Slashdot Mirror
Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com)
An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of this clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.
Not because I think he deserves his money back...
When your security matters, telecoms should not be trusted.
Anons need not reply. Questions end with a question mark.
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
It doesn't matter what got stolen. These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue such an item would have but to what the market pays. If that kind of old bottle caps is typically sold on collectors' auctions for X quatloos, the judge will assume a value somewhere around X. Bitcoin is just easier to appraise than most items.
The guy requested multiple additional means of protection, which AT&T agreed to implement. It's not the plaintiff who got repeatedly phished, it was AT&T.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?
No, but if the thieves asked Masterlock to open it and they did, you'd have a much better case.
That is indeed an interesting question. There are two different factors at play.
I expect a certain amount of security from a $5 Masterlock.
I expect a greater amount of security from a American Lock Company shrouded shackle that costs $60.
I expect even more security from a $500 Medeco.
Similarly, I expect a pickup truck to be able to carry a 400 pound load. I expect a semi truck to be able to carry a 10,000 pound load. Ford isn't responsible if I put a 10,000 pound load on my F-150 and it doesn't work well. Wrong tool for the job.
Aside from how much security is expected, how much LIABILITY is there? The maker of a $5 lock might reasonably foresee that their lock would be used to secure a $50 item. Medeco knows their locks are used to secure $20,000 jewelry. If you use a $5 to "secure" a $10,000 item, that's on you. You used the wrong lock for the job.
Is a text message designed or expected to secure $xx million? Is it the right tool for the job?