Slashdot Mirror


Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com)

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter a customer's wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the surge.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

13 of 133 comments

  1. Phone Authentication Isn't by mentil · Score: 5, Insightful

    Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Phone Authentication Isn't by msauve · Score: 3, Insightful

      "Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

      Well, no.

      The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.

      Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Phone Authentication Isn't by msauve · Score: 2
      "Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor"

      You are wrong. Use of the PSTN is now "RESTRICTED". "Delisted" is not even a category. Further, the guidelines specifically include the use of SMS:

      The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:
      ...
      Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Phone Authentication Isn't by tirnacopu · Score: 2

      Actually you both have referred to the correct source of information, but at different times: when Bruce Schneier mentioned this in 2016 at https://www.schneier.com/blog/..., the SP800-63b draft said "deprecated"; it's now "restricted". Goes to show how difficult it is to stay informed and compliant in this constantly changing threatscape.

  2. Maybe by Murdoch5 · Score: 3, Insightful

    It sounds like AT&T or T-Mobile (not sure which carrier) was absolutely, partially at fault for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP, then they are at fault for not providing a reasonable and responsible security level for the account access.

    However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

    This entire problem seems to be a classic and disturbing case of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

  3. Re:Say what? by mysidia · Score: 4, Insightful

    WTF does the price of Bitcoin have to do with it?

    The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevant. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and the next statement period on the account, if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently, only by reconciling statements with their accounting. Beyond that, LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to.

  4. Re:Say what? by Comrade+Ogilvy · Score: 3, Informative

    In a civil case, it is always reasonable to suggest the replacement costs of that which was damaged or stolen. Judges and juries who agree with the plaintiff's argument regarding fault do not automatically accept such price numbers, for various reasons, including the prices swinging too much to set an obvious number.

  5. I was expecting to favor the phone company by gurps_npc · Score: 4, Insightful

    But when I read they had promised they had put a security code in place but they had not done so, they lost it.

    This guy took the appropriate steps, the phone company should pay up.

    If you say you have security on your account but do not actually put it in, then you owe the customer money.

    --
    excitingthingstodo.blogspot.com
    1. Re:I was expecting to favor the phone company by CaptainDork · Score: 2

      The promise to pin-protect better be discoverable, otherwise it didn't happen.

      --
      It little behooves the best of us to comment on the rest of us.
  6. T-mobile's security is shit by MatthiasF · Score: 2

    I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

    They need to let you choose your own login account names and some security questions.

    Just way too lax helping you keep your account secure.

  7. Re:Say what? by mysidia · Score: 2

    The damages are the market value ...

    The play money has no value at all.

    It's like saying someone stole his pet rocks.

    That's not true. The money had value at the time it was stolen, based on the fair market value (or what the market would pay for the property at the time that property was stolen or changed without permission), and could have been sold by the legitimate owner for an amount of cash ---- therefore the lost property equals that amount of cash it could've been sold for instead (as of the point in time before the first unauthorized transaction) MINUS the worth of any amounts of $$$ or property that were successfully salvaged or returned.

  8. How does he get around mandatory arbitration? by schwit1 · Score: 4, Interesting

    T-Mobile isn't going to want this anywhere near a jury.

  9. This is why we need identity companies. by BlueCoder · Score: 2

    The way it should work is that you confirm your identity with an identity provider. Other companies verify with them. Authorization has to be digitally signed by multiple parties. These companies would have specific procedures for recovering identities and would free other companies from having to deal with it. The procedures you agree to with the identity company are binding and chosen by you.

    This is why you have key fobs, which can even be Bluetooth. Unhackable as they only receive and transmit data. Which you should only use like a digital signature. How often would a person use their signature back when people used checks? Don't let web sites force you to use them for signing in or accepting EULAs.