Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com)
An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.
Not because I think he deserves his money back...
He might win and in the process force ATT to stop sucking at security. That would be a win for everybody.
Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.
But isn't there as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
This has been a problem for years. I keep getting prompted to add my phone number to use for "extra security" when really all it does is increase the attack surface and make the account easier for a dedicated attacker to compromise. Considering that dedicated attackers are by far the worst kind, and knowing that not just AT&T but basically all carriers can easily be convinced, by a sob story about a lost phone or similar, to give anyone access to your number, you'd have to be pretty stupid to use that method for anything seriously important (like millions in cryptocurrency).
I wouldn't even use that for Facebook...
When your security matters, telecoms should not be trusted.
Anons need not reply. Questions end with a question mark.
You can't steal someone's identity, in actuality, unless you have their biometric signature within their physical body. This is how to responsibly authenticate access to hundreds of millions of dollars. However, if for some reason your real identity is better kept unknown and shrouded in cryptocurrency to evade taxes and hide the identity of your investors' insider hedges then I guess you get what you deserve from anonymity.
The real problem is the laws regarding banking are stuck in the late 20th Century when bank robbery became "identity theft".
In the 19th Century, they called it bank robbery when the Wells Fargo Stage Coach got robbed.
In the 21st Century, Wells Fargo robs the customer, outright.
As for AT&T, they've been stealing for years.
Yay! Sue their pants off. Bigly lawsuits may finally motivate such companies to reduce shortcuts and sloppiness.
Seems the only way to make them care is to kick them in their wallets.
Table-ized A.I.
This is the literal case of intellectual property being stolen and rendered unusable by its owner. From a precedent standpoint, would this be functionally different than industrial espionage or destruction of property? Further, as he only had a contractual relationship with AT&T, who was the responsible party to facilitate the transfer of service?
Thirty four characters live here.
Cheapskate couldn't spring for an RSA token. The phone company isn't good at security and expecting them to be on a phone plan is ridiculous. If he wanted security he should have bought a plan that explicitly supplied it, instead of trying to create the obligation ex post facto.
Also insurance seems like it would have been in order here.
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
It doesn't matter what got stolen. These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue such an item would have but to what the market pays. If that kind of old bottle caps is typically sold on collectors' auctions for X quatloos, the judge will assume a value somewhere around X. Bitcoin is just easier to appraise than most items.
The guy requested multiple additional means of protection, which AT&T agreed to implement. It's not the plaintiff who got repeatedly phished, it was AT&T.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.
I hope AT&T loses big considering that they screwed up once, agreed to an additional security measure, then ignored the extra measure entirely in the process of screwing up again.
That's actually one legitimate way to monetise your TulipBulbEtherCoin, you set up your own exchange and do an ICO and all the other stuff, value your imaginary money at eleventy googleplex dollars, sue someone with deep enough pockets, and eventually settle for a few billion or so as compensation. Profit!
Isn't it an open question whether using the AT&T phone service as a critical authentication component puts a duty on AT&T to secure their phone service?
Doesn't the organization that decided to use the AT&T phone service as a critical authentication component bear some responsibility for their choice?
If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?
If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?
No, but if the thieves asked Masterlock to open it and they did, you'd have a much better case.
That is indeed an interesting question. There are two different factors at play.
I expect a certain amount of security from a $5 Masterlock.
I expect a greater amount of security from an American Lock Company shrouded shackle that costs $60.
I expect even more security from a $500 Medeco.
Similarly, I expect a pickup truck to be able to carry a 400 pound load. I expect a semi truck to be able to carry a 10,000 pound load. Ford isn't responsible if I put a 10,000 pound load on my F-150 and it doesn't work well. Wrong tool for the job.
Aside from how much security is expected, how much LIABILITY is there? The maker of a $5 lock might reasonably foresee that their lock would be used to secure a $50 item. Medeco knows their locks are used to secure $20,000 jewelry. If you use a $5 lock to "secure" a $10,000 item, that's on you. You used the wrong lock for the job.
Is a text message designed or expected to secure $xx million? Is it the right tool for the job?
But isn't there as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...
If the investor ("crypto gambler" sounds more apt) had their virtual tulip bulbs in their blockchain wallet, there would've been no heist. My best guess would be that the coins were stolen from an account on Coinbase, which uses this sort of 2FA.
So, as much as I loathe AT&T, this is really just another case of someone failing to heed the advice of "don't keep your Bitcoins on an exchange." There are so many ways that can end badly, and most of them don't involve AT&T.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
BTW people are talking about how much fault AT&T may have vs if this guy is at fault for using the wrong tool for the job. Let us not forget, really it's the thief's fault.
Whenever bad guys hack something, everyone wants to go after the company that got hacked. *IF* the company was reckless, that makes sense to a degree. There's also a criminal involved. That's who REALLY, obviously did something very wrong.
At the least, AT&T agreed to implement an additional security measure which they then ignored entirely (as if it didn't exist). That constitutes a specific promise made and then reneged.
It's notable that at one time, AT&T took security VERY seriously. They still enjoy the reputation even though increasingly it seems undeserved.
OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.
Car door locks are a common way of securing your vehicle, and they can be easily defeated with a wedge, an inflatable bag, and a bent coat hanger. Car manufacturers need to do better, before someone gets their valuables stolen.
Or perhaps, you can realize the security is inherently shitty and don't rely on a locked car to protect your valuables.
I agree, but I wonder about the value.
Precisely what was crypto going for at the time of theft.
Can theft be proven?
Isn't crypto all about anonymity?
It little behooves the best of us to comment on the rest of us.
Pretty much.
And having worked for one previous company that is now part of the current monster AT&T, I can pretty much tell you how this account hijack went, because every rep has a version of this story.
1) A male or female voice will have all the right VID (Verified Identification) and want to cut off this account from their abusive spouse
2) There will be notes on the account not to fuck with the account, sometimes multiple notes because it's happened multiple times
3) The representative (usually at the store) can't see these notes because they're at the wrong part of the account, either the billing account (the one that is your "AT&T" account) or the service account (the one attached to the actual phone number)
When AT&T Wireless switched from AXYS (for 2G) to Siebel (for 2.5G+) all the notes and stuff disappeared. So if there were notes on the 2G system about not to fuck with the account, they were gone if they migrated to the GSM system.
Now AT&T, after they were purchased by Cingular and then subsequently became AT&T again, likely had yet another billing system migration, or another after they upgraded to 4G (LTE), and the notes were lost again.
That's the only direct explanation why the notes were not followed. Indirectly however, you can socially engineer pretty much any phone representative by giving them a bleeding heart story, usually one of the following:
A) My Divorce is final and I need to prevent my ex from accessing this account, please do X, Y, Z and then password protect the account (this is something that is only in billing account level notes, and hence why it may not get read)
B) I am a (Law enforcement, FBI, NSA, CIA, Secret Service, etc) and need access to X, account, here is the (whatever bogus info) , and the representative doesn't know they have to go through a specific law enforcement channel to get this information, so the person on the phone ups the urgency that it's life-or-death, eg someone's been kidnapped, being held at gunpoint, or something that the representative can not verify.
C) I am the lawyer of (name on account). Thus they presumably have authority, but again, the representative can not verify this.
And Store reps are the worst for it, because at the time I worked for AT&T Wireless, the third party store guys would call in and impersonate the real customer and have them do things like cancel the account for invalid reasons, so they could get their commission by selling them a new service. Fortunately LNP has put an end to that, but yeah it was a big thing where third party store reps would say the customer is dead or on military service and to cancel the account without charging an ETF.
All in all, nobody should use SMS based 2FA, use a temporal authenticator, like a physical one if you really are protecting financial things, or MMO game accounts, because there is no way someone can emulate something that they can't physically access.
Overall, until there is some kind of international electronic ID standard that is NOT the passport (passport is for your physical citizenship, its ID purposes end there as there is no financial connection to it) for financial transactions, these issues will continue to exist.
Like the kind of thing that needs to exist is a kind of block-chain transaction ledger for ID verification. The phone or store rep asks to verify, you push your thumb on the fingerprint pad, or the faceid, or plug in your usb dongle into the phone/computer, and representative on the other end sees the last 10 verification requests with them, and matches it to their system contact dates. If it doesn't match, it's not the right person.
Just use the same marketing technique that guy with the book about a false narrative of the history of the tulip market! Then there is no limit to the idiocy that people will believe as history. And if you can rewrite the history, then of course you can give your Bulbcoin all the gravitas of a Federation Credit!
Is a text message designed or expected to secure $xx million? Is it the right tool for the job?
+1 but out of mod points. That is exactly the right question. And I'm hoping banks are taking notice: over here there seems to be a shift away from air-gapped 2FA (PIN protected challenge/response through a chip on bank cards) because people find it "inconvenient" having to carry the pocket card reader. SMS based 2FA is all the rage now.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
It may be turtles all the way down, but that doesn't stop it from being assholes, all the way up.
Only partly agree, sure AT&T has some liability here, but seriously what sort of idiot relies on a phone number and phone company as the source of authentication to secure your assets? obviously he wasn't serious about security in the first place.
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
Uh, the *primary* way SMS 2FA is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news...
From the article:
A SIM swap typically happens using the following methods:
* Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
* Stealing passwords from employees at the mobile operators or mobile dealers.
Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of customer information we generated, presented in random order, and all masked so that only partial values are visible to the agent) for 4 out of 5 customer details (e.g. cellphone number, email address, physical address, national ID number, account number) in 2 attempts before the agent would be able to do anything on the customer's account. If the 2nd attempt failed, it would be logged, and if 2 failures were logged in 48 hours, a security ticket would be opened automatically. We were planning on adding an additional level of opt-in authentication for security-conscious customers. Escalation staff were able to bypass the customer validation, but they had to provide a reason (e.g. escalation ticket number), and this was also logged and reviewed by their managers.
Our system as-is would prevent/limit the 2nd method to perform sim-swaps listed above, but without the additional enhancements that were planned wouldn't have prevented the first one from being viable by a well-prepared attacker.
Mobile operators really can do a much better job here, but they don't want the additional staff costs that would result from changes to these processes.
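The agent-side verification flow described in the post above (one genuine value hidden among four fictitious ones per field, all masked, 4 of 5 fields required, 2 attempts, logged failures, an automatic security ticket after 2 failures in 48 hours, and a logged reason for any escalation bypass) is concrete enough to model. The following is an added example written for this thread, not the ISP's portal code; the customer record and decoy values are constructed, the masking rule (first two and last three characters visible) and the 48-hour window measured in epoch seconds are assumptions, and real decoys would be generated rather than hard-coded.

```python
import random

FIELDS = ["cellphone", "email", "address", "national_id", "account_number"]
FAILURE_WINDOW_SECS = 48 * 3600  # two failed sessions inside this window open a ticket

# Constructed sample customer and decoys (not real data). Decoys are chosen so that
# they stay distinguishable after masking; build_session() enforces that.
CUSTOMER = {
    "cellphone": "0821234567",
    "email": "alice@example.com",
    "address": "12 Long Street, Cape Town",
    "national_id": "8001015009087",
    "account_number": "ACC-4411-9082",
}
DECOY_POOL = {
    "cellphone": ["0839876543", "0721112222", "0615554444", "0845556666", "0733334445"],
    "email": ["bob@example.com", "a.smith@example.net", "carol@example.org", "alice1@example.org", "dave@example.com"],
    "address": ["14 Long Street, Durban", "12 Loop Street, Paarl", "7 Long Road, Knysna", "120 Long Street, Benoni", "2 Long Street, Parow"],
    "national_id": ["8001015009186", "8001015009254", "8001015009378", "8001015009431", "8001015009565"],
    "account_number": ["ACC-4411-9028", "ACC-4141-9083", "ACC-4411-9183", "ACC-4412-9284", "ACC-4411-9385"],
}


def mask(value: str, head: int = 2, tail: int = 3) -> str:
    """Agent sees only the edges of a value, never the whole thing (assumed masking rule)."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[-tail:]


class VerificationSession:
    """One customer-verification attempt set: masked options shown to the agent, answers kept server-side."""

    def __init__(self, customer, decoy_pool, rng, required=4, max_attempts=2):
        self.required, self.max_attempts, self.attempts_used = required, max_attempts, 0
        self.options, self.answers = {}, {}  # answers (genuine index per field) are never rendered
        for field in FIELDS:
            choices = rng.sample(decoy_pool[field], 4) + [customer[field]]
            rng.shuffle(choices)
            masked = [mask(c) for c in choices]
            if len(set(masked)) != len(masked):
                raise ValueError(f"decoys for {field} collide after masking; regenerate them")
            self.options[field] = masked
            self.answers[field] = choices.index(customer[field])


class AgentPortal:
    """Gates account actions behind verification; logs failures and bypasses for review."""

    def __init__(self, customer, decoy_pool, seed=None):
        self.customer, self.decoy_pool, self.rng = customer, decoy_pool, random.Random(seed)
        self.failure_log = []      # (epoch_secs, agent) for each exhausted session
        self.security_tickets = []
        self.audit = []            # every outcome, for managers to review

    def new_session(self):
        return VerificationSession(self.customer, self.decoy_pool, self.rng)

    def check_answers(self, session, selection, agent, now):
        """selection maps field -> index the agent picked; returns True when the account is unlocked."""
        if session.attempts_used >= session.max_attempts:
            raise RuntimeError("no attempts left; open a new session")
        session.attempts_used += 1
        correct = sum(1 for f in FIELDS if selection.get(f) == session.answers[f])
        if correct >= session.required:
            self.audit.append((now, agent, "verified", correct))
            return True
        self.audit.append((now, agent, "failed_attempt", correct))
        if session.attempts_used == session.max_attempts:
            self.failure_log.append((now, agent))
            recent = [t for t, _ in self.failure_log if now - t <= FAILURE_WINDOW_SECS]
            if len(recent) >= 2:
                self.security_tickets.append({"opened_at": now, "agent": agent, "failures": len(recent)})
        return False

    def escalation_bypass(self, agent, reason, now):
        """Escalation staff may skip verification, but only with a logged reason (e.g. ticket number)."""
        if not reason or not reason.strip():
            raise ValueError("a reason is required to bypass customer verification")
        self.audit.append((now, agent, "bypass", reason))
        return True


if __name__ == "__main__":
    portal = AgentPortal(CUSTOMER, DECOY_POOL, seed=7)
    session = portal.new_session()
    for field, opts in session.options.items():
        print(field, opts)  # this is all the agent ever sees
```

The important design property is that the portal, not the agent, holds the genuine values: a phished or dishonest employee cannot read them off the screen, and the failure log turns a persistent impersonator into a security ticket rather than a third try.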
You can only demand what the value of the gold was at time of theft + any interest or other benefits it would’ve brought you until the time you got it back + some punitive damages.
Only if you can prove you were selling it at the point of all-time high (I had an armored truck on standby and instructions with my accountant) can you recover any of that value.
Custom electronics and digital signage for your business: www.evcircuits.com
The difference is that security companies will have an agreement about how much they're willing to protect, and insurance policies to cover losses up to that amount. Your contract with them will spell out the maximum amount that they will protect or transport for you, and if it goes missing then your losses will be covered.
AT&T is not a security company and has not agreed to protect your valuables. You can certainly sue them for failing to provide the service which you purchased, but expecting them to pay out millions because you were stupid enough to coopt their service as a shitty "security" method ... that's not at all reasonable.
It's not the plaintiff who got repeatedly phished, it was AT&T.
No.... The perpetrator was the thief, and I would say they managed to scam BOTH the guy and ATT.
That is also another possible outcome for this case. (1) ATT is only Partially responsible for this loss: because the service they provided was Telephone, Data and SMS text message service --- The Terms of Service do not include a warranty that the SMS text message service is "Fit for the purpose of authenticating you", let alone "Fit for the purpose of strongly authenticating you so as to secure access to $23 million".
And (2) The plaintiff, despite not having a warranty that this SMS Text messaging service was usable for sending high-value messages that could not be intercepted decided to rely upon it for such, with no contract to ATT promising it suitable for that purpose and entitling them to rely upon it for such, And,
(3) Therefore, ATT's liability should be limited to the first $1,000,000 of the claimed loss.
These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue
Correct... The loss will be evaluated in USD... damages are valued in currency, not in Bitcoins. The loss is either the value of the personal property at the time stolen, OR if the cost to replace the personal item is higher now --- then the plaintiff can potentially claim the cost to replace their property with like property in the same condition as necessary to "make them whole"; For example, if their car was stolen and destroyed, they can seek whatever cost is necessary to get the same make of car in same age and condition --- even if that cost is higher than what their lost property was worth when stolen.
Aren’t ... he’s ...
Lern to tipe.