Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

Phone Authentication Isn't

[mentil]

Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

Re:Say what?

[mysidia]

WTF does the price of Bitcoin have to do with it?

The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevent. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and next statement period on the account; if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently only by reconciling statements with their accounting, Beyond that LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to..

I was expecting to favor the phone company

[gurps_npc]

But when I read they had promised they had put a security code in place but they had not done so, they lost it.

This guy took the appropriate steps, the phone company should pay up.

If you say you have security on your account but do not actually put it in, then you owe the customer money

How does he get around mandatory arbitration?

[schwit1]

T-Mobile isn't going to want this anywhere near a jury.