
Man sues AT&T over 'SIM Swap' hack allegedly involving employees - Crafty_Gurl
https://www.foxla.com/news/torrance-man-sues-att-over-1-8-million-sim-swap-hack-allegedly-involving-company-employees
======
asdfasgasdgasdg
This is exactly the kind of thing that needs to start happening to actually
motivate the companies to stop allowing this BS. Good luck!

Also, don't have your life savings in crypto, but if you must, then please for
the love of everything holy don't put it someplace where a SIM swap attack is
enough to get it out. Irreversible transactions are kind of the whole point of
it, so you need to be much more careful with crypto credentials than, say,
your bank password or credit card.

~~~
sliken
Indeed, listen to NIST: [Out of band verification] using SMS is deprecated,
and will no longer be allowed in future releases of this guidance.

~~~
cik
It's rather sad that Canadian banks still view SMS as the best way forward.
They'll text you, they'll email you, they'll validate over the phone... all of
which are really this same problem.

I'm waiting for the days our banks will accept multiple 2FA solutions.

~~~
smnrchrds
And when you (unavoidably) get hacked, they tell you it's your fault and that
it sucks to be you, because you are not getting that money back.

[https://www.cbc.ca/news/business/banks-deny-compensation-onl...](https://www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982)

~~~
cik
Tell me about it. The whole thing makes me cringe. Frequently I wonder if the
goal is just to have enough insurance, such that when people and their money
are separated, life is fine.

------
fortran77
He's got good evidence. The SIM-swappers have actually been convicted. AT&T
says it's "an industry" problem, but it's 100% their problem. They are doing
nothing to stop employees from robbing their customers.

Of course the victim could probably have protected his "life savings" better,
but that's not the point.

~~~
dehrmann
AT&T's going to say "you don't own that phone number--it's ours--and we never
said it was intended for verifying your identity. Take it up with whoever
stole your number and your--wait, someone stole your _cryptocurrency_? You
realize banks are insured against mistakes like this and bitcoin wallets
aren't, right?"

~~~
aeternum
Except AT&T themselves use the phone number as a form of identity verification
/ 2nd factor so that argument doesn't really hold up.

Also insurance doesn't always hold up in cases like this, especially if the
company was aware of the weakness and chose to do nothing about it.

~~~
theamk
Well, most companies, AT&T including, do not have truly irreversible actions.
If someone steals your account this way, with enough complaining you will
likely get it back, mostly, eventually. Same thing with traditional banking.

This breaks down for internet giants which provide free services which can
still be very valuable, like gmail, and that’s why they are moving away from
it.

------
camkego
The amazing thing is with Wells Fargo that if you have an RSA SecurID 2FA fob
for access to your bank accounts, and you have a phone number configured for
the account, you can use EITHER the 2FA RSA one-time PIN, OR SMS verification
to log into your bank account web page.

I mean this is a bank, are these guys for real?

~~~
dboreham
Yes, although there is actually a lower transaction limit on sessions
initiated with SMS 2FA vs SecurID.

~~~
dvdbloc
Which almost furthers the point that this is bad. Isn't this an
acknowledgement by them that SMS 2FA is less secure? If it's less secure and
you have SecurID, why can't I disable SMS?

~~~
d-sc
There is a support cost for disabling SMS. While you may be technically inclined
enough to be comfortable with disabling SMS, they have to balance the cost of hacking
vs. the support cost for all users.

------
sfteus
Had this happen to me last week. Thankfully they only tried to get into a few
e-mail accounts, which I was quick enough to get into, kill their session, and
recover them before any real damage was done. AT&T of course claimed it was
impossible for that to happen, despite a different phone showing up in my
account, a bunch of unexplained SMS messages I never received, and two calls
accessing my voicemail that I didn't make.

Currently working on finishing moving passwords from a Google account to my
password manager and resetting them all, as well as replacing anything that
uses an SMS 2FA with a time based authenticator or other alternative where
possible. Planning on getting a FIDO key to use where I can. Also setting up a
Voice number on an account that's used for nothing else besides 2FA in the
instances where there is no better form of authentication.

~~~
lotsofpulp
Did you have a PIN set up with AT&T? I am trying to figure out which of their
employees can modify the account without the PIN.

