that key have a market value. Theft of the key easily translates to theft of the assets. You can recover the value of lost assets either from the thief or from a party who was responsible for securing them. This is why most parking garages explicitly disclaim responsibility on the tickets---they do not want to be legally responsible for securing your vehicle and its contents.

The question here is whether TMobile is legally responsible for ensuring the integrity of his account and SMS communications. I'm not a lawyer so I'm not going to guess at the outcome of a trial. If I were TMobile, I'd probably just pay the ~$20K to avoid court and bad publicity.

Re:Say what?

[CaptainDork]

A lot of binary goods have value despite being purely nothing more than a number.

e-books.

e-books would have been a better analogy that failed.

Re:Say what?

[CaptainDork]

No... the loss is similar to stolen gold.

TL;DR right after I thought, "How much, precisely, does binary weigh?"

Re:Say what?

[CaptainDork]

How much does a cryptocoin weigh?

Maybe

[Murdoch5]

It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could of been enabled and disabled by the customer, and it's contents were not fully encrypted, to the point that it required an additional layer or security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

Re: Maybe

[WaffleMonster]

It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure.

CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security.

If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

If the account in question did not require at least 2FA+ to access, which could of been enabled and disabled by the customer, and it's contents were not fully encrypted, to the point that it required an additional layer or security to unlock, such as a TOTP ...
I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

What does encryption and 2FA have to do with T-Mobiles role in any of this? Sounds to me like your confused about the underlying issue.

Re: Maybe

[Maritz]

Oooh, big claim. No evidence offered. Probably because it's absolute bollocks.

Maybe they have an old code, but it checks out, right?

Re: Maybe

[Murdoch5]

CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

Which is a major issue, under no circumstance should a carrier be able to see into a persons account, without the person in question providing security keys or turning off account level encryption.

If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology. The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

What does encryption and 2FA have to do with T-Mobiles role in any of this? Sounds to me like your confused about the underlying issue.

If you give someone an account and nothing stops a customer service rep from getting into that account, or resetting access to that account, that would be a major security violation. Accounts should always be stored in such a way as to prevent anyone but the user of that account from gaining access, or changing access details, 2FA and encryption help to stop this problem through validation of the account holder.

Re: Maybe

[WaffleMonster]

Which is a major issue, under no circumstance should a carrier be able to see into a persons account, without the person in question providing security keys or turning off account level encryption.

How do they send out bills, manage and provision access if they can't see into a persons account?

I think you mean to say access controls or masking rather than encryption. Encryption makes no sense in this context. The carrier owns subscriber data NOT the customer.

I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology.

Hard to interpret the words "think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully" in any other way than a prayer for legal precedent.

The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

The IT community is NOT EVER going to discredit ITSELF. I've had a front row seat for centuries as the entire industry blissfully got away with doing stupid shit. Low hanging fruit stupid it knows full well is wrong yet they can't help themselves. They hide behind "EVERYONE DOES IT". The "IT community" is a bunch of spineless followers.

Perhaps 1000 years from now when:

- EVERYONE is no longer entering passwords into adhoc web forms
- Give up insecure authentication protocols (e.g. CHAP/Kerberos).
- No longer rely entirely on automated procedures based on feedback from insecure protocols (eg DNS and HTTP) to establish trust relationships (PKI)
- When banks and ecommerce sites stop filling their pages with faux padlock gifs and meaningless assertions of security.
- When anyone in the world can't put whatever the hell they please in the FROM line of an email with an executable payload and the recipient have no clue.

In 1000 years come back and talk to me about security and IT community discrediting itself. Until then I'll keep laughing my ass off at any and all such assertions.

If you give someone an account and nothing stops a customer service rep from getting into that account, or resetting access to that account, that would be a major security violation.

I agree from what is know about T-Mobile case if the customer went out of their way to setup a security procedure to authenticate themselves and T-Mobile failed to live up to their end they should be on the hook for something.

Yet to assert customer service reps bringing up accounts is a major security violation is not something I agree with.

Accounts should always be stored in such a way as to prevent anyone but the user of that account from gaining access, or changing access details, 2FA and encryption help to stop this problem through validation of the account holder.

The account MUST be available in a form accessible to the provider in order to provide and manage service. It can't as a practical matter be encrypted and accessible to nobody but the end customer. This is not a reasonable position to have. It's a complete nonstarter.

