
Cryptocurrency investor robbed via his cellphone account sues AT&T for $224M - ProAm
https://www.cnbc.com/2018/08/15/cryptocurrency-investor-sues-att-for-224-million-over-loss-of-digita.html
======
axaxs
I hope he wins, mainly so cell operators will perhaps take security more
seriously. Not long ago, I was with T-Mobile. My username was my phone number,
and the password, you could request and they'd send it to you in an email.
With the climb of social media, our phone numbers are more a part of our
identity than ever before, and carriers' lack of security is being thrust into
the spotlight.

~~~
redm
There are of course two sides to every coin. The flip side is, cell carriers
never signed up to be a secure identification mechanism. SMS wasn't designed
for security, and there's little financial incentive for them to invest in
those changes, i.e., they don't charge you more for secure authorization of
3rd party platforms. I think it's very akin to the US Social Security Number
being used as a 'secure' identification in many cases.

I imagine a world where you go into the cell store, and they demand three
forms of identification including a utility bill to talk to you. I can already
hear the complaints from a much larger portion of their customer base.

~~~
theptip
That's a good point in general; NIST recommends not using SMS for challenge-
response authentication.

I don't know whether in this case the victim was using SMS codes, or whether
the attacker used their phone number as part of a more involved attack (e.g.
calling customer support and impersonating the victim). Even if you don't use
SMS codes, there are a number of attacks that are opened up if someone seizes
your cell phone number.

In general, however, I think it would be a good thing if service providers
were held liable for damages occurring due to account breaches; that's the
only way we're going to get proper account security. Schneier has written on
this subject extensively, e.g.
[https://www.schneier.com/essays/archives/2003/11/liability_c...](https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html).

~~~
Maxion
I work in fraud prevention. While it's not yet a typical attack, it does
happen regularly.

Usually the attack is done against an individual who is known to have
significant crypto assets and is using Gmail. By default if you enable 2fa on
your Gmail account, sms based 2fa is activated as backup.

The attacker social engineers the phone provider to port the victim's number,
then resets the victim's Gmail account, uses Android device manager to wipe
their devices, and using the details found in Gmail they proceed to gain
access to other accounts owned by the victim. The main goal being to social
engineer access to services where they store crypto or to find unencrypted
wallet backups in the cloud.

~~~
theptip
The previous best option I was aware of with Gmail was to add a pair of
Yubikeys, then explicitly remove your cellphone from the account, to close the
gap you mention.

Now there is
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/),
which might be a better option -- interested to know if you've got any
opinions on that scheme.

------
tessi3r
While I was working at a blockchain forensics company (we built one of the
first AI backed block-explorers both for Bitcoin and Ethereum & our service
was also used to identify the DAO hack), both myself and my boss were targeted
multiple times a year with this kind of attack even though we held no crypto
through the company. It seemed that just since my name was on the web with the
word crypto I was a target.

To this day I have a personal phone and a revolving burner I only use for non-
SMS 2FA with an unlisted number, which is kept in an EMF proof bag while not
in use.

Security for this kind of thing is an absolute joke.

Granted, this guy should've known better given the value of his holdings...
Most also don't know that accounts such as Authy and other non-SMS 2FA
authenticators can still be stolen if your mobile number is stolen.

However, I'm still waiting for a carrier that creates a system that can't be
trivially socially engineered by bored Chinese scammers...

~~~
avian
> Most also don't know that accounts such as Authy and other non-SMS 2FA
> authenticators can still be stolen if your mobile number is stolen.

I was under the impression that apps like Authy and Google Authenticator have
no connection with the telephone network/phone number. Do you have any
reference that claims otherwise?

~~~
guildenstern
Authy specifically stores your account in the cloud and can be recovered using
SMS. They have a 24 hour warning period during which the email address on file
receives multiple notifications that a recovery is being attempted with the
option to cancel but if someone has control over your phone number for an
extended period of time they can absolutely take over your Authy account. I
found this out when my Authy account was corrupted somehow and support said,
hey no worries just go through the recovery process.

Google Authenticator is offline only and is not vulnerable.

~~~
tessi3r
I mentioned this because I know multiple people who've had authy / other
authenticators compromised down the line from social engineering attacks. Even
if you can be alerted, usually it's too late by the time you realize what's
happened to your creds.

