Slashdot Mirror


Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com)

An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.

120 comments

  1. Oh no! by Rei · · Score: 0, Flamebait

    "Your security weaknesses allowed someone to steal my pretend money!"

    I imagine that in his lawsuit he's valuing the currency at the then-value (as of early January) rather than the present value. Because if it was present value, not only would the losses be much smaller, but AT&T could just keep dragging the lawsuit out until the losses would be so small as to be meaningless ;)

    --
    I believe Bird-Person can arrange that.
    1. Re:Oh no! by The+New+Guy+2.0 · · Score: 0

      The court will most likely rule that he's owed BitCoins, not dollars if he wins... wonder how that'll pan out for him if that happens.

    2. Re: Oh no! by tysonedwards · · Score: 2

      This is the literal case of intellectual property being stolen and rendered unusable by its owner. From a precedent standpoint, would this be functionally different than industrial espionage or destruction of property? Further, as he only had a contractual relationship with AT&T, who was the responsible party to facilitate the transfer of service.

      --
      Thirty four characters live here.
    3. Re:Oh no! by KiloByte · · Score: 4, Insightful

      It doesn't matter what got stolen. These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue such an item would have but to what the market pays. If that kind of old bottle caps is typically sold on collectors' auctions for X quatloos, the judge will assume a value somewhere around X. Bitcoin is just easier to appraise than most items.

      The guy requested multiple additional means of protection, which AT&T agreed to implement. It's not the plaintiff who got repeatedly phished, it was AT&T.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Oh no! by arglebargle_xiv · · Score: 1

      That's actually one legitimate way to monetise your TulipBulbEtherCoin, you set up your own exchange and do an ICO and all the other stuff, value your imaginary money at eleventy googleplex dollars, sue someone with deep enough pockets, and eventually settle for a few billion or so as compensation. Profit!

    5. Re:Oh no! by Anonymous Coward · · Score: 0

That is certainly what they would rule if he wins. He isn't allowed to pretend he was going to sell at each coin's all-time high.

If they did that, he would be given enough money to cover whatever Bitcoin's cost is at the time of judgement.

    6. Re:Oh no! by Anonymous Coward · · Score: 0

      Very true. That being said, AT&T isn't the only party to blame. A "2-factor authentication" that can be defeated by hijacking a phone number isn't 2-factor at all - it's just replacing one attack vector with a new one that's easier to exploit.

    7. Re:Oh no! by Anonymous Coward · · Score: 0

Yeah, not only that, but AT&T's liability for protecting his account, or failure thereof, is or otherwise should be limited to the assets thereof which are being protected, not some third-party loss that occurred because of his use of poor third-party products that utilized a phone which was never advertised by AT&T as being an authentication mechanism. AT&T is at best guilty of making a contract (promise to secure the account) they didn't live up to, but there is or should be little if any financial liability here for AT&T.

    8. Re:Oh no! by CaptainDork · · Score: 1

      I agree, but I wonder about of value.

Precisely what was crypto going for at the time of the theft?

      Can theft be proven?

      Isn't crypto all about anonymity?

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:Oh no! by Anonymous Coward · · Score: 0

      "but I wonder about of value."

      Crammar detected.

    10. Re:Oh no! by Anonymous Coward · · Score: 1

      Pretty much.

      And having worked for one previous company that is now part of the current monster AT&T, I can pretty much tell you how this account hijack went, because every rep has a version of this story.

      1) A male or female voice will have all the right VID (Verified Identification) and want to cut off this account from their abusive spouse
      2) There will be notes on the account not to fuck with the account, sometimes multiple notes because it's happened multiple times
3) The representative (usually at the store) can't see these notes because they're at the wrong part of the account, either the billing account (the one that is your "AT&T" account) or the service account (the one attached to the actual phone number).

      When AT&T Wireless switched from AXYS (for 2G) to Siebel (for 2.5G+) all the notes and stuff disappeared. So if there were notes on the 2G system about not to fuck with the account, they were gone if they migrated to the GSM system.

Now, if AT&T, after they were purchased by Cingular and then subsequently became AT&T again, likely had yet another billing system migration, or one after they upgraded to 4G (LTE), then the notes were lost again.

      That's the only direct explanation why the notes were not followed. Indirectly however, you can socially engineer pretty much any phone representative by giving them a bleeding heart story, usually one of the following:
      A) My Divorce is final and I need to prevent my ex from accessing this account, please do X, Y, Z and then password protect the account (this is something that is only in billing account level notes, and hence why it may not get read)
      B) I am a (Law enforcement, FBI, NSA, CIA, Secret Service, etc) and need access to X, account, here is the (whatever bogus info) , and the representative doesn't know they have to go through a specific law enforcement channel to get this information, so the person on the phone ups the urgency that it's life-or-death, eg someone's been kidnapped, being held at gunpoint, or something that the representative can not verify.
      C) I am the lawyer of (name on account). Thus they presumably have authority, but again, the representative can not verify this.

      And Store reps are the worst for it, because at the time I worked for AT&T Wireless, the third party store guys would call in and impersonate the real customer and have them do things like cancel the account for invalid reasons, so they could get their commission by selling them a new service. Fortunately LNP has put an end to that, but yeah it was a big thing where third party store reps would say the customer is dead or on military service and to cancel the account without charging an ETF.

      All in all, nobody should use SMS based 2FA, use a temporal authenticator, like a physical one if you really are protecting financial things, or MMO game accounts, because there is no way someone can emulate something that they can't physically access.

      Overall, until there is some kind of international electronic ID standard that is NOT the passport (passport is for your physical citizenship, it's ID purposes end there as there is no financial connection to it) for financial transactions, these issues will continue to exist.

      Like the kind of thing that needs to exist is a kind of block-chain transaction ledger for ID verification. The phone or store rep asks to verify, you push your thumb on the fingerprint pad, or the faceid, or plug in your usb dongle into the phone/computer, and representative on the other end sees the last 10 verification requests with them, and matches it to their system contact dates. If it doesn't match, it's not the right person.

    11. Re: Oh no! by Anonymous Coward · · Score: 0

      That type of ID system will never get traction with all the religious nuts thinking it will be the mark of the beast.

    12. Re:Oh no! by Aighearach · · Score: 1

Just use the same marketing technique as that guy with the book about a false narrative of the history of the tulip market! Then there is no limit to the idiocy that people will believe as history. And if you can rewrite the history, then of course you can give your Bulbcoin all the gravitas of a Federation Credit!

    13. Re: Oh no! by Anonymous Coward · · Score: 0

Aren't you the guy who admitted he's 50 with less than $10k of retirement savings?

    14. Re:Oh no! by gravewax · · Score: 1, Troll

Only partly agree. Sure, AT&T has some liability here, but seriously, what sort of idiot relies on a phone number and phone company as the source of authentication to secure their assets? Obviously he wasn't serious about security in the first place.

    15. Re:Oh no! by Anonymous Coward · · Score: 0

      Clearly and provably AT&T's fault.

      It made him unable to cash his cryptocurrency when he could have made the highest profits, and that's their fault.

      So they'll have to pay.

    16. Re:Oh no! by Anonymous Coward · · Score: 0

      Same as if you have gold. It gets stolen while gold prices fluctuate wildly. After some time, they get caught. Give the gold back? Or if it is nowhere to be found, the price at the time it was stolen? But perhaps a crash was expected, and you were planning on selling before that - but they stole it first?

      If you can't demand the 'highest price point after theft', then the thieves may profit even after compensating you. They may very well have sold at 'all times high'.

    17. Re: Oh no! by Anonymous Coward · · Score: 0

      The price at the moment it was stolen is fair-- that was the point the user lost control of their property due to negligence.

      Alternatively, the price the customer paid to buy the coins would also be fair -- the user is repaid for their direct investment.

    18. Re:Oh no! by Anonymous Coward · · Score: 0

Using an SMS message as a second factor is arguably worse than nothing. Far better security to have a strong password than such a piss-weak method, which is probably part of password reset.

    19. Re:Oh no! by guruevi · · Score: 1

      You can only demand what the value of the gold was at time of theft + any interest or other benefits it would’ve brought you until the time you got it back + some punitive damages.

      Only if you can prove you were selling it at the point of all-time high (I had an armored truck on standby and instructions with my accountant) can you recover any of that value.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    20. Re:Oh no! by mysidia · · Score: 1

      It's not the plaintiff who got repeatedly phished, it was AT&T.

      No.... The perpetrator was the thief, and I would say they managed to scam BOTH the guy and ATT.
That is also another possible outcome for this case. (1) ATT is only Partially responsible for this loss: because the service they provided was Telephone, Data and SMS text message service --- The Terms of Service do not include a warranty that the SMS text message service is "Fit for the purpose of authenticating you", let alone "Fit for the purpose of strongly authenticating you so as to secure access to $23 million".

      And (2) The plaintiff, despite not having a warranty that this SMS Text messaging service was usable for sending high-value messages that could not be intercepted decided to rely upon it for such, with no contract to ATT promising it suitable for that purpose and entitling them to rely upon it for such, And,
      (3) Therefore, ATT's liability should be limited to the first $1,000,000 of the claimed loss.

      These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue

      Correct... The loss will be evaluated in USD... damages are valued in currency, not in Bitcoins. The loss is either the value of the personal property at the time stolen, OR if the cost to replace the personal item is higher now --- then the plaintiff can potentially claim the cost to replace their property with like property in the same condition as necessary to "make them whole"; For example, if their car was stolen and destroyed, they can seek whatever cost is necessary to get the same make of car in same age and condition --- even if that cost is higher than what their lost property was worth when stolen.

    21. Re:Oh no! by Anonymous Coward · · Score: 0

      "value your imaginary money"

Sigh. So many opinions formed, so little actual programming of cryptocurrency software. Are we programmers in this forum anymore? Maybe not.

You don't value your own coin. You create them, they're worth 0 dollars. You get a bunch of people running your nodes. Then everybody has coins, they're still worth 0 dollars. Then they start trading them on the exchanges, and the amount they PAY when averaged over multiple exchanges is what sets the value of a coin.

They often pay more based on whims and irrational emotions and news stories and scams... but SO DOES THE STOCK MARKET. Crypto is the new stock.

    22. Re: Oh no! by CaptainDork · · Score: 1

      Arenâ(TM)t ... heâ(TM)s ...

      Lern to tipe.

      --
      It little behooves the best of us to comment on the rest of us.
    23. Re: Oh no! by Anonymous Coward · · Score: 0

      Slashdot has trouble with rich people phones.

    24. Re:Oh no! by Anonymous Coward · · Score: 0

      You sound bitter, sweet tits.

  2. I hope he wins by Anonymous Coward · · Score: 2, Insightful

    Not because I think he deserves his money back...

    .. but rather because if AT&T pays a penalty for lax security, then maybe (finally!) there will be incentive to improve security practices in the industry.

    1. Re: I hope he wins by Anonymous Coward · · Score: 0

      Every security breach should be fined for each type of data stolen per user. No volume discount.

      For example, Equifax really deserved about $100B fine.

Aside from forcing them to improve security, the amount of personal data acquired and retained would be dramatically different. (Almost) no need for GDPR!

    2. Re: I hope he wins by Anonymous Coward · · Score: 0

      nice, i agree, the MAFIAA policy should apply to corporations too,

  3. That actually seems like a legit case by Anonymous Coward · · Score: 4, Interesting

    He might win and in the process force ATT to stop sucking at security. That would be a win for everybody.

    1. Re:That actually seems like a legit case by Luthair · · Score: 1

I expect AT&T has some sort of terms of service that limits or disclaims their liability. A similar problem is if you place valuable items in your luggage: the airline has a fixed amount they will cover.

    2. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

A win for him would most likely result in unexpected consequences. Monetarily punishing security failures will not result in better security. Companies will fall back to beefing up their user terms and conditions which protect them from lawsuits. In court a company could defend themselves by pointing out that 100% security cannot be achieved since nobody has ever demonstrated that 100% security is even possible.

The plain and simple truth is that everybody is vulnerable to security failures. To date no one has created 100% secure systems. This includes software, hardware, peripherals, and anything else dependent on software or network connectivity. And the number one cause of security breaches is the users. You can't solve user stupidity no matter how much time and money you throw at the problem.

    3. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

      Bzzt! Thanks for playing. Enjoy these fine parting gifts.
      You might want to read up on the difference between not having "perfect" security, and this type of gross negligence.
      Monetarily punishing security failures, has, can and will result in better security. I have no idea why you think it hasn't or won't, but you're wrong.
      Taking security seriously, and spending money on it actually does help the problem as well. I have no idea why you think it can't. Apple is a decent example here. They don't absolutely force people to secure their devices but they certainly make it easy to do so, and it actually takes extra effort to avoid doing it.

    4. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

      The problem is his loss is the result of a third party implementing a "security" mechanism that relies on a party (AT&T) that has never advertised itself as being an authentication product. If anybody is liable it would be the party for which he has an account that held crypto, not AT&T. The extent that AT&T is liable for anything is to the extent of the data or service that was being protected. AT&T's reverting of service once discovered would suffice to correct the issue on AT&T's part and $10 credit for the service interruption (if even that).

    5. Re:That actually seems like a legit case by ASDFnz · · Score: 1

      As far as I know, you cannot put something like:

      > In the event of us being negligent we are not responsible

      into A TOS and expect it to be enforced. IANAL though.

    6. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

      IANAL but even I know that's not how negligence and liability work at all. As a _direct_ result of AT&T's negligence, and incorrect/unlawful actions, their customer was significantly harmed. There are a LOT of potential harms that can be caused by a carrier randomly deciding to give your phone number to someone else, without any verification, and in direct contradiction to your stated wishes and their own policy. You could lose your job, have your professional reputation destroyed, miss out on a huge financial deal, even lose your home, etc, under the right circumstances. "Too bad, you shouldn't have depended on your phone number for anything, here's $10" isn't going to cut it. That's not to say AT&T can be expected to always guarantee 100% security on your account. They just need to take reasonable measures and comply with the law and their stated policies and agreements. BUT if they fail miserably and spectacularly (are negligent) they can then become liable for far more than just the value of the lost service itself.

    7. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

Actually you can, as long as it is worded as a maximum liability and an instruction that you CANNOT/should not use them to secure goods above that value. At that point you are taking the liability and risk on yourself by using them. Many institutions have such liability limits for goods and assets, as they are not insured for assets greater than those amounts.

    8. Re:That actually seems like a legit case by Anonymous Coward · · Score: 0

      The problem there is he also has to show he took the necessary steps to adequately secure his goods. Using a phone service provider as that protection is a pretty far stretch to say he had taken appropriate measures to protect the goods. AT&T sell phones not authentication devices.

    9. Re:That actually seems like a legit case by Powercntrl · · Score: 2

      I expect AT&T has some sort of terms of service that limits or disclaims their liability.

      Yup, it's in the TOS that no one ever reads.

Of course, if you have any sense to understand what you're getting into, you don't keep $23 million worth of cryptocoins on an unregulated, uninsured crypto exchange either.

      --

      ---
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    10. Re:That actually seems like a legit case by Anonymous Coward · · Score: 1

      To the full extent allowed by law, you hereby release, indemnify, and hold AT&T and its officers, directors, employees and agents harmless from and against any and all claims of any person or entity for damages of any nature arising in any way from or relating to, directly or indirectly, service provided by AT&T or any person's use thereof (including, but not limited to, vehicular damage and personal injury), INCLUDING CLAIMS ARISING IN WHOLE OR IN PART FROM THE ALLEGED NEGLIGENCE OF AT&T, or any violation by you of this Agreement. This obligation shall survive termination of your Service with AT&T. AT&T is not liable to you for changes in operation, equipment, or technology that cause your Device or Software to be rendered obsolete or require modification.

  4. Wo what was the first factor that failed? by ffkom · · Score: 3, Interesting

    Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

    But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

    1. Re:Wo what was the first factor that failed? by AmiMoJo · · Score: 1

      Also by the time the suit gets to court the crypto currency will probably be worth 24 cents. How does it work in America, can you argue for the value as it was at the time or only the current value?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 2, Informative

      Usually, the problem is, it's not REALLY two-factor. You just click "I forgot my password" and the supposedly secure system instantly becomes one-factor and sends a link to your phone or email to reset the password!
      Or (even worse, in the case of Facebook) sends you a link that gives you access without even resetting the password. A friend of mine only discovered this by mistake after getting a new phone number, which promptly received a text that gave him access to some random dude's Facebook account. He reported it to Facebook as a security bug and they blew him off, so he got it published on a few news sites, and still pretty much nothing.

    3. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 0

      But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      The reality is, you can bypass the first factor by getting control of the second (from TFA):

      Once they control the number, they can intercept texts for two-factor authentication programs and password resets, quickly hijacking other accounts.

      So, imagine someone now has hijacked your phone number, and knows your email address. They click the "forgot my password" link, it sends something to 'your' phone, the bad guy now has the keys to the kingdom. Since the second factor is blindly trusted, once it's compromised you're screwed.

      The entire value of two-factor falls apart when someone can gain control over the second part because a third party hands it to them.

      The fact that most people use their phone for this (like I'd give Google my fucking phone number) means that if you can get control of the phone, you can just click on those "lost my password" things, and the new password will be texted to you. The problem is, it's no longer you.

I've always thought the way most places are doing two-factor is stupid, because you treat an insecure channel as if it was secure.

      If you're not using something like a soft-token which is device locked and requires a password, all you're really doing is doing an exchange on an open channel, and if someone can control that channel, they can defeat all of your security.

      Honestly, the only thing surprising here is just how easy it is to manipulate AT&T into turning over control of a phone number without proper ID.

    4. Re:Wo what was the first factor that failed? by Lab+Rat+Jason · · Score: 1

      I came here to say this... the part about "forgot my password" changes two factor back to one factor... ridiculous. I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.

      --
      Which has more power: the hammer, or the anvil?
    5. Re:Wo what was the first factor that failed? by sjames · · Score: 1

      It's the value at the time of the loss. That seems fair since he would have the opportunity to sell at that value but for AT&T screwing up.

    6. Re:Wo what was the first factor that failed? by Powercntrl · · Score: 1

      I am currently rooting for true two factor hardware fobs to improve cross platform usability, but I'm not sure it has the legs.

      If we were talking a reputable financial institution holding on to your $23 million real dollars, of course they'd want to implement decent security measures. But this most likely involved a theft from a Bitcoin exchange, and thus it becomes a $23 million dollar lesson in the meaning of the word "unregulated".

      --

      ---
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    7. Re:Wo what was the first factor that failed? by jittles · · Score: 1

      Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor. But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      Probably had password recovery to his phone. Since they had control of his phone, he didn't even get messages telling him that a password reset was requested for his email account

    8. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 0

      But this most likely involved a theft from a Bitcoin exchange, and thus it becomes a $23 million dollar lesson in the meaning of the word "unregulated".

      However, I'll be curious to see how AT&T's culpability plays out.

      It was their people who made the change, despite him actually having taken measures to ensure that wasn't possible.

Surely they have better controls in place than changing an account because someone fast-talks a retail clerk. If they don't, that's pretty pathetic.

      It's not infeasible they have some liability here.

    9. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 0

      Basically it's all circumvented by:
              "To Reset your password, give your email and we'll text you the reset code"

Fucked from the start. Telcos plainly can't be trusted and should be sued for not securing personal information, not having decent security, and a multitude of other shortcomings and 'don't cares', especially when banks even use the above for authentication.

Secure USB crypto keys, a la Google's stuff, are probably the only feasible solution against stupid companies (when all your options are equally shit: Verizon, AT&T, etc., etc.)

    10. Re:Wo what was the first factor that failed? by tlhIngan · · Score: 2

      Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

      But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      No, a phone number is not a second factor

NIST recommendations a few years ago determined that a phone number is no longer eligible as a "second factor". This includes anything that involves using the phone number - SMS, phone calls, etc. NIST foresaw that phone numbers are not unique identifiers and cannot be "something you have", because it's something other people can have as well. Basically, a phone number does not identify a unique phone.

      And with hacks to SS7 and all that, things can be hijacked.

      The only way to use a phone as a second factor is through authentication apps that basically generate a unique key per device and thus cannot be cloned.

      Chances are, the AT&T service terms will let him claim only direct damages - damages caused by loss of service so things like a replacement SIM card, the days of service he missed and perhaps any bills that got run out. Indirect damages are almost always excluded, so if loss of service causes you to miss a stock trade or something, those losses wouldn't be eligible.

And this is never mind the ineffective "2FA" used by the exchange. (And likely, coinbase will be indemnified on that loss as well).

    11. Re:Wo what was the first factor that failed? by thegarbz · · Score: 1

Regardless of how it works he is currently not in a position to make any trades to prevent that loss. What if he wanted to sell it right now? I see no legal argument for why value should be at the time of the case rather than at the time of the loss. Not for crypto currencies, not for other tradables, and not for physical items of value either.

    12. Re:Wo what was the first factor that failed? by AmiMoJo · · Score: 1

      I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.

      In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago, they would give you the value of a 5 year old replacement model today.

      This could be quite an interesting case because potentially it would establish crypto currencies as being more like real currencies, even though for example there is no official Dollar exchange rate to calculate their value against.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Wo what was the first factor that failed? by thegarbz · · Score: 1

      I imagine the defence argument would be that bitcoin or whatever is not currency, it's goods. Thus the bank should only have to buy him the amount of bitcoins he had at the time, which now only costs $78 because the price collapsed.

Again I still don't see that as a valid argument unless he was able to freely sell the thing he didn't have. He was prevented from extracting the value of the item at the time of the loss.

      In the same way that if you lost a car because of their mistake they wouldn't give you the purchase price of the car when you bought it five years ago

We're not talking about purchase price. We're talking about value at the time of the loss. If we spent 10 years legally arguing about the car I expect the value to be defined as the value at the time when you stole it from me + any inflation, and not the scrap value it is now worth because the local council has banned diesels in the city, or whatever else could cause the value to drop.

      Again I don't see the status of bitcoins (currencies vs physical items vs imaginary property) as having any bearing on its value determination.

    14. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 0

      Reputable financial institutions such as Vanguard have exactly the same security flaw. It seems to be a world-wide myopia. They offer a current industry-standard two factor option on your retirement or brokerage account, but *require* that a phone also be linked to the account for account recovery. Most people end up using their smartphone for this purpose as well as their email access and this means that hijacking that phone gives you the ability to interfere in and hijack their lives.

      I have never found a provider with a real "paranoid" account security option. One where you can configure multiple factors and require two or more factor for any purpose (including recover of lost factors). If I really configure and then lose my two factor authentication basis, I should have to show up in person at your firm's retail location or some other deputized bank or notary public and reestablish my identity using real IDs and presence.

      It's a farce that these supposed two-factor mechanisms can be obliterated and re-established by a ghost in the communication network. That ghost is indistinguishably the inept user or the real attacker this whole mechanism was supposed to foil. But the industry is more interested in ease of use and cost per user than in actually protecting the user from real harm like their account being drained.

  5. NEVER use a mobile number for two-factor by Anonymous Coward · · Score: 1

    This has been a problem for years. I keep getting prompted to add my phone number to use for "extra security" when really all it does is increase the attack surface and make the account easier for a dedicated attacker to compromise. Considering that dedicated attackers are by far the worst kind, and knowing that not just AT&T but basically all carriers can easily be convinced, by a sob story about a lost phone or similar, to give anyone access to your number, you'd have to be pretty stupid to use that method for anything seriously important (like millions in cryptocurrency).
    I wouldn't even use that for Facebook...

    1. Re:NEVER use a mobile number for two-factor by devslash0 · · Score: 1

      That's one of the areas where humans should be replaced with some clever biometrics or AI. Human emotions, subjective judgements and not following procedures would be entirely taken out of the equation.

    2. Re:NEVER use a mobile number for two-factor by Anonymous Coward · · Score: 0

      I was recently asked, in order to verify my account, what my most recent bill was (dollars and cents). Given the not exactly random nature of the charges, it makes some sense, but could definitely be a problem as well...

    3. Re:NEVER use a mobile number for two-factor by Anonymous Coward · · Score: 0

      Not alone, but as a transport it works as well (or as badly) as anything.

      On the other hand, if you list a number you use as your second factor, you are part of the problem anyway.
      Get a burner and use it only for password resets and you are not that much worse off.

    4. Re:NEVER use a mobile number for two-factor by laffer1 · · Score: 1

      You were very careful to say dedicated multiple times. Two factor auth does protect accounts from "random" brute force password attacks. It has some value.

  6. queue the hordes by Anonymous Coward · · Score: 0

    queue the hordes who call this frivolous because SMS can be hacked anyway...

    on the flip side sounds like this guy was targeted and probably not because he isn't a douche.

    1. Re:queue the hordes by Anonymous Coward · · Score: 0

      No, it's not frivolous. He's dumb, but AT&T f-d up pretty badly and should be held responsible for their behavior.

      He was almost certainly targeted because he held cryptocurrency, and may have made the mistake of admitting that in some publicly visible place (or publicly following some bitcoin group or forum, or service, etc). There's an entire category of criminals who just search for such things and then use methods like this to gain access and drain people's accounts.

  7. Moral of the story: by Gravis+Zero · · Score: 4, Insightful

    When your security matters, telecoms should not be trusted.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Moral of the story: by aaarrrgggh · · Score: 1

      Telecoms should not be trusted

      Fixed that for you.

    2. Re:Moral of the story: by Anonymous Coward · · Score: 0

      In all fairness, telephones were never meant to be used as a critical security measure for third parties.
      Relying on such a system for your security for anything other than trivial matters is plain stupid.

    3. Re:Moral of the story: by AmiMoJo · · Score: 1

      I wish someone would tell my bank that. They keep bugging me to set up text messages to confirm transfers and payments. I keep telling them no.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Biometrics. But Irony runs deep. by Bob_Who · · Score: 2

    You can't steal someone's identity, in actuality, unless you have their biometric signature within their physical body. This is how to responsibly authenticate access to hundreds of millions of dollars. However, if for some reason your real identity is better kept unknown and shrouded in cryptocurrency to evade taxes and hide the identity of your investors' insider hedges then I guess you get what you deserve from anonymity.

    The real problem is the laws regarding banking is stuck in the late 20th Century when bank robbery became "identity theft".

    In the 19th Century, they called it bank robbery when the Wells Fargo Stage Coach got robbed.

    In the 21st Century, Wells Fargo robs the customer, outright.

    As for AT&T, they've been stealing for years.

  9. Make Lawsuits Great Again! by Tablizer · · Score: 1

    Yay! Sue their pants off. Bigly lawsuits may finally motivate such companies to reduce shortcuts and sloppiness.

    Seems the only way to make them care is to kick them in their wallets.

  10. He doesn't have a snowball's chance in hell by chromaexcursion · · Score: 0

    He was obviously hacked. It's his fault.
    Some lawyer is trying this on spec. Maybe he's hoping they'll settle to avoid legal costs.

    1. Re:He doesn't have a snowball's chance in hell by The+MAZZTer · · Score: 4, Insightful

      Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

      You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

    2. Re:He doesn't have a snowball's chance in hell by Anonymous Coward · · Score: 0

      I'd say he actually has a snowball's chance, of melting.
      Even from the summary it's very clear what happened. AT&T gave away his phone number to the thief, against his explicit instructions and their own policy. The same thing could happen to you if someone were to gain access to your phone number (by giving the carrier a sob story about how they lost their phone while traveling), or email in order to reset all your passwords and bypass two-factor authentication. It would then be "your fault" I suppose.

    3. Re:He doesn't have a snowball's chance in hell by Anonymous Coward · · Score: 0

      Thanks sir, for injecting some fucking common sense, I swear its some freaking idiots on here that don't seem to comprehend a damn thing within reason. FUCKING IDIOTS, I SWEAR MAN!

    4. Re:He doesn't have a snowball's chance in hell by Aighearach · · Score: 1

      It may be turtles all the way down, but that doesn't stop it from being assholes, all the way up.

    5. Re:He doesn't have a snowball's chance in hell by buchanmilne · · Score: 1

      Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

      You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

      Uh, the *primary* way SMS 2FA is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news...

      From the article:

      A SIM swap typically happens using the following methods:
      * Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
      * Stealing passwords from employees at the mobile operators or mobile dealers.

      Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the one correct value and 4 random fictitious ones generated from a list of customer information we generated, presented in random order, and all masked so that only partial values are visible to the agent) for 4 out of 5 customer details (e.g. cellphone number, email address, physical address, national ID number, account number) in 2 attempts before the agent would be able to do anything on the customer's account. If the 2nd attempt failed, it would be logged, and if 2 failures were logged in 48 hours, a security ticket would be opened automatically. We were planning on adding an additional level of opt-in authentication for security-conscious customers. Escalation staff were able to bypass the customer validation, but they had to provide a reason (e.g. escalation ticket number), and this was also logged and reviewed by their managers.

      Our system as-is would prevent/limit the 2nd method of performing SIM swaps listed above, but without the additional enhancements that were planned it wouldn't have prevented the first one from being viable for a well-prepared attacker.

      Mobile operators really can do a much better job here, but they don't want the additional staff costs that would result from changes to these processes.

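As an added illustration (not code from the commenter's former ISP or from anything on this page), the agent-side verification flow described above, simulated in Python: one real value and four fictitious decoys per detail, shown to the agent masked and shuffled; 4 of 5 details must match within 2 attempts; a failed call is logged and a second logged failure within 48 hours opens a security ticket; escalation bypasses require a recorded reason. The customer record, the decoy lists and the masking rule (first two and last three characters visible) are constructed assumptions.

```python
import random
from dataclasses import dataclass, field

DETAILS = ("cellphone", "email", "address", "national_id", "account_number")
REQUIRED_MATCHES = 4   # 4 of 5 details must be confirmed
MAX_ATTEMPTS = 2       # tries per call before the failure is logged
FAILURE_WINDOW_H = 48  # two logged failures inside this window open a ticket

# Constructed sample customer (not a real person) and fictitious decoy values;
# every decoy differs from the real value in the part the agent can see.
CUSTOMER = {
    "cellphone": "+27821234567",
    "email": "alice@example.com",
    "address": "12 Example Road, Cape Town",
    "national_id": "8001015009087",
    "account_number": "ACC-00012345",
}
DECOYS = {
    "cellphone": ["+27821239012", "+27829876543", "+27821230001", "+27831111111"],
    "email": ["alice@example.org", "amy@example.net", "bob@mail.example", "alison@example.co.za"],
    "address": ["12 Example Road, Durban", "34 Sample Street, Cape Town",
                "7 Test Avenue, Pretoria", "12 Example Drive, Paarl"],
    "national_id": ["8001015009012", "7505125009083", "8001015012345", "9001015009188"],
    "account_number": ["ACC-00012354", "ACC-00054321", "ACC-00098765", "ACC-00011111"],
}


def mask(value: str) -> str:
    """Agent-facing display (assumed rule): first 2 and last 3 characters visible."""
    if len(value) <= 5:
        return value
    return value[:2] + "*" * (len(value) - 5) + value[-3:]


def build_challenge(customer: dict, decoys: dict, rng: random.Random) -> dict:
    """Per detail: the real value plus 4 decoys, shuffled. Only the masked list
    goes to the agent's screen; the answer index stays server-side."""
    challenge = {}
    for detail in DETAILS:
        options = [customer[detail]] + rng.sample(decoys[detail], 4)
        rng.shuffle(options)
        challenge[detail] = {"masked": [mask(v) for v in options],
                             "answer": options.index(customer[detail])}
    return challenge


def agent_select(masked_options: list, stated: str):
    """The agent hears what the caller states and picks the option whose visible
    characters match it; None when nothing on screen matches."""
    m = mask(stated)
    return masked_options.index(m) if m in masked_options else None


def score_attempt(challenge: dict, stated: dict) -> int:
    """Number of details where the agent's selection is the real value."""
    return sum(1 for d, c in challenge.items()
               if agent_select(c["masked"], stated.get(d, "")) == c["answer"])


@dataclass
class AgentPortal:
    customer: dict
    decoys: dict
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    audit_log: list = field(default_factory=list)   # (hour, account, event, note)
    tickets: list = field(default_factory=list)     # (hour, account)

    def verify_caller(self, account: str, attempts: list, now_h: float) -> bool:
        """attempts: what the caller stated on each try (at most MAX_ATTEMPTS used).
        Nothing on the account may be changed until this returns True."""
        for stated in attempts[:MAX_ATTEMPTS]:
            challenge = build_challenge(self.customer, self.decoys, self.rng)
            if score_attempt(challenge, stated) >= REQUIRED_MATCHES:
                self.audit_log.append((now_h, account, "verified", ""))
                return True
        # All tries failed: log it, and open a ticket on the 2nd failure within 48h.
        self.audit_log.append((now_h, account, "failed", ""))
        recent = [e for e in self.audit_log
                  if e[1] == account and e[2] == "failed" and now_h - e[0] <= FAILURE_WINDOW_H]
        if len(recent) >= 2:
            self.tickets.append((now_h, account))
        return False

    def escalation_bypass(self, account: str, staff: str, reason: str, now_h: float) -> bool:
        """Escalation staff may skip validation, but only with a logged reason."""
        if not reason.strip():
            raise ValueError("bypass requires a reason, e.g. an escalation ticket number")
        self.audit_log.append((now_h, account, f"bypass:{staff}", reason))
        return True


if __name__ == "__main__":
    portal = AgentPortal(CUSTOMER, DECOYS)
    # Impostor who knows only the publicly discoverable number and e-mail.
    impostor = {"cellphone": CUSTOMER["cellphone"], "email": CUSTOMER["email"]}
    print("real customer:", portal.verify_caller("acct-1", [dict(CUSTOMER)], 0))
    print("impostor, two calls:", portal.verify_caller("acct-1", [impostor, impostor], 1),
          portal.verify_caller("acct-1", [impostor, impostor], 10), "tickets:", portal.tickets)
```

A caller who misstates one detail (say an outdated address) still passes with 4 of 5, which is the usability concession the 4-out-of-5 rule buys.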
    6. Re:He doesn't have a snowball's chance in hell by Anonymous Coward · · Score: 0

      You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

      If this other party racked up a bunch of expensive AT&T charges that got billed to this guy, I don't think anyone is arguing that he shouldn't have to pay those charges. By all means, AT&T, refund those long-distance charges for that call to the disputed zone.

      It sounds like he wants something more, though.

      It looks like he was doing something that everyone would agree can't ever be reliable (was using his AT&T account to authenticate to third parties) and now that it has failed (as you'd expect it to fail) he suddenly cares that it's a bad idea. But it wasn't AT&T's idea. It was his.

      He bought a thick mattress and then found out that it's not much better at storing money than his sock drawer is. If he was looking to store money, maybe he should have gone to Safes'R'Us instead of Matresses'R'Us.

    7. Re:He doesn't have a snowball's chance in hell by Anonymous Coward · · Score: 0

      Completely irrelevant. Moron.

  11. No chargebacks! Be your own bank! by Anonymous Coward · · Score: 0

    And cry to the law when your libertarian dunning-krugerrands get free-marketed away from your weak hands.

    Anyway, lol at keeping $23 million "worth" of crypto hot and not using so much as a hardware wallet. I don't even have $23 *thousand* to protect, yet I use a yubikey literally anywhere that allows it (including keepass using a plugin), because account security is broadly dependent on individual organizations that are highly incentivized to be insecure.

  12. 24 million secured by a phone ? by Crashmarik · · Score: 1

    Cheapskate couldn't spring for an RSA token. The phone company isn't good at security and expecting them to be on a phone plan is ridiculous. If he wanted security he should have bought a plan that explicitly supplied it, instead of trying to create the obligation ex post facto.

    Also insurance seems like it would have been in order here.

    1. Re:24 million secured by a phone ? by Anonymous Coward · · Score: 0

      I didn't see what exchange he has his accounts on - did they support real two factor at the time? Because I have more than one business that doesn't. Hell, most real US banks still think a password and an additional question constitutes real security.

      He may share some blame, but let's get it straight here - AT&T is useless from a security standpoint, and should in fact be punished for that fact.

    2. Re:24 million secured by a phone ? by Anonymous Coward · · Score: 0

      I didn't see what exchange he has his accounts on - did they support real two factor at the time? Because I have more than one business that doesn't. Hell, most real US banks still think a password and an additional question constitutes real security.

      He may share some blame, but let's get it straight here - AT&T is useless from a security standpoint, and should in fact be punished for that fact.

      Password and security question are ironically more secure. It's how they're implemented that sucks. You'll never find a password on any billing statement, yet in many cases companies will happily display it to their agents. That is WRONG. The interface should tell them there is a password and prompt for it. Agent enters whatever they are told; if it's wrong, you don't get access. Wrong enough times and it gets locked out.

      The password is at no point given to the agent ahead of time. Another issue is that where passwords ARE accepted as a form of validation, they are severely limited in size and, believe it or not, content. My password used to be something like "chota"; I had to change it because it apparently offended agents. Irony is, if you heard me say that over a phone, you'd think nothing of it. This is the level of left retardation we've become.

    3. Re:24 million secured by a phone ? by Anonymous Coward · · Score: 0

      1. There's no insurance that will work with crypto
      2. Most people don't understand RSA tokens, and there's a pretty good chance he would have lost access even to himself going that route.

    4. Re:24 million secured by a phone ? by Crashmarik · · Score: 1

      1. There's no insurance that will work with crypto
      2. Most people don't understand RSA tokens, and there's a pretty good chance he would have lost access even to himself going that route.

      This site used to have knowledgeable people

      1. https://www.reuters.com/articl...

      2. If you are too stupid to use an RSA token, you're too stupid to have 24 million in bitcoin and the phone company can't do much to help you.

    5. Re:24 million secured by a phone ? by Aighearach · · Score: 1

      Everything can be insured.

      If you think you found an exception, it only means your insurance agent doesn't think you can afford it!

    6. Re:24 million secured by a phone ? by Anonymous Coward · · Score: 0

      I think by this point most places are using hashes and agents are not verifying your password (but there may be a phone pin). The largest problem with passwords is reuse and simplicity, and numerous hacks of sites around the web that have given people usernames and passwords (most likely rainbow tables against the hashes) that people are also using for important access.

    7. Re:24 million secured by a phone ? by Anonymous Coward · · Score: 0

      If you have 24 million and can't be fucked learning some basics about securing it, then I have no sympathy for you losing it, regardless of the negligence of a phone company (only a complete retard could think that is adequate security).

    8. Re:24 million secured by a phone ? by buchanmilne · · Score: 1

      Password and security question are ironically more secure. It's how they're implemented that sucks. You'll never find a password on any billing statement, yet in many cases companies will happily display it to their agents.

      No personal information should be displayed un-masked unless there is a need to update it (which should be individually re-authenticated and logged), because it might be used to secure the customer's account at a different business entity.

  13. Lesson learned; don't store cryptocurrency at AT&a by Anonymous Coward · · Score: 0

    Oh lol wait; this "investor" didn't own any cryptocurrency. He was nominally owed cryptocurrency by some worthless online site with poor 2fa implementation that instead transferred actual ownership of the currency to the hackers.

  14. Re:Biometrics. But Irony runs deep. by Anonymous Coward · · Score: 0

    Biometrics are a terrible solution. The biometric hashes to a digital signature stored by the service, just like they currently store hashed passwords. When that hash is lost or stolen, how am I supposed to change my physical self?

  15. Re:Oh no, lost monopoly money by sjames · · Score: 2

    OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.

    I hope AT&T loses big considering that they screwed up once, agreed to an additional security measure, then ignored the extra measure entirely in the process of screwing up again.

  16. Possession != Ownership, even if it helps by Anonymous Coward · · Score: 0

    Possession is not the same as ownership, despite the quip about it being worth 9/10ths as much.

    If I store my property in a self-storage locker, I am NOT transferring ownership of my knick-knacks to the storage company.

  17. Re:Oh no, lost monopoly money by anegg · · Score: 2

    Isn't it an open question whether using the AT&T phone service as a critical authentication component puts a duty on AT&T to secure their phone service?

    Doesn't the organization that decided to use the AT&T phone service as a critical authentication component bear some responsibility for their choice?

    If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?

  18. Re:Oh no, lost monopoly money by maglor_83 · · Score: 4, Insightful

    If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?

    No, but if the thieves asked Masterlock to open it and they did, you'd have a much better case.

  19. Re:Biometrics. But Irony runs deep. by Anonymous Coward · · Score: 0

    When that hash is lost or stolen, how am I supposed to change my physical self?

    You can just hack off your fingers and replace them with AT&T fingers. Remember, AT&T - Reach Out and Touch Someone [with AT&T Fingers].

  20. Re:Oh no, lost monopoly money by Anonymous Coward · · Score: 0

    The question is closed. AT&T _already had a duty to secure their phone service_ in the first place.
    As a DIRECT result of AT&T's improper and unlawful actions, their customer was significantly harmed. This even happened after AT&T was taken to task for making the same mistake on the same customer's account previously and having promised to implement measures to prevent it. IANAL, but that sure as hell sounds like ample grounds to sue for the value of the entire loss, plus legal costs, etc.

    The lock analogy is absolute and utter BS. A slightly better (though still flawed) analogy might be hiring a security company to prevent anyone from accessing your storage locker containing a stash of gold. The security guard on duty then decides to ACTIVELY ALLOW a burglar to enter the locker, a second time after having already screwed up once and promising to adequately protect it this time. SO, do you "get to sue" the security company?

  21. An interesting question. Wrong tool for the job? by raymorris · · Score: 3, Insightful

    That is indeed an interesting question. There are two different factors at play.

    I expect a certain amount of security from a $5 Masterlock.
    I expect a greater amount of security from an American Lock Company shrouded shackle that costs $60.
    I expect even more security from a $500 Medeco.

    Similarly, I expect a pickup truck to be able to carry a 400 pound load. I expect a semi truck to be able to carry a 10,000 pound load. Ford isn't responsible if I put a 10,000 pound load on my F-150 and it doesn't work well. Wrong tool for the job.

    Aside from how much security is expected, how much LIABILITY is there? The maker of a $5 lock might reasonably foresee that their lock would be used to secure a $50 item. Medeco knows their locks are used to secure $20,000 jewelry. If you use a $5 lock to "secure" a $10,000 item, that's on you. You used the wrong lock for the job.

    Is a text message designed or expected to secure $xx million? Is it the right tool for the job?

  22. Insecure exchanges, as usual by Powercntrl · · Score: 1

    But isn't as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

    If the investor ("crypto gambler" sounds more apt) had their virtual tulip bulbs in their blockchain wallet, there would've been no heist. My best guess would be that the coins were stolen from an account on Coinbase, which uses this sort of 2FA.

    So, as much as I loathe AT&T, this is really just another case of someone failing to heed the advice of "don't keep your Bitcoins on an exchange." There are so many ways that can end badly, and most of them don't involve AT&T.

    --

    ---
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
  23. PS it's the thief's fault by raymorris · · Score: 2

    BTW people are talking about how much fault AT&T may have vs if this guy is at fault for using the wrong tool for the job. Let us not forget, really it's the thief's fault.

    Whenever bad guys hack something, everyone wants to go after the company that got hacked. *IF* the company was reckless, that makes sense to a degree. There's also a criminal involved. That's who REALLY, obviously did something very wrong.

  24. Re:Oh no, lost monopoly money by sjames · · Score: 1

    At the least, AT&T agreed to implement an additional security measure which they then ignored entirely (as if it didn't exist). That constitutes a specific promise made and then reneged.

    It's notable that at one time, AT&T took security VERY seriously. They still enjoy the reputation even though increasingly it seems undeserved.

  25. Hope he wins.. by Anonymous Coward · · Score: 0

    This kind of thing infuriates me because I have similar "restrictions" on my accounts, yet my lovely ISP's outsourced call centers refuse to follow the protocol that requires them to ask. The policy literally says they will be terminated for failing to do so, yet every time I call, it's trivial to get around them.

  26. Car analogy time by Powercntrl · · Score: 2

    OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.

    Car door locks are a common way of securing your vehicle, and they can be easily defeated with a wedge, an inflatable bag, and a bent coat hanger. Car manufacturers need to do better, before someone gets their valuables stolen.

    Or perhaps, you can realize the security is inherently shitty and don't rely on a locked car to protect your valuables.

    --

    ---
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    1. Re:Car analogy time by sjames · · Score: 1

      This is more like you order an extra door security package and then a car thief calls the dealer and they send someone out who gives them a spare key, no questions asked, and wishes them a nice day as they drive off with your car.

    2. Re:Car analogy time by Powercntrl · · Score: 1

      No, this is like Amazon telling you the glove box of your car is a safe place to keep your Amazon stock. Then some criminal gets the car dealer to give them a copy of your car key, and uses it to pilfer your stock.

      --

      ---
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    3. Re:Car analogy time by Anonymous Coward · · Score: 0

      well nothing is secure with enough dedication

    4. Re:Car analogy time by sjames · · Score: 1

      Amazon in that analogy was wrong (since they didn't realize glove boxes are no longer made of steel), but that hardly excuses the dealership for their extreme negligence.

  27. Settlement: force ATT to advertise crap security by Anonymous Coward · · Score: 0

    Run several dozen times in prime time, and include a visible cigarette-style warning on all their products that the provided security is basically non-existent.

  28. Re:Oh no, lost monopoly money by Anonymous Coward · · Score: 0

    Thats an asinine comment at best, some people are just fucking idiots with no care or consideration for anyone else!

  29. Re: Oh no, lost monopoly money by Anonymous Coward · · Score: 0

    s/Thats/This is/

  30. Re:Oh no, lost monopoly money by Anonymous Coward · · Score: 0

    Thats an asinine comment at best, some people are just fucking idiots with no care or consideration for anyone else!

    What comment are you even replying to?
    Perhaps you meant to reply to the GP? The direct parent of your post is entirely true. Masterlock deciding to open your lock for a thief is a much better analogy to what AT&T did than the thief using bolt cutters.

  31. Re:An interesting question. Wrong tool for the job by JaredOfEuropa · · Score: 2

    Is a text message designed or expected to secure $xx million? Is it the right tool for the job?

    +1 but out of mod points. That is exactly the right question. And I'm hoping banks are taking notice: over here there seems to be a shift away from air-gapped 2FA (PIN protected challenge/response through a chip on bank cards) because people find it "inconvenient" having to carry the pocket card reader. SMS based 2FA is all the rage now.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  32. Wrongful lawsuit by Anonymous Coward · · Score: 0

    AT&T is a phone company, not a secure vault. They are not obliged by contract to provide Fort Knox-like security to you. It's the same reason you don't use Windows to run mission-critical industrial or medical systems - because you will be the only one responsible for any consequences. If you rely on AT&T to provide security for transactions of such magnitude, then you're doing it wrong and any losses are your own fault.

  33. AT&T Response by Anonymous Coward · · Score: 0

    You know they are going to respond claiming Bitcoin isn't legitimate and that he can't prove damages, because it's not an accepted currency or doesn't have an accepted value.

    AT&T is the worst company on the face of the planet in regards to quality and security.

  34. Re:An interesting question. Wrong tool for the job by Anonymous Coward · · Score: 0

    Against this attack a non-air-gapped version would have worked just as well, as long as the receiving phone is a smartphone which can run apps.

    The problem with this attack isn't the lack of an air gap but the fact that the security is dependent on a changeable private key (IMEI) of a public key (your number).

  35. Re:Biometrics. But Irony runs deep. by Anonymous Coward · · Score: 0

    Verifying biometrics without meeting in person comes down to digital data, which can be stolen and reproduced.

  36. Re: Oh no, lost monopoly money by c6gunner · · Score: 1

    The difference is that security companies will have an agreement about how much they're willing to protect, and insurance policies to cover losses up to that amount. Your contract with them will spell out the maximum amount that they will protect or transport for you, and if it goes missing then your losses will be covered.

    AT&T is not a security company and has not agreed to protect your valuables. You can certainly sue them for failing to provide the service which you purchased, but expecting them to pay out millions because you were stupid enough to co-opt their service as a shitty "security" method ... that's not at all reasonable.

  37. Maybe their ads are all wrong by Anonymous Coward · · Score: 0

    We're telecoms, the sign in front, jackass. Do you read?
    Security is next door!

  38. Re: Oh no, lost monopoly money by Anonymous Coward · · Score: 0

    I'm not sure it actually matters. They were clearly negligent, and because of that, their customer was harmed. How about this: Your landlord doesn't merely fail to prevent a thief from entering your apartment, but instead _actually takes away your apartment key and gives it to the thief_ without any authorization, and after having already promised you to never let anyone in without your explicit permission. When the thief then makes off with all your expensive stuff, what, do you just get a one day credit on your rent because that dude was occupying your apartment for the day while stealing everything? Or is your landlord perhaps responsible for the loss?

  39. Since when are phone companies our society's CAs? by Anonymous Coward · · Score: 0

    It really sounds a lot like this guy considers his AT&T billing account to also be a form of identification.

    Did AT&T market it as a form of identification?

    Don't get me wrong: I know lots of other irresponsible parties (e.g. Google and Facebook, among many, even Slashdot works like this) use the ability to receive a challenge by phone or email as the main way of authenticating. But everyone knows you can't do that with anything important. A Slashdot account is about as far as you would take that. Did AT&T tell this guy they support this way of doing things?

    Your phone can't authenticate you to someone else, and this story is merely an example one of the ways it can fail. But even before this story, you knew it doesn't (and can't) work. It will always be a bad idea. No matter how this lawsuit goes, it will still be a bad idea.

  40. simple strategy by Anonymous Coward · · Score: 0

    All at&t has to do is stall. If the trial lasts a few months, even if they are found guilty, they'll only owe like 50 bucks.

  41. Re:Biometrics. But Irony runs deep. by Anonymous Coward · · Score: 0

    There are some proprietary implementations of salted/revocable biometrics out there.