If a provider offers enhanced security for CSR access to accounts and the user takes them up on it... god bless. If you think everyone should be required to OFFER some kind of enhanced security... physical token cards, encryption keys then god bless... work to build consensus for that position.

Otherwise in the real world EVERYONE does stupid shit.. check caller id, ask for an SSN or PIN...etc. The only credible alternative are physical trips to a physical office with government issued IDs in hand. This wastes a tremendous amount of everyone's time and resources and simply isn't worth doing by default even if it prevents some fraud.

Nobody is deploying key fobs or encryption keys to their customers by default and even if it did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The change of IT driving such change is zero.

Re: Maybe

[Murdoch5]

I'm going to take your reply out of order:

Nobody is deploying key fobs or encryption keys to their customers by default and even if it did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The change of IT driving such change is zero.

Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure. If we need to look into something, such as a product failure, the customer has to go into the software and send us a version of the key that is a one time hash. Once we have that we, we gain access to the key and read the log files. Once we're done, the key is automatically regenerated and once again we're locked out. You can't say, "Nobody is deploying keys fobs or encryption keys", when responsible companies are.

I'm not the only person doing this, you can find many companies that will, for instance look at ProtonMail, they have the same approach and there are several electronic lab book tools that function the same way, amount others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same, "This is how a responsible company handles security, if you want to use insecure devices, go ahead, but I'll never sell you one.".

The account MUST be available in a form accessible to the provider in order to provide and manage service. It can't as a practical matter be encrypted and accessible to nobody but the end customer. This is not a reasonable position to have. It's a complete nonstarter.

I answered this above, but this is very doable and reasonable. There is no reason I have to access one of my customers accounts, without their consent. If there is an issue they need to resolved or something they would like looked into, they have to go provide us access, much in the same way as the device access I explained above. This system would be great for mobile carriers, as they have no reason to go into my account, unless I allow it.

I agree from what is know about T-Mobile case if the customer went out of their way to setup a security procedure to authenticate themselves and T-Mobile failed to live up to their end they should be on the hook for something.

I don't want to say your lying, but it sounds like you don't agree at all to this point. The measures I'm explaining are to make sure that the person who can access the account, does access the account. If the customer doesn't want someone in their account, then it should be so, but currently, as far as I'm aware, no North American carrier allows anything close to this level of reasonable protection.

- EVERYONE is no longer entering passwords into adhoc web forms
- Give up insecure authentication protocols (e.g. CHAP/Kerberos).
- No longer rely entirely on automated procedures based on feedback from insecure protocols (eg DNS and HTTP) to establish trust relationships (PKI)
- When banks and ecommerce sites stop filling their pages with faux padlock gifs and meaningless assertions of security.
- When anyone in the world can't put whatever the hell they please in the FROM line of an email with an executable payload and the recipient have no clue.

There are points that need to be driven home to the average person, there good points to make, and people in the technology field should be driving them home.

-You really shouldn't be using passwords, unless it's as a first factor method of authentication, and even then, use something like a YubiKey.
- Excellent point on insecure authentication protocols, they should be activity discontinued and even blocked.
- A good firewall should block all HTTP request and as people move onto Secu

Re: Maybe

[WaffleMonster]

Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure.

Good for you but TFA is about Telecom services provided to mortals not "IoT enhanced products". It's hard to parse any relevant point of similarity from this. The issue of encrypting data was in no way relevant to TFA.

The issue was a CSR failing to authenticate account holder requesting an account change. The carrier was managing account information all mobile carriers are required to possess in order to provide service.

I'm not the only person doing this, you can find many companies that will, for instance look at ProtonMail, they have the same approach and there are several electronic lab book tools that function the same way, amount others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same, "This is how a responsible company handles security, if you want to use insecure devices, go ahead, but I'll never sell you one.".

Sorry you lost your encryption key... the phone number you had for the last 40 years doesn't work anymore and there is nothing you can do to get it back. Sorry but hey at least we are serious about handling security...?

I hope you can see how a niche Email service whose raison deter is SECURITY has nothing on earth to do with practical issues facing mobile carriers with normal human beings as customers.

I answered this above, but this is very doable and reasonable. There is no reason I have to access one of my customers accounts, without their consent.

You seem to be mapping your experience on to something else entirely and assuming they are the same.

The point is that there should be no way for a customer service rep, to see the account, or preform control functions, without the account user letting them.