~~~
matwood
Did they not put a password on the Authy backup?

------
saas_sam
Wasn't it like a year ago that famous YouTubers and such were getting their
accounts stolen the exact same way and AT&T promised they would tighten up
security measures?

~~~
SurrealSoul
Yes, you have to opt-in to this type of security

~~~
adtac
Opt-in security is the best form of security, after security by obscurity /s

~~~
sturgill
I prefer both options: opt-in by obscurity.

~~~
loa-in-backup
Suing the internet to force it to forget your number?

------
village-idiot
I’m not sure if he has any legal recourse against AT&T, but it’s another
example why sms based 2FA is a bad security scheme, especially if you’re a
high value target.

~~~
aviv
In the US it is trivial to hijack any mobile number's SMS traffic. It takes
less than a minute. SMS as 2FA should never ever be used by anyone.

~~~
maym86
How does it work? Why is it so easy?

~~~
jeanlucas
SMS is not exactly the most secure protocol. But you do not need to use SMS
for 2fa, that's a misconception.

~~~
bena
Isn't it effectively plaintext?

I don't know too much about the SMS protocol. But I do know that most
protocols do start out plaintext because programmers are lazy and optimistic.

~~~
village-idiot
That’s one part of the problem. The other part is that it’s actually quite
easy to convince most cell phone carriers to change the SIM card associated
with a given phone number. Once you’ve pulled that off hijacking the account
is easy.

------
onetimemanytime
Publicity and tens of millions in Bitcoin /Ethereum++ is a bad idea.
Especially since once it's gone it's gone. Hacking your account means FU money
and then some, with less chance of getting caught than other crimes. So they
have all the incentive in the world to take their sweet time...even if they
lost 50% laundering, it's still more than enough.

I'm all for AT&T to be held responsible if they broke security protocols. They
charge an arm and a leg.

~~~
tessi3r
Having any serious amount of money and being showy or grandiose about it is
asking for trouble...

Only rich morons actually need armed security as a result of their social
media habits emanating from a pathetically desperate ego.

------
bdcravens
If Bank A makes my PIN number automatically the last 4 of my SSN, and Company
B discloses that information, is Company B responsible for 9 times whatever
losses I incur if my ATM is stolen?

~~~
jklein11
Sure.. you can sue for whatever you want. There is no guarantee that you will
be awarded the damages though.

~~~
digitaLandscape
This kind-of comment would have been clever in elementary school.

Here, you're just being a dick.

~~~
jklein11
Sorry I really wasn't trying to be a dick here. The original post asked
whether one party could sue instead of being responsible. It is possible that
this is why my post seems childish.

The point I was trying to make was about conflating the damages being sought
in a lawsuit by one party and the actual damages owed by the other in a
lawsuit. I think it is pretty common practice for the plaintiff to pick a high
number out of somewhat thin air to prevent themselves from leaving money on
the table.

------
nkrisc
Are there any phone companies that have decent security practices? As far as I
can tell switching is pointless because they're all awful in this regard.

~~~
bubblethink
That's the wrong question to ask. There are no financial institutions that
have proper 2FA. I don't know of a single bank in the US that uses any
standard 2FA. They all use SMS. Recently, I found that you can make paypal
(US) use TOTP 2FA with a workaround. I recommend everyone to do that.

------
m-i-l
Sorry for his loss, and the mobile providers do need to do something about
this known attack vector. But with cryptocurrencies you need to "be your own
bank", and extending his own analogy how many legitimate or long lasting banks
would store USD24 million in cash in a hotel room safe?

~~~
kodablah
Following this analogy, would the bank sue the builder or vault manufacturer
if they gave someone a key to the vault without the bank's knowledge and it
was used to rob the vault? Or might the bank sue an armored carrier for
irresponsibly storing monies that were stolen in transit between banks?

Maybe you can be your own bank, but banks have to depend on external
factors/entities to do what they're supposed to do as well.

~~~
m-i-l
Seems reasonable, because bank vaults and armoured vehicles are designed
specifically for protecting high value items. Hotel room safes on the other
hand are not (in fact some even have a disclaimer advising you not to store
valuables in them).

