Slashdot Mirror


Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com)

An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.

1 of 120 comments

  1. Re:Wo what was the first factor that failed? by Anonymous Coward · · Score: 2, Informative

    Usually, the problem is, it's not REALLY two-factor. You just click "I forgot my password" and the supposedly secure system instantly becomes one-factor and sends a link to your phone or email to reset the password!
    Or (even worse, in the case of Facebook) sends you a link that gives you access without even resetting the password. A friend of mine only discovered this by mistake after getting a new phone number, which promptly received a text that gave him access to some random dude's Facebook account. He reported it to Facebook as a security bug and they blew him off, so he got it published on a few news sites, and still pretty much nothing.
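The weakness the commenter describes, a "forgot my password" path that collapses to whoever controls the phone number, can be made concrete by modelling the recovery policy itself. The following is an added example, not code from Slashdot, the commenter or any provider named in the story; the account fields, the `weak_reset_decision` / `hardened_reset_decision` functions, the offline recovery-code scheme and the 72-hour "SIM recently changed" cooldown are all assumptions made for illustration. The hardened policy keeps a factor that a SIM swap cannot capture (a single-use recovery code) in the loop and holds requests that arrive shortly after the number moved to a new SIM for manual review.

```python
"""
Two account-recovery policies side by side: a 'forgot my password' flow
that trusts the phone number alone, and a hardened flow that requires a
phone-independent factor and reacts to a recent SIM change.
Added example with assumed names and thresholds, not any provider's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from hmac import compare_digest
from typing import Optional, Set

# Assumed policy knob: a recovery attempt within this window after the
# number was moved to a new SIM is held for review (hypothetical carrier
# signal, not a real API).
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


def hash_code(code: str) -> str:
    """Store recovery codes hashed, normalised for case and whitespace."""
    return sha256(code.strip().upper().encode()).hexdigest()


@dataclass
class Account:
    phone: str
    # Hashes of single-use offline recovery codes handed out at enrolment.
    recovery_code_hashes: Set[str] = field(default_factory=set)
    # Time the carrier reported the number moving to a new SIM (assumed signal).
    sim_changed_at: Optional[datetime] = None


@dataclass
class RecoveryRequest:
    at: datetime
    sms_code_ok: bool                    # requester proved control of the number
    recovery_code: Optional[str] = None  # offline backup code, if supplied


def weak_reset_decision(account: Account, req: RecoveryRequest) -> str:
    """The flow from the comment: the SMS-delivered link alone resets the
    password, so the 'second factor' is the only factor."""
    return "allow" if req.sms_code_ok else "deny"


def hardened_reset_decision(account: Account, req: RecoveryRequest) -> str:
    """Phone proof is necessary but never sufficient. Returns one of
    'allow', 'deny' or 'hold' (hold = route to manual review)."""
    if not req.sms_code_ok:
        return "deny"
    # A request right after a SIM change is exactly the SIM-swap pattern;
    # hold it even if the other proofs look good.
    if account.sim_changed_at is not None and \
            req.at - account.sim_changed_at < SIM_CHANGE_COOLDOWN:
        return "hold"
    if req.recovery_code is None:
        return "deny"
    supplied = hash_code(req.recovery_code)
    for stored in account.recovery_code_hashes:
        if compare_digest(stored, supplied):
            # Burn the code so a replayed request cannot reuse it.
            account.recovery_code_hashes.discard(stored)
            return "allow"
    return "deny"


def scenario() -> dict:
    """Run both policies against an attacker who only controls the phone
    number (SIM swap) and a legitimate owner who also holds a recovery code."""
    t0 = datetime(2018, 8, 15, 12, 0)
    results = {}

    victim = Account(phone="+1-555-0100",  # constructed sample number
                     recovery_code_hashes={hash_code("abcd-1234")})
    attacker = RecoveryRequest(at=t0, sms_code_ok=True)
    results["attacker_weak"] = weak_reset_decision(victim, attacker)
    results["attacker_hardened"] = hardened_reset_decision(victim, attacker)

    owner = RecoveryRequest(at=t0, sms_code_ok=True, recovery_code="ABCD-1234 ")
    results["owner_hardened"] = hardened_reset_decision(victim, owner)
    # Same code again: single use, so it must now fail.
    results["owner_replay"] = hardened_reset_decision(victim, owner)

    swapped = Account(phone="+1-555-0101",
                      recovery_code_hashes={hash_code("wxyz-9876")},
                      sim_changed_at=t0 - timedelta(hours=2))
    during_cooldown = RecoveryRequest(at=t0, sms_code_ok=True,
                                      recovery_code="WXYZ-9876")
    results["after_sim_change"] = hardened_reset_decision(swapped, during_cooldown)
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:20s} -> {decision}")
```

The cooldown check runs before the recovery-code check on purpose: a legitimate owner who really did change SIMs is inconvenienced by a review, whereas an attacker who holds a freshly swapped SIM and a leaked recovery code is not let straight in. Whether a carrier exposes a usable SIM-change signal at all is an assumption here; without it, the remaining protection is that the phone number on its own never resets anything.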