The point of contention from TFA is modalities surrounding "account holder letting them".

When you setup one of my devices, it warns you a number of times to backup your password, as if you lose it, we can't do anything to get you into your account.

While it may well work for your purposes this is a nonstarter for mobile telecom with millions of mortals as customers.

-You really shouldn't be using passwords, unless it's as a first factor method of authentication, and even then, use something like a YubiKey.

Who are you to tell me what I should or should not be doing? Security is a set of TRADEOFFs. Everyone has different value judgments.

A good firewall should block all HTTP request and as people move onto Secure DNS.

Secure DNS is currently a massive unpatched DDOS amplification vector that puts the network at considerable risk while solving nothing PKI hasn't already addressed.

It's not like anything resolved by DNS queries are themselves secure. BGP isn't secure and the network is inherently untrustworthy. What difference does secure naming service really make?

All email should be encrypted, PERIOD! All of my customers have to use secure mail to contact my companies.

Who are you to decide this for me? Maybe a cryptographic signature is sufficient for my purposes. Perhaps I WANT content to be public or be evident on the network for management/transparency purposes. Telling people what they should or should not do because of what you personally think is important misses the reality people only care about what is important to them.

In regards to billing, the system should watch the usage data and bill based on that, which wouldn't affect the account security

To bill usage you need to know who th

Re: Maybe

[Murdoch5]

Your entire reply sums up to: "It's hard, annoying and I'm going to cry about it"

Everything I talked about is practical and reasonable, and security is the most important first consideration in todays society. People enjoy living easy, insecure lifestyles, that are a mess of digital footprints and poor electronic habits, and it's up to people who know better to get them to stop. If your entire argument is you're going to do what you want and no one should force you to do it in a secure way, then you're part of the problem, everything I listed is reasonable and any reasonable tech company or electronic service company should strive towards and beyond it.

Re:Well sure

[BronsCon]

Buy T Mobile, our phones suck and our prices are high

T-Mobile has the same Samsung Galaxy S8 and iPhone X as AT&T, Sprint, and Verizon and, with Sprint as the possible exception, has better pricing than the rest. The fuck you talkin' about?

I was expecting to favor the phone company

[gurps_npc]

But when I read they had promised they had put a security code in place but they had not done so, they lost it.

This guy took the appropriate steps, the phone company should pay up.

If you say you have security on your account but do not actually put it in, then you owe the customer money

Re:I was expecting to favor the phone company

[CaptainDork]

The promise to pin-protect better be discoverable, otherwise it didn't happen.

Re:I was expecting to favor the phone company

[gurps_npc]

If they made any effort at all to do it, there will be e-records of the attempt.
If it was done on the phone, there should be some note to do it.

Re:I was expecting to favor the phone company

[CaptainDork]

The pin is set at the carrier and they have precisely the same technology as you and I do, including a Delete key.

A pin on the PHONE is not of any help. He didn't lose custody his hardware.

Re:I was expecting to favor the phone company

[vux984]

I see your argument, but I'm not sure the phone company can be held liable for losses unrelated and beyond the phone services.

I mean, suppose you'd hired a locksmith to replace the lock on your car door. And he bungled it, and your car was ransacked, and its contents emptied, and then it was set on fire.

Would the locksmith be liable? or is this going to land on your regular car insurance?

I did a quick skim of what locksmith insurance coverage looks like, and it would cover damage or injury caused by the lock. (e.g. if you left an exposed edge and it cut someone, or the tock wasn't aligned properly and damaged the door itself and the door needed replacing, that would be covered. But it doesn't look like the locksmith is liable for losses due to theft if the lock is faulty. That would be your regular theft insurance.

But even, if we think a case against the locksmith is viable then suppose then that inside the glove box you had left the account information and passwords for your offshore bank accounts worth 200 million, and they get drained.

Is the locksmith really liable for that loss too? I'm not buying it.

Re:I was expecting to favor the phone company

[CaptainDork]

If it was done on the phone ...

vs

If it was done over the phone ...

Re:I was expecting to favor the phone company

[gurps_npc]

If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it.

The phone company did a lot more than merely fail to provide a lock, they actively helped the guy steal stuff.

If they hadn't promised a lock, than their help could be described as incidental - guy left things unlocked, they had a reasonable belief they were helping the actual owner. But when they promised the lock but fail to delier, any and everything they did to help the criminal makes them an accessory.