------
Arubis
From TFA:

> Terpin was the victim of two hacks within seven months

If indeed these were separate occurrences of breaking in through the same
phone account—and the article is not definitive on this—then the punitive
damages seem quite appropriate. “Fool me twice, shame on me,” and all that.

------
metalliqaz
Given the revelation that phone number security just isn't that secure, I have
changed my online accounts that allow 2FA to use a crypto key. However, I have
found that most seem to only allow crypto keys in addition to a cell phone
number. You can't turn it off. Has anyone else noticed this? What is the point
of moving to something more secure if you can't get rid of the weak link?

~~~
jobigoud
Yeah it really makes you think of all the other methods you might not even
know about. My bank has a mobile app to connect that I'm not using because I
don't trust it, but what if it's indeed insecure and someone else exploits
it...

------
perl4ever
I notice AT&T is quoted as saying "we dispute these allegations and look
forward to presenting our case in court". It's interesting they didn't say
"these allegations are baseless and without merit". I wonder if that means
anything.

~~~
cjslep
A "baseless allegation" is one with no evidence or reason. This guy has a
reason and presumably evidence, so his allegations are not baseless.

A baseless allegation would be if I were suing AT&T for losing all my crypto
investments. I have none and am not an AT&T customer.

An "allegation without merit" means no rational interpretation of the law
would result in a guilty conviction of the allegations. Baseless ones are
almost always without merit.

~~~
perl4ever
You think that lawyers _say_ an allegation is "baseless" iff it _is_ baseless?
That's an interesting epistemic outlook.

~~~
cjslep
No, I'm providing definitions and using myself in an example. Please do not
put words in my mouth.

~~~
perl4ever
You provided unnecessary and unhelpful definitions, from my perspective.

I assume as axiomatic (and required by HN guidelines) that you _intended_ to
be helpful and relevant, so I asked a question to determine what you were
thinking.

If you do _not_ think lawyers use the "baseless" language in a totally
transparent, sincere way, then I would've expected you to be more interested
in when and how they do that, which is the discussion I was looking for, if
any.

~~~
cjslep
Wow, if that's how you really feel. Your eagerness to fall back to rules
lawyering to justify your behavior instead of reflecting where our
misunderstanding is and working to resolve it, is the kind of toxic online
behavior I will gladly get dinged for.

I will help you and go ahead and flag all of my posts in this thread so dang
and others can take moderative actions against me.

------
coding123
What kinda crappy ass crypto wallet would break if you had access to a cell
phone account.

------
hondadriver
How can he prove he did possess this amount of crypto currency and is not
making everything up? With a system without any regulation nor oversight where
you have to play your own bank, this is exactly what you’ve signed up for...

~~~
jobigoud
He still has the private keys that control addresses that can be shown from
the blockchain to have had the coins until the hack.

What is harder to prove is that he doesn't also control the new addresses
where the funds were transferred to.

------
lawlessone
I feel for him.

But couldn't they reasonably argue they are not a service for securing this
kind of thing?

If I leave $224m in my car and park it in a car park at my local shopping centre
are they liable for $224m?

I'm not saying they're not liable to some extent.

~~~
ProAm
It's more he parked it at the dealership, and the dealership made a stranger a
spare key to get into the car.

~~~
williamscales
Even more analogously in my opinion: someone walked into the dealer, said
"hey, transfer the keyless entry for my car to this fob right here" and they
did.

~~~
NegativeK
Or that someone put out plastic-shell bike lockers, someone had $224M stolen
from one, and now they're pissed.

I suspect that metaphors aren't going to really convey this well.

------
markovbot
I hope we see more of this. A _lot_ more. These fuckers need to hurt.

~~~
asdfman123
Who, phone companies or cryptocurrency investors?

~~~
markovbot
Well, first and foremost phone companies. But also anyone who trusts phone
companies to protect them

------
enahs-sf
I think about this a lot as the phone is a pretty obvious single point of
failure for 2FA and telcos are easily pwned through basic social engineering.
I struggle with removing it as an alternative though because losing your phone
or 2FA device leaves you in a pretty nasty spot. Tough choice.