~~~
thatguy0900
As of a year or two ago when I worked at an authorized AT&T dealer, manager
logins can access any account without a PIN and any employee can access
prepaid accounts without a PIN.

Edit: for whatever it's worth, AT&T does keep a record of what employees accessed
an account and when, and notes when managers bypass the PIN, so doing this as
an employee seems really stupid to me.

~~~
sfteus
Interesting, I figured since they claimed that wasn't possible that they
didn't keep records. I'll have to go bug them again to see if they can
investigate it further. I'm not sure if this was an instance of targeted
social engineering or an employee, though I would assume the former is more
likely.

~~~
thatguy0900
I'm not sure what customer service policy is about telling customers, but in
store at least we definitely had a notes section on every account with
breakdowns of what internal usernames accessed the account and when. The
fraud dept, I assume, would be the ones to look up who the employees were from
the usernames, but we didn't handle that kind of stuff at the authorized
retailer stores, so no advice to give you unfortunately :/

------
techsupporter
I wish him the best of luck but considering AT&T was a party in the big
Supreme Court decision setting the precedent, I predict this falls down the
dark hole of mandatory, binding arbitration about twelve minutes after the
first hearing on a motion to dismiss and compel arbitration.

We’ve collectively given up our rights to sue in many instances (including
when signing up for HN-backed services run by people who should know better).

~~~
ikeboy
So it gets moved to arbitration. If anything, it will move quicker and cost
him less than a court case would.

~~~
sneeze-slayer
Binding arbitration is almost unilaterally bad for consumers.

See:
[https://www.nytimes.com/2015/11/01/business/dealbook/arbitra...](https://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html)

~~~
ikeboy
Unilaterally is not an accurate description. Your link has exactly one
relevant sentence:

>Roughly two-thirds of consumers contesting credit card fraud, fees or costly
loans received no monetary awards in arbitration, according to The Times’s
data.

Note that

1. This excludes non-monetary awards

2. The categories are cherry-picked and they give us no data on arbitrations
overall

And even under those conditions they show a third of consumers win something,
which is hardly a unilateral loss. And of course it's impossible to know how
many of those cases were frivolous, and they didn't bother to compare to small
claims court and see how consumers fare there.

Anyway it's not relevant to this case, because he's not suing for one of those
categories, plus he presumably has a lawyer (lots of arbitrations are done
without lawyers and I'd bet that they have lower success rates).

------
sdan
This is exactly why I’m only faithful to FIDO U2F keys. Got a couple and
ensure they’re safe. No one’s hacking my accounts unless they crack both my
passwords and rob me physically... which at this point doesn’t seem like it’s
going to happen.

~~~
rb808
What happens if the keys get lost or destroyed? It seems like a never ending
problem.

~~~
munchbunny
Keep two or three, put one in a bank or a safe at home. That should be enough
redundancy for most people. As long as you can still get in to revoke/enroll
stuff you should be okay.

It’s not so much a problem as it is a balance of security, redundancy, and
effort. You decide where you want to be on that balance of considerations.

~~~
bsder
> Keep two or three, put one in a bank or a safe at home. That should be
> enough redundancy for most people.

Yeah, good luck.

I don't know of _any_ system that lets me enroll 3 security keys for an
account.

~~~
henkslaaf
Doesn't Google let you set an arbitrary amount?

~~~
munchbunny
Yes, as do GitHub and Facebook. I forget whether AWS does.

------
sdan
If you're into crypto, remember:

Not your keys, not your coins.

------
geofft
> _When FOX 11 reached out to AT &T for comment on the SIM swap lawsuits
> against them, the company responded “This is an industry problem,” and
> referred us to the CTIA for more information._

And AT&T is the industry leader.

~~~
snappieT
I don't even see how it's an industry problem - AT&T didn't do thorough
verification before swapping the SIM, there's nothing broader about it.

------
chii
This is why SMS verification is insecure.

------
dev_dull
I’ve mostly disabled 2FA via phone where alternatives exist. Unfortunately
some services (such as Twitter) require you to verify a number (you can sign
up, but you’ll quickly be account-locked without providing a number).

I’m still wondering why I can’t use Touch ID to do U2F...