Re:I was expecting to favor the phone company

[vux984]

"If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it."

Really? By that logic the bank teller cooperating with the guy with the gun is now an accomplice because 'they physically helped' with the crime. Obviously, the bar is a little higher than that.

If the locksmith assisted the theives that's quite different from the thieves taking advantage of a mistake the locksmith made.

" But when they promised the lock but fail to delier, any and everything they did to help the criminal makes them an accessory."

Yes, to an extent I DO see that.

But if you gaurd something really valuable, would you hire a few illegal day laborers off the street as your security?

Likewise, trusting minimum wage outsourced randos in customer service at a telco to be the lynchpin in your personal security chain is pretty stupid.

I don't trust those guys not to screw up my voicemail when I change rate plans. I wouldn't put them on the critical path of security for my investment accounts.

You want to hold someone accountable? Might as well hold the idiot company that suggested using your phone SMS as 2FA; THEY also should have known that the sanctity of your cellular account is in the hands of minimum wage outsourced randos.

Your phone company though, never promised you much of anything; except that if they do fuck up, they'll give you a few bucks credit on your bill and fix it. That's my issue here, much as I hate the telcos... they didn't promise they were competent to be THE lynch-pin in your personal security system protecting all your most valuable assets.

Re:I was expecting to favor the phone company

[Obfuscant]

But when I read they had promised they had put a security code in place but they had not done so, they lost it.

Yesterday (the day after this story was posted), I got an SMS from T-Mobile:

T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: ...

Re:It's a phone.

[avandesande]

That's not what is happening here. People will set up account recovery with their phone used as a relay for a recovery pin. Most likely he has some kind of online wallet linked to it.

T-mobile's security is shit

[MatthiasF]

I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

They need to let you choose your own login account names and some security questions.

Just way too lax helping you keep your account secure.

Re:T-mobile's security is shit

[Obfuscant]

Just way too lax helping you keep your account secure.

Hey, it's better, at least. At one point they were relying on client-side javascript for security.

They need to let you choose your own login account names

As many cell services do, they run an SMS/email gateway. It USED to be that you could select your own username. E.g., foobear@tmomail.net. You could give that to someone so they could send you SMS via email and they wouldn't have your phone number, too. You could change it if they became a problem. They dropped that with little to no notice, so now if you tell someone your cell's email address they also have your phone number. Makes the service a lot less usable.

and some security questions.

Be careful what you ask for. United Airlines decided to add "security questions" to their website, and they appear almost every time you go there to do something urgent. They set the system up with a handful of questions with a PRESET list of answers. "What's your favorite musical instrument?" Things that I can't remember the "right" answer to because none of them are right to begin with. You also cannot just remember "first one on the list" because they scramble the order every time they ask. Sigh.

Re:T-mobile's security is shit

[mentil]

It's far too easy for people to break in since all you need is the phone number and some personal information.

Good thing the security is rock-solid for the gatekeepers of people's personal information: TransUnion, Experian, and Equifax.
Oh, wait...

Also, answers to security questions tend to boil down to 'personal information'. What's REALLY needed is some kind of interactive test that gets at the core of how someone thinks, in a way that's stable over time, and the exact test can be slightly randomized each time yet the results will always be verifiable as a particular person. Like imagine the Google 'choose all the pictures of Roads' only more subjective, like 'choose all the randomly-generated images you find to be very pleasing'.

Re:T-mobile's security is shit

[kyncani]

They could call and send you an email at least, asking if you really want to make the change.

Re:T-mobile's security is shit

[sh00z]

I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

They need to let you choose your own login account names and some security questions.

Just way too lax helping you keep your account secure.

If you're stuck with crappy pre-defined security questions for which a hacker could find the correct answer, you just need to use "secure" answers! Father's middle name? Oldsmobile! First school you attended? Burrito!

Re:T-mobile's security is shit

[Khyber]

Why are you using a shitty NVMO when you should use a good MVNO instead?

Re:It's a phone.

You stored thousands in coins on your phone. YOUR PHONE! Stupid is as stupid does.

No, he didn't store it on his phone. HIS PHONE!
It was however his two factor number used for the SMS to verify it was him logging in.
Let that be a lesson to anyone that thinks using your phone number for two factor is a good idea.

Re:It's a phone.

