Man sues AT&T over 'SIM Swap' hack allegedly involving employees (foxla.com)
242 points by Crafty_Gurl on Oct 24, 2019 | hide | past | favorite | 119 comments

This is exactly the kind of thing that needs to start happening to actually motivate the companies to stop allowing this BS. Good luck!

Also, don't have your life savings in crypto, but if you must, then please for the love of everything holy don't put it someplace where a SIM swap attack is enough to get it out. Irreversible transactions are kind of the whole point of it, so you need to be much more careful with crypto credentials than, say, your bank password or credit card.

Indeed, listen to NIST: [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

Sad that one of my current banks (Chase) won't add TOTP to their login.

Edit: https://twitter.com/skunkworker/status/1131297869703438337

@ChaseSupport Hey Chase, when will offline TOTP be added for a more secure login?

Thank you for reaching out! What we have is the multi-factor authentication on all online accounts. You can visit https://tinyurl.com/y7r2fztd for more info on how we protect and secure your information. ^AA

I'm still looking at how to best communicate with my bank too, to get actual answers. :D Not this cookie cutter kind of support.

No matter how precisely I describe the problem, I get copy paste or poorly thought out response. That's why I like smaller businesses, where there's still a connection between doers and support people, or where the doers are the support people.

I've been suffering from the same frustration, and have been thinking about switching to a smaller bank. There are apparently more than 7,000 FDIC insured institutions out there.

It's rather sad that Canadian banks still view SMS as the best way forward. They'll text you, they'll email you, they'll validate over the phone... all of which are really this same problem.

I'm waiting for the days our banks will accept multiple 2FA solutions.

And when you (unavoidably) get hacked, they tell you it's your fault and that it sucks to be you, because you are not getting that money back.


Tell me about it. The whole thing makes me cringe. Frequently I wonder if the goal is just to have enough insurance, such that when people and their money are separated, life is fine.

That's really surprising. In the US, the banks are responsible for fraudulent transactions.

This is insane. How are banks not liable for fraud in Canada? The incentives couldn't be worse.

The banks already know what happens when you issue every customer a 2FA token, because they issue you a bank card. You have to verify the customer is who they say they are before giving them the token, and have processes for dealing with a lost or stolen token.

No matter how careful you are, the services (bank, SNS and everything) you're using aren't. If you hand them a phone number and they think a phone number alone can identify you, you're done for.

The only solution is not using the phone. The phone reached its limit. It's not a trustworthy communication method.

> Irreversible transactions are kind of the whole point of it

Just as a sidenote, the problem isn't that the transactions are irreversible, they're also irreversible for banks. You never reverse the actual transaction, you just create another transaction in the opposite direction. Sometimes banks accidentally sent money to the wrong (foreign) bank and kissed them goodbye. The other bank had no obligation to send it back and if the 2 don't have a relationship and don't plan on having one it's free money for the recipient.

The difference with crypto is that you're basically dealing with "untrustworthy" parties since there's no central trustworthy authority over the whole network. The advantage is that nobody can control the network. The disadvantage is that you have no leverage over the receiving party.

It's like a private individual ad-hoc lending money to a friend vs. lending money to a total stranger. There's probably no legal obligation to return it but friends most likely will.

From the perspective of the bank customer, in the US, bank transactions are reversible, by fiat. It does not matter to the customer whether the bank is out money or not. All that matters is that you are made whole in the case of a fraudulent transaction.

And they'll just hide their binding arbitration clauses.

> Also, don't have your life savings in crypto

Exactly. Cryptocurrencies, in my view, are meant to be an intermediary currency. Keeping a lot of it is just too risky.

Tech nerds seem to like cryptocurrencies because it's a cool and fancy gadget, but the reality is that normal banks are more secure. If your money gets stolen, banks can trace it, cancel transactions, and there are insurances in place to recover your money. Governments are involved in bank security.

Currencies are not trivial things. Only libertarians and anti-government, anti-Federal-Reserve people will actually prefer cryptocurrencies, at their own risk.

I get that the AT&T employee is guilty, but the victim was asking for it.

He's got good evidence. The SIM-swappers have actually been convicted. ATT says it's "an industry" problem, but it's 100% their problem. They are doing nothing to stop employees from robbing their customers.

Of course the victim could probably have protected his "life savings" better, but that's not the point.

AT&T's going to say "you don't own that phone number--it's ours--and we never said it was intended for verifying your identity. Take it up with whoever stole your number and your--wait, someone stole your cryptocurrency? You realize banks are insured against mistakes like this and bitcoin wallets aren't, right?"

Losing your life’s savings in an irrevocable way is a feature of crypto currency. Not a bug!

Except AT&T themselves use the phone number as a form of identity verification / 2nd factor so that argument doesn't really hold up.

Also insurance doesn't always hold up in cases like this, especially if the company was aware of the weakness and chose to do nothing about it.

Well, most companies, AT&T including, do not have truly irreversible actions. If someone steals your account this way, with enough complaining you will likely get it back, mostly, eventually. Same thing with traditional banking.

This breaks down for internet giants which provide free services which can still be very valuable, like gmail, and that’s why they are moving away from it.

Their employees and their systems.

Ideally it wouldn't be possible for a single employee to do this.

The amazing thing is with Wells Fargo that if you have an RSA SecurID 2FA fob for access to your bank accounts, and you have a phone number configured for the account, you can use EITHER the 2FA RSA one-time PIN, OR SMS verification to log into your bank account web page.

I mean this is a bank, are these guys for real?

Yes, although there is actually a lower transaction limit on sessions initiated with SMS 2FA vs SecurID.

Which almost furthers the point that this is bad, isn’t this an acknowledgement by them that SMS 2FA is less secure? If it’s less secure and you have SecurID, why can’t I disable SMS?

There is support cost for disabling sms. While you may be technically inclined to be comfortable with disabling sms, they have to balance the cost of hacking vs support cost for all users.

That's really bad. Chase doesn't even offer the option of non-phone 2FA.

Had this happen to me last week. Thankfully they only tried to get into a few e-mail accounts, which I was quick enough to get into, kill their session, and recover them before any real damage was done. AT&T of course claimed it was impossible for that to happen, despite a different phone showing up in my account, a bunch of unexplained SMS messages I never received, and two calls accessing my voicemail that I didn't make.

Currently working on finishing moving passwords from a Google account to my password manager and resetting them all, as well as replacing anything that uses an SMS 2FA with a time based authenticator or other alternative where possible. Planning on getting a FIDO key to use where I can. Also setting up a Voice number on an account that's used for nothing else besides 2FA in the instances where there is no better form of authentication.

One thing I've noticed lately is that Google Voice numbers are working with fewer and fewer companies. For example, I don't think that they work with Wells Fargo or Chase. Wells Fargo said flat out that the phone number can't be validated.

That's interesting, I appreciate the heads up. I'll have to see if I can find some other workaround whenever that pops up.

I've been using Voip.ms to pretty reasonable success. They support most SMS short codes, and everything else I've needed it for has worked as a voice call.

Did you have a PIN setup with ATT? I am trying to figure out which of their employees can modify the account without the PIN.

There are thousands of AT&T and Verizon accounts for sale online with PIN, SSN, DoB, email address, email password, etc. Some of them are paired with known bank account login information, credit report, etc. They're less than 300 USD.. Once you have the phone and information you can either use fake ID + SSN + phone to use established credit line at a retailer or if you have banking information perform a wire transfer. It's rampant.

As of a year or two ago when I worked at an authorized AT&T dealer, manager logins can access any account without a PIN and any employee can access prepaid accounts without a PIN.

Edit: for whatever it's worth, AT&T does keep a record of what employees accessed an account and when, and notes when managers bypass the PIN, so doing this as an employee seems really stupid to me.

Interesting, I figured since they claimed that wasn't possible that they didn't keep records. I'll have to go bug them again to see if they can investigate it further. I'm not sure if this was an instance of targeted social engineering or an employee, though I would assume the former is more likely.

I'm not sure what customer service policy is about telling customers, but in store at least we definitely had a notes section on every account with breakdowns of what internal usernames accessed the account and when. The fraud dept, I assume, would be the ones to look at who the employees were from the usernames, but we didn't handle that kind of stuff at the authorized retailer stores, so no advice to give you unfortunately :/

Yes, we have a PIN on the account. They did ask for it in store when I went to get a new SIM card.

Are things like this usually targeted, i.e. the hackers know enough about you to know who you are and you probably know their names or at least know someone they know? How do hackers even pick their targets?

How did they know your email password and phone number at the same time?

The main e-mail they targeted was included in several breaches, specifically of note the CafePress and Yahoo breaches, but various others as well. I would wager they just compiled data from each until they found something that worked.

A scary amount of services will let you reset a password over SMS.

Even more scary with the Yahoo account in particular, I have it set up as an app-based authentication, so I get a popup on my phone if someone tries to log in. However, when they (I assume) clicked the "I don't have access to this, send an SMS instead" message, that notification immediately disappeared, so I didn't even have time to hit the "don't allow" button before it was no longer an option.

Google at least seems to have this right, in that when they attempted to do the same with those, the notification was still there. I also received a separate "request to reset account password" which stated it would take like 15 days to occur, and I was given the option to cancel it.

Regardless, I think I'm going to try to go hardware key with a TOTP app backup for 2FA going forward, wherever possible.

I wish him the best of luck but considering AT&T was a party in the big Supreme Court decision setting the precedent, I predict this falls down the dark hole of mandatory, binding arbitration about twelve minutes after the first hearing on a motion to dismiss and compel arbitration.

We’ve collectively given up our rights to sue in many instances (including when signing up for HN-backed services run by people who should know better).

> (including when signing up for HN-backed services run by people who know they can get away with it)

I don't think so. This guy is the second (or third or whatever) person to sue AT&T over a SIM swap. The first case is already moving to trial: https://www.coindesk.com/att-fails-to-win-dismissal-in-24-mi....

So it gets moved to arbitration. If anything, it will move quicker and cost him less than a court case would.

Binding arbitration is almost unilaterally bad for consumers.

See: https://www.nytimes.com/2015/11/01/business/dealbook/arbitra...

Unilaterally is not an accurate description. Your link has exactly one relevant sentence:

>Roughly two-thirds of consumers contesting credit card fraud, fees or costly loans received no monetary awards in arbitration, according to The Times’s data.

Note that

1. This excludes non monetary awards

2. The categories are cherry picked and they give us no data on arbitrations overall

And even under those conditions they show a third of consumers win something, which is hardly a unilateral loss. And of course it's impossible to know how many of those cases were frivolous, and they didn't bother to compare to small claims court and see how consumers fare there.

Anyway it's not relevant to this case, because he's not suing for one of those categories, plus he presumably has a lawyer (lots of arbitrations are done without lawyers and I'd bet that they have lower success rates).


For 2015, it shows the majority of cases settle, about 3k out of 5k. Out of the remaining, more than half get some kind of award. But reporting this data goes against the NYTimes narrative so they cherry picked.

.. but is guaranteed to rule in favor of the bigger party.

https://levelplayingfield.io/ For 2015, it shows the majority of cases settle, about 3k out of 5k. Out of the remaining, more than half get some kind of award.

Are those stats across all arbitration, voluntary and compulsory, or just for contractually mandated arbitration?

I'd imagine there's virtually no cases of consumers and businesses voluntarily using arbitration when there was no contractual agreement. Both sides need to agree to use arbitration.

I can dig through the data in a bit: they have the info under "source of authority", which will say whether it was in the contract or agreed upon later.

Looking at att in particular, they settle most of their cases. https://levelplayingfield.io/party/non-consumer-att

Why do you think so? Not what the data shows.

If by “him” you mean AT&T, definitely.

Arbitration is cheaper for both parties than court, in general.

This is exactly why I’m only faithful to FIDO U2F keys. Got a couple and ensure they’re safe. No one’s hacking my accounts unless they crack both my passwords and rob me physically... which at this point doesn’t seem like it’s going to happen.

“Hello thanks for calling. I understand you want to reset your password. To verify it’s really you may I have your cryptographically impregnable super token? Oh it’s lost, I see, how about can you verify your billing zip? Splendid you’re all reset.”

Suppose we take Coinbase (I don't use it, but I've heard SIM swapping is done regularly with Coinbase):

Suppose you lose all your physical keys: I don't think you can social engineer hack Coinbase (pretty sure most companies won't allow people to just give away your password/send a reset email to some other email).

Or suppose you get them to send me an email to reset my password. But my email also has FIDO u2f! And I know as a fact you can't social hack my email provider.

Try it. Most companies don’t mind.

The Google Authenticator app on iOS doesn't back up its keys, so it's pretty common for people to lose access to that kind of key.

I don't think you completely understand the concept behind the Google Authenticator App, i.e. the standard it implements.

Which keys is it supposed to backup?

Everything else you said is sadly true.

You would expect that if you restore the full backup of your iOS device to a new one, because you lost it for instance, that on the new device you could open the Authenticator app and see the same keys as you had on your old device. That is not the case though.

Under the hood Google Authenticator uses keys to generate the codes you see on screen and these keys are not backed up.

It’s a difficult decision of course. If you back them up in iCloud, Apple and people who hack your Apple account have access. If you don’t, the keys are lost if the device breaks or is lost and you need a workaround.

I think they do backup if you do an offline (e.g. iTunes) full backup and restore on the same device, which of course is never what people do.

No, I know because that’s what I do and I had this fail on me when I migrated to a new phone. I switched to a different app that does backup keys when you use an encrypted iTunes backup.

Edit: oh you wanted to restore on the same device. Well that might work but it doesn’t help when migrating or if your phone is not available.

That's why I use Authy (able to have backup keys).

I think he's saying that the private keys to his crypto never leave physical hardware. There is no phone number to call if he loses them, but on the other hand what you are describing is impossible.

The joke is a thief will get ahold of a live person and still be easily able to social engineer account access, despite best efforts to lock it down with technology.

That’s not how private keys work...

But it is how authentication works in the real world.

What happens if the keys get lost or destroyed? It seems like a never ending problem.

Keep two or three, put one in a bank or a safe at home. That should be enough redundancy for most people. As long as you can still get in to revoke/enroll stuff you should be okay.

It’s not so much a problem as it is a balance of security, redundancy, and effort. You decide where you want to be on that balance of considerations.

> Keep two or three, put one in a bank or a safe at home. That should be enough redundancy for most people.

Yeah, good luck.

I don't know of any system that lets me enroll 3 security keys for an account.

Doesn't Google let you set an arbitrary amount?

Yes, as does Github and Facebook. I forget whether AWS does.

Get 2 keys, keep one in a safe place. Add both to your important accounts.

Then also setup TOTP, so if you lose both keys and have a working cell phone with the app installed you can still login.

That's if important accounts allow you to do that. For example, AWS only allows one MFA key.

I have one at work/keep on my computer and one at home.

Some websites allow TOTP which is still safer than SMS, but if I lose one, I'll get another one while I use the 2nd.

> I have one at work

This seems really easy to steal.

> one at home

Most people I know have been burgled too.

If you're into crypto, remember:

Not your keys, not your coins.

> When FOX 11 reached out to AT&T for comment on the SIM swap lawsuits against them, the company responded “This is an industry problem,” and referred us to the CTIA for more information.

And AT&T is the industry leader.

I don't even see how it's an industry problem - AT&T didn't do thorough verification before swapping the SIM, there's nothing broader about it.

This is why SMS verification is insecure.

I’ve mostly disabled 2FA via phone where alternatives exist. Unfortunately some services (such as Twitter) require you to verify a number (you can sign up, but you’ll quickly be account-locked without providing a number).

I’m still wondering why I can’t use Touch ID to do U2F...

Touch ID support for WebAuthn is live in the latest Chrome!

A phone number is not something you own, it's just a record on someone else's computer system. It's really weird that it passes as the "something you own" part of multi-factor auth for so many serious companies.

I love the response: "This is an industry problem."

Translation: "All telcos are equally bad at this, so who are you going to switch to? So why should we bother fixing it? What's in it for us?"

To me this is more about the lack of internal controls and auditing of those controls at ATT. I know someone who is a supervisor fairly high up with them and I suspect has abused that power to spy on an ex, but she assures me "he can't because of the internal flags"... I figure there are a multitude of ways around that. Events like this don't give me confidence that I am wrong.

How do you know if someone has obtained a SIM card with your identity? Do you have a web site for this, like https://www.turkiye.gov.tr/mobil-hat-sorgulama ?

Usually your phone stops working because your old SIM card gets disabled.

You can also add an authorized user or open up an entirely new line. You won't notice until you receive your bill.

Wouldn't a new line have a different phone number which wouldn't allow these hacks?

Yes. It won't allow the number take over, but you will end up with 1+ new iPhones in hand for the attacker. You can swap the number at any point afterward easier than just setting up a new phone at the store with a suspecting employee.

What if they obtain a SIM card from another mobile provider with a different phone number?

This is why sms as 2FA is terrible: cell phone companies are not hardened.

I am not condoning or justifying criminal behaviour but I have to wonder why on earth he would have his life savings in cryptocurrency, protected only by SMS 2FA, if he knew someone else this had happened to?

He clearly isn’t educated enough (not to be mean).

Especially if you’re going around with that much crypto always always remember:

Not your keys, not your coins.

Always store cold storage and set aside some for trading if you want. And if you’re trading, always use FIDO U2F physical keys.

> and within minutes, the hackers had stolen $1.8 million in cryptocurrency from him

> It essentially destroyed our financial future, our entire life savings was stolen

Who keeps their entire life savings in crypto?

With that much money not using a hardware wallet is short-sighted.

Even that leaves it in a crazy volatile currency. Adrenaline junkie I guess, assuming it really was their life savings.

I guess you can call most cryptocurrencies volatile, but some like BTC and ETH have so much market cap that it's getting a bit better. Some people truly believe in crypto (and even institutions are... they store in Bakkt) and I guess you have to respect that (pretty sure they understand the risk as well).

Yes, BTC is "only" down 23% in the last month.

I don't want to argue, but it's up 15% since last year (if you bought/sold right you could've also made 400% since last year). I don't personally have anything in crypto, but am watching enthusiastically from the sidelines (and given it's down 23% in the last month is one reason why).

At the end of the day you have to look at it from a bigger picture. Since the next halving is happening in a year, prices will most likely go up (speculation).

Not faulting them for having significant sums there. But "life savings