Slashdot Mirror


Investor Sues AT&T Over Two-Factor Security Flaws, $23 Million Cryptocurrency Theft (fastcompany.com)

An anonymous reader quotes a report from Fast Company: Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company's negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He's also seeking punitive damages. Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin. The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin's account without providing the code or a "scannable ID" as AT&T requires, he says.

18 of 120 comments

  1. I hope he wins by Anonymous Coward · · Score: 2, Insightful

    Not because I think he deserves his money back...

    .. but rather because if AT&T pays a penalty for lax security, then maybe (finally!) there will be incentive to improve security practices in the industry.

  2. That actually seems like a legit case by Anonymous Coward · · Score: 4, Interesting

    He might win and in the process force ATT to stop sucking at security. That would be a win for everybody.

    1. Re:That actually seems like a legit case by Powercntrl · · Score: 2

      I expect AT&T has some sort of terms of service that limits or disclaims their liability.

      Yup, it's in the TOS that no one ever reads.

      Of course, if you have any sense to understand what you're getting into, you don't keep $23 million dollars worth of cryptocoins on an unregulated, uninsured crypto exchange either.

      --
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
  3. So what was the first factor that failed? by ffkom · · Score: 3, Interesting

    Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

    But isn't there as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

    1. Re:So what was the first factor that failed? by Anonymous Coward · · Score: 2, Informative

      Usually, the problem is, it's not REALLY two-factor. You just click "I forgot my password" and the supposedly secure system instantly becomes one-factor and sends a link to your phone or email to reset the password!
      Or (even worse, in the case of Facebook) sends you a link that gives you access without even resetting the password. A friend of mine only discovered this by mistake after getting a new phone number, which promptly received a text that gave him access to some random dude's Facebook account. He reported it to Facebook as a security bug and they blew him off, so he got it published on a few news sites, and still pretty much nothing.

    2. Re:So what was the first factor that failed? by tlhIngan · · Score: 2

      Sure, AT&T might provide horrible security, so their mobiles are not a good 2nd factor.

      But isn't there as much blame to put on whoever maintained the first factor? The article doesn't tell us how and why that factor failed...

      No, a phone number is not a second factor

      NIST recommendations from a few years ago determined that a phone number is no longer eligible as a "second factor". This includes anything that involves using the phone number - SMS, phone calls, etc. NIST has foreseen that phone numbers are not unique identifiers and cannot be "something you have" - because it's something other people can have as well. Basically, a phone number does not identify a unique phone.

      And with hacks to SS7 and all that, things can be hijacked.

      The only way to use a phone as a second factor is through authentication apps that basically generate a unique key per device and thus cannot be cloned.

      Chances are, the AT&T service terms will let him claim only direct damages - damages caused by loss of service, so things like a replacement SIM card, the days of service he missed and perhaps any bills that got run up. Indirect damages are almost always excluded, so if loss of service causes you to miss a stock trade or something, those losses wouldn't be eligible.

      And this is never mind the ineffective "2FA" used by the exchange. (And likely, Coinbase will be indemnified on that loss as well.)
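
      The two replies above make two separable technical points: a phone-number OTP is not "something you have" because the carrier decides where the number goes, and a password-reset flow that takes an SMS code alone silently drops the system to zero real factors. The block below is an added example, not code from the page, from any commenter, from NIST or from any carrier or exchange. It implements the RFC 4226/6238 one-time-password maths that authenticator apps use (a per-device secret that the carrier never handles), a verifier with a drift window and replay guard, and a small reset policy that refuses to count SMS or voice as a factor. The factor-classification table is this example's own reading of the guidance and not a quotation of any standard; the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
# "dynamic truncation" to a 31-bit integer reduced to `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


# Enrollment: each device gets its own random seed, shared only between the
# app and the server. A SIM swap moves the phone number, not this seed.
def enroll_device() -> bytes:
    return secrets.token_bytes(20)  # 160-bit seed, same size as the RFC vectors


# The otpauth:// URI is what the enrollment QR code carries (issuer/account
# are illustrative; the format is the de facto Google Authenticator one).
def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


# Verification: accept the current step and +/- `window` neighbours for clock
# drift, compare in constant time, and never accept a counter at or below the
# last one already used so a captured code cannot be replayed.
def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, last_counter: int = -1) -> bool:
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


# What each proof really is. Classification is this example's own (assumption):
# anything delivered via the phone number is under the carrier's control, so it
# is not treated as possession; an e-mail link is a channel, not a factor.
FACTOR_CLASS = {
    "password":      "knowledge",
    "recovery_code": "knowledge",
    "totp":          "possession",    # per-device seed from enroll_device()
    "security_key":  "possession",    # FIDO/U2F hardware token
    "sms_otp":       "phone_number",  # routed wherever the carrier says
    "voice_call":    "phone_number",
    "email_link":    "channel",       # the mailbox is often reset via SMS too
}

STRONG_CLASSES = {"knowledge", "possession"}


def can_reset_password(proofs) -> bool:
    """A reset is a login: it must present two distinct strong factor classes.
    'I forgot my password' plus an SMS code alone therefore yields zero."""
    classes = {FACTOR_CLASS.get(p, "unknown") for p in proofs}
    return len(classes & STRONG_CLASSES) >= 2


if __name__ == "__main__":
    dev_secret = enroll_device()
    now = int(time.time())
    print(provisioning_uri("ExampleExchange", "alice@example.invalid", dev_secret))
    code = totp(dev_secret, now)
    print("current code", code, "verifies:", verify_totp(dev_secret, code, now))
    print("SMS only can reset?        ", can_reset_password(["sms_otp"]))
    print("TOTP + recovery can reset? ", can_reset_password(["totp", "recovery_code"]))
```

      The HOTP/TOTP functions reproduce the published RFC test vectors for the ASCII seed `12345678901234567890`, so the maths can be checked offline. The policy function is the part that addresses the "I forgot my password" downgrade: a reset path has to be evaluated with the same factor rules as a login, and on those rules a phone-number code on its own is not a factor at all.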

  4. Moral of the story: by Gravis+Zero · · Score: 4, Insightful

    When your security matters, telecoms should not be trusted.

    --
    Anons need not reply. Questions end with a question mark.
  5. Biometrics. But Irony runs deep. by Bob_Who · · Score: 2

    You can't steal someone's identity, in actuality, unless you have their biometric signature within their physical body. This is how to responsibly authenticate access to hundreds of millions of dollars. However, if for some reason your real identity is better kept unknown and shrouded in cryptocurrency to evade taxes and hide the identity of your investors' insider hedges then I guess you get what you deserve from anonymity.

    The real problem is that the laws regarding banking are stuck in the late 20th Century, when bank robbery became "identity theft".

    In the 19th Century, they called it bank robbery when the Wells Fargo Stage Coach got robbed.

    In the 21st Century, Wells Fargo robs the customer, outright.

    As for AT&T, they've been stealing for years.

  6. Re: Oh no! by tysonedwards · · Score: 2

    This is the literal case of intellectual property being stolen and rendered unusable by its owner. From a precedent standpoint, would this be functionally different than industrial espionage or destruction of property? Further, as he only had a contractual relationship with AT&T, who was the responsible party to facilitate the transfer of service.

    --
    Thirty four characters live here.
  7. Re:He doesn't have a snowball's chance in hell by The+MAZZTer · · Score: 4, Insightful

    Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.

    You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!

  8. Re:Oh no! by KiloByte · · Score: 4, Insightful

    It doesn't matter what got stolen. These could be collector's bottle caps just the same. Both of these have a monetary value that's unrelated to any intrinsic virtue such an item would have but to what the market pays. If that kind of old bottle caps is typically sold on collectors' auctions for X quatloos, the judge will assume a value somewhere around X. Bitcoin is just easier to appraise than most items.

    The guy requested multiple additional means of protection, which AT&T agreed to implement. It's not the plaintiff who got repeatedly phished, it was AT&T.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  9. Re:Oh no, lost monopoly money by sjames · · Score: 2

    OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.

    I hope AT&T loses big considering that they screwed up once, agreed to an additional security measure, then ignored the extra measure entirely in the process of screwing up again.

  10. Re:Oh no, lost monopoly money by anegg · · Score: 2

    Isn't it an open question whether using the AT&T phone service as a critical authentication component puts a duty on AT&T to secure their phone service?

    Doesn't the organization that decided to use the AT&T phone service as a critical authentication component bear some responsibility for their choice?

    If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?

  11. Re:Oh no, lost monopoly money by maglor_83 · · Score: 4, Insightful

    If I secure my $100M gold stash in a storage locker protected by a $40 Masterlock padlock, do I get to sue Masterlock for $100M when the thieves use a bolt cutter to remove the lock and take my gold?

    No, but if the thieves asked Masterlock to open it and they did, you'd have a much better case.

  12. An interesting question. Wrong tool for the job? by raymorris · · Score: 3, Insightful

    That is indeed an interesting question. There are two different factors at play.

    I expect a certain amount of security from a $5 Masterlock.
    I expect a greater amount of security from an American Lock Company shrouded shackle that costs $60.
    I expect even more security from a $500 Medeco.

    Similarly, I expect a pickup truck to be able to carry a 400 pound load. I expect a semi truck to be able to carry a 10,000 pound load. Ford isn't responsible if I put a 10,000 pound load on my F-150 and it doesn't work well. Wrong tool for the job.

    Aside from how much security is expected, how much LIABILITY is there? The maker of a $5 lock might reasonably foresee that their lock would be used to secure a $50 item. Medeco knows their locks are used to secure $20,000 jewelry. If you use a $5 lock to "secure" a $10,000 item, that's on you. You used the wrong lock for the job.

    Is a text message designed or expected to secure $xx million? Is it the right tool for the job?

  13. PS it's the thief's fault by raymorris · · Score: 2

    BTW people are talking about how much fault AT&T may have vs if this guy is at fault for using the wrong tool for the job. Let us not forget, really it's the thief's fault.

    Whenever bad guys hack something, everyone wants to go after the company that got hacked. *IF* the company was reckless, that makes sense to a degree. There's also a criminal involved. That's who REALLY, obviously did something very wrong.

  14. Car analogy time by Powercntrl · · Score: 2

    OTOH, text messaging is a common 2FA method and AT&T needs to do better before someone gets their bank account hoovered.

    Car door locks are a common way of securing your vehicle, and they can be easily defeated with a wedge, an inflatable bag, and a bent coat hanger. Car manufacturers need to do better, before someone gets their valuables stolen.

    Or perhaps, you can realize the security is inherently shitty and don't rely on a locked car to protect your valuables.

    --
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
  15. Re:An interesting question. Wrong tool for the job by JaredOfEuropa · · Score: 2

    Is a text message designed or expected to secure $xx million? Is it the right tool for the job?

    +1 but out of mod points. That is exactly the right question. And I'm hoping banks are taking notice: over here there seems to be a shift away from air-gapped 2FA (PIN protected challenge/response through a chip on bank cards) because people find it "inconvenient" having to carry the pocket card reader. SMS based 2FA is all the rage now.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...