[sg_oneill]

You stored thousands in coins on your phone. YOUR PHONE! Stupid is as stupid does.

Before throwing around accusations of stupidity I suggest actually reading the article.

Re:T-Mobile is not a bank

[gravewax]

regardless you should not be using your phone number to secure something of value. that is just braindead on the part of the user.

Re:It's a phone.

[gravewax]

That's not what is happening here. People will set up account recovery with their phone used as a relay for a recovery pin. Most likely he has some kind of online wallet linked to it.

and that is somehow better? if anything that is even worse. at least a phone you can have encryption, password/pin protection etc.

Re:Don't Worry T-Mobile

[_Sharp'r_]

I'm sure T-Mobile will use some weasel words in their terms on conditions to say they aren't responsible for anything beyond the lost wireless service time.

The thing which will argue against that is in your example of the security guard only able to lose his job, to better fit the circumstances the security guard would have agreed to require a secret code (say, a PIN) to validate visitors and instead he told the burglars to come right in, no code required, let me open the door for you. That may still get him in trouble as an accessory, because at that point he's actively assisting the criminals against what he agreed to do as his job.

T-Mobile, as represented by their employees, took a proactive measure to assist the criminals in violation of what they had agreed with the customer to do. Damages directly attributable to that action have a decent shot at an equitable remedy where T-Mobile has to make the guy whole, i.e. pay for his losses.

Mmmmm. Bitcoin and Cellphones...

[mark_reh]

Now there's a match made in heaven! The least secure form of "currency" or "investment" managed via the least secure form of electronic surveillance / communications device.

Who could have foreseen this sort of problem?

Re:A simple, effective security precaution

[darkain]

From TFS: "The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it."

So, yes, in theory it is a great idea... when actually implemented.

How does he get around mandatory arbitration?

[schwit1]

T-Mobile isn't going to want this anywhere near a jury.

Re:How does he get around mandatory arbitration?

[sizzlinkitty]

Some states don't allow mandatory arbitration, like California. I'm not sure if Washington does, but its a possibility.

Re:How does he get around mandatory arbitration?

[schwit1]

SCOTUS upheld federal law permitting mandatory arbitration, which trumps state law

https://www.reuters.com/articl...

e-mail notification problem

[goombah99]

This is exactly why I have two e-mail accounts. One for daily use on the phone and one for banking not on the phone. The annoying thing is that makes the banking one hard to check easily. I can't get notifications. And those might be time sensitive.

I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.

Phone customers want poor security

[FeelGood314]

Do you really think the phone company enjoys your grandmother calling them and saying she lost her phone and then trying to get her new phone working with her old number? That is the typical phone customer. You can't have good security with most people because they have no good way of authenticating themselves. I spend an hour on the phone with Revenue Canada last week and the first 3 people I spoke to couldn't authenticate themselves, the first thought giving me a number to call them back at was good enough. (My MP is looking into it)

T-mobile knew this so they claimed to add a real layer of security, except according to the plaintiff they never followed through in enforcing it.

As for the price of bitcoin, it is hard to sell OmiseGo tokens for cash but easy to sell them for bitcoin. The thieves stole the OmiseGo, converted them to bitcoin and then sold the bitcoin. That is why the plaintiff is claiming the value of the bitcoin sold.

Re: Well sure

[BronsCon]

Don't worry about that idiot; he hasn't actually looked at T-Mobile in over a decade. Sure, their network used to suck, but so did every other network at some point or another; T-Mo has put more into expanding their network in the last 5 years than the other 3 combined and it's paid off big time.

Multifactor authentication is a scam

[WaffleMonster]

People are being mislead enmasse into believing 2FA exists to protect them and enhance security when reality is this technology is pushed almost exclusively in public settings as a means to not have to deal with people forgetting their passwords.

Automated reset facilities result effectively in factor x OR factor y rather than factor x AND factor y. This predictably results in a significant reduction of security in the name of not having to deal with considerable administrative burden of "I forgot my password".

Those marketing 2FA as an enhancement to security deserve to be on the receiving end of lawsuits for their deceptions.

Re:Multifactor authentication is a scam

[WaffleMonster]

You are an idiot.

No shit.

2FA has nothing to do with what you described.

This should be obvious to all. My comments had absolutely nothing to do with 2FA as an idea or technology.

They were limited exclusively to IMPLEMENTATION of technology.