~~~
MaxGabriel
Touch ID support for WebAuthn is live in the latest Chrome!

------
megous
Phone number is not something you own, it's just a record on someone else's
computer system. It's really weird that it passes as "something you own" part
of multi-factor auth for so many serious companies.

------
gertrunde
I love the response: "This is an industry problem."

Translation: "All telcos are equally bad at this, so who are you going to
switch to? So why should we bother fixing it? What's in it for us?"

------
arminiusreturns
To me this is more about the lack of internal controls and auditing of those
controls at ATT. I know someone who is a supervisor fairly high up with them
and I suspect has abused that power to spy on an ex, but she assures me "he
can't because of the internal flags"... I figure there are a multitude of ways
around that. Events like this don't give me confidence that I am wrong.

------
darkhorn
How do you know if someone has obtained a SIM card with your identity? Do you
have a web site for this, like [https://www.turkiye.gov.tr/mobil-hat-sorgulama](https://www.turkiye.gov.tr/mobil-hat-sorgulama) ?

~~~
wmf
Usually your phone stops working because your old SIM card gets disabled.

~~~
rwmurrayVT
You can also add an authorized user or open up an entirely new line. You won't
notice until you receive your bill.

~~~
wmf
Wouldn't a new line have a different phone number which wouldn't allow these
hacks?

~~~
rwmurrayVT
Yes. It won't allow the number takeover, but you will end up with 1+ new
iPhones in hand for the attacker. You can swap the number at any point
afterward easier than just setting up a new phone at the store with a
suspecting employee.

------
exabrial
This is why SMS as 2FA is terrible: cell phone companies are not hardened.

------
ghostpepper
I am not condoning or justifying criminal behaviour but I have to wonder why
on earth he would have his life savings in cryptocurrency, protected only by
SMS 2FA, if he knew someone else this had happened to?

~~~
sdan
He clearly isn’t educated enough (not to be mean).

Especially if you’re going around with that much crypto always always
remember:

Not your keys, not your coins.

Always store cold storage and set aside some for trading if you want. And if
you’re trading, always use FIDO U2F physical keys.

------
usaphp
> and within minutes, the hackers had stolen $1.8 million in cryptocurrency
> from him

> It essentially destroyed our financial future, our entire life savings was
> stolen

Who keeps their entire life savings in crypto?

~~~
judge2020
With that much money not using a hardware wallet is short-sighted.

~~~
tyingq
Even that leaves it in a crazy volatile currency. Adrenaline junkie I guess,
assuming it really was their life savings.

~~~
sdan
I guess you can call most cryptocurrencies volatile but some like BTC and ETH
have so much marketcap that it's getting a bit better. Some people truly
believe in crypto (and even institutions are... they store in Bakkt) and I
guess you have to respect that (pretty sure they understand the risk as well).

~~~
wmf
Yes, BTC is "only" down 23% in the last month.

~~~
sdan
I don't want to argue, but it's up 15% since last year (if you bought/sold
right you could've also made 400% since last year). I don't personally have
anything in crypto, but am watching enthusiastically from the sidelines (and
given it's down 23% in the last month is one reason why).

At the end of the day you have to look at it from a bigger picture. Since the
next halving is happening in a year, prices will most likely go up
(speculation).

------
pjy04
Wasn’t there a pin on his account?

~~~
zaguios
Employees are able to override the pin entering requirement. There is
absolutely nothing you can do to stop this from happening if you happen to get
targeted. (Speaking from experience)

~~~
caleb-allen
It is a liability to trust another party with keys to cryptocurrency with such
high value.

To step out of the regulated financial system is to open oneself up to these
liabilities with little recourse.

That is not to say that telecom companies should not fix this. They absolutely
should.

------
runn1ng
The lesson here is not to sue AT&T. The lesson here is to stop investing in
cryptocurrency.

~~~
colejohnson66
So it’s all the guy’s fault for the problem and AT&T has no fault? Could it be
they both made a mistake?