------
aml183
This was a good article about how to prevent these types of attacks.
[https://medium.com/@masonic_tweets/minimum-viable-
security-3...](https://medium.com/@masonic_tweets/minimum-viable-
security-32e61d10aee4?ref=tokendaily)

------
tonyztan
Original court filing here:
[https://www.greenbergglusker.com/content/uploads/2018/08/Com...](https://www.greenbergglusker.com/content/uploads/2018/08/Complaint-
as-Filed-3063362-1.pdf)

------
stanleydrew
There's not a lot of detail in the article, but reading between the lines it
seems like an attacker went to an AT&T retail location and pretended to be the
plaintiff in order to re-assign the plaintiff's phone number to a new SIM
card.

------
nodesocket
Not getting my sympathy. Use a hardware wallet such as Trezor for God sake.

Also, in what world when he lost $24M can he sue for $224M? Entitled to a 10x
return because of his own negligence. Nope!

------
mastrsushi
>Loses $24M in anonymous currency that's unbound by state

>Sues telecommunications conglomerate for $224M over loss

Is this guy ill or what

------
bufferoverflow
Who the hell keeps $24M worth of crypto on a phone? I only trust open source
systems, do all large transactions on fresh Linux, disable JS if I have to use
the browser, never visit any unusual websites, nothing not related to the
process.

------
jmull
Phone numbers are specifically designed to serve as public identifiers.

I don't think you can expect a security mechanism that is supposed to work
counter to that to work very well.

~~~
closeparen
The validation mechanism is control over the phone number, not knowledge of
it.

Verification by knowledge of numbers intended to remain secret (social
security, credit card) is also never okay.

~~~
jmull
I'm going by the content of the story, which describes acquiring the phone
number as the key issue.

> After the first hack, Terpin alleged that an impostor was able to get his
> phone number from an "insider cooperating with the hacker" without an AT&T
> store employee requiring him to show valid identification or provide a
> required password. That phone number was later used to access Terpin's
> cryptocurrency accounts, according to the complaint.

~~~
closeparen
“Acquiring the phone number” means getting it mapped to the attacker’s
phone/SIM card. Overview of SMS hijacking (copy paste link, JWZ doesn't like
HN referrer headers): [https://www.jwz.org/blog/2018/07/two-factor-auth-and-
sms-hij...](https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-
hijacking/)

~~~
jmull
What you say must be the real story.

It's just that the article says, "was able to get his phone number".

Getting a phone number, to me, has always had a pretty universal meaning,
which is to simply learn its digits. But I suppose you must be right and they
actually mean a deeper compromise.

------
shashanoid
> Have your own guy impersonate you and get your $24 million stolen

> Sue At&T for $224 million

> ???

> Profit

~~~
NegativeK
> Go to jail for perjury.

> Lose all profit.

------
bdcravens
Two things that jump out:

1) $200M in punitive damages? The hack occurred in January, and the price has
gone down across all cryptocurrencies substantially since then.

2) Was the password hacked? Or did the exchange allow password resets via SMS?
(So negligence made 2fa really 1fa) In this situation it seems AT&T would be
at most 50% responsible.

~~~
wp381640
> AT&T would be at most 50% responsible

You could reduce that further by arguing AT&T aren't at fault because third
parties built authentication and identity protocols on top of what was never
guaranteed to be a secure or authenticated channel

~~~
s73v3r_
And then increase it again by arguing that AT&T should never have made it
possible for employees to do this.

~~~
evgen
And then diminish it to zero again because yes it should be possible for
employees to do that. The economic value for most people of being locked out
of your phone number and not being able to easily fix the problem or easily
upgrade a phone exceeds the cost imposed when some of those people are morons
and assume ability to receive an SMS message sent to a particular phone number
is any sort of security factor.

~~~
s73v3r_
"And then diminish it to zero again because yes it should be possible for
employees to do that."

Absolutely not. It never should be possible for a single employee to do that
with no checks at all.

------
Nasrudith
My first thought was "cryptocurrency is fundamentally not investment but
speculation; they don't create anything of value but squander vast amounts."
Second is that it is multileveled frustration that both phone systems are so
damn insecure like the completely insecure call identification - while
international efforts to track down telefraud rings are well and good a proper
system would prevent most of their tricks.