2FA as actually deployed in majority of public facing environments is provably LESS SECURE than passwords alone.

Re:Multifactor authentication is a scam

[WaffleMonster]

2FA is more secure than username/password authentication. Take a break from arguing reality.

Had you have RTFA you would have found out second factor (Smartphone) was used to bypass having to know users password by leveraging automated password reset facility.

Re:Well sure

[Maritz]

But the important thing is that diverse babies are really important. Anybody that doesn't think diverse babies are really awesome must be Hitler. Buy T Mobile, our phones suck and our prices are high, but diverse babies.

What is that drivel supposed to mean?

Re:Good luck with that, dude

[Maritz]

If he can show that they were supposed to apply a PIN but did not, he's got a fairly solid case. Will cost him an awful lot though, the US judicial system is not supposed to be utilised by ordinary plebs unless they're in the dock.

SIM swap fraud

[MoHaG]

This type of attack is quick common in South Africa, where it is called SIM swap fraud.

In most cases, a corrupt employee at a store of the network assists criminals to obtain a new sim for a customer's account. They then use that, with credentials obtained elsewhere (likely phishing) to get into the user's internet banking and transfer money away.

Using push notifications to an app prevents this. Other things that work is to use HOTP or TOTP tokens instead.

Re:SIM swap fraud

[MoHaG]

This seems to be a case of a fraudulent port of the number though... Here the subscriber needs to confirm before a port is allowed to take place.

It also seems to be a password reset token, not a normal 2-factor auth...

(The main way to deal with that, would likely be to send a code/confirmation link to both the user's email and phone) (Chances that both are compromised is much lower...)

This is why we need identity companies.

[BlueCoder]

The way it should work is that you confirm you identity with an identity provider. Other companies verify with them. Authorization has to be digitally signed by multiple parties. These companies would have specific procedures for recovering identities and would free other companies from having to deal with it. The procedures you agree to with the identity company are binding and chosen by you.

This is why you have key fobs which can even be Bluetooth. Unhackable as they only receive and transmit data. Which you should only use like a digital signature. How often would a person use their signature back when people used checks? Don't let web sites to force you to use them for signing in or accepting EULA's.

Re:Just call up BitConnect's fraud protection numb

[djrosen]

https://support.coinbase.com/c...
"If you are a United States resident, your Coinbase USD Wallet is covered by FDIC insurance, up to a maximum of $250,000"

Re: T-mobile?

[parkinglot777]

Because his number was ported to AT&T.

All the criminal activity happened at the AT&T' side.

But it ridiculous to go after T-Mobile, they released the number after being given the correct info on the port request, and restored the number after netting told the request was fake.

Moral of the story is to keep your personal data private. Nobody did anything wrong here except for the hackers.

Did you really read TFA? You just assume that so called "hacker" in the story really did the hack? This is another misused case of the word "hacker"...

Carlos Tapang of Washington state accuses T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th last year. The hackers then cancelled his number and transferred it to an AT&T account under their control. “T-Mobile was unable to contain this security breach until the next day,” when it finally got the number back from AT&T, Tapang alleges in the suit

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

The thief called up T-Mobile support and social engineered the right person to change all information and gain access to the number, and then the person transferred the number to AT&T. Now you tell me why AT&T should be responsible? Also, nobody give personal info to anyone. Most information you need to do this kind of thief is usually in public. It is all about skills to find the right person to talk to on the other line.

Re:It's a phone.

[avandesande]

How am I saying this is better? I am just explaining what happened.

Re:T-mobile?

[wardrich86]

AT&T-Mobile

Re:This is a problem always

[JackieBrown]

The suites are fleshies, silly. I really hope this term doesn't catch on.

Use a burner phone under assumed name?

[knorthern+knight]

If I had that much money backed by a phone number, I'd get a $10/month PAYG (Pay As You Go) phone under an assumed name. Say your name is "Joe Blow". Bad guys know it, and can find the number associated with that name. They know which phone number they have to socially engineer.

But if you have a burner phone, under the name "Jane Doe", that you use to receive SMS confirmations, that'll be more secure. Obviously, have the phone rooted, and Google/Facebook/etc "cr-apps" removed, and don't give out that phone number to anybody except the service you're securing with it.

And if the bad guys can find out your "Jane Doe" number from the digital coin company that you use it for, I'd say they've already been pwnd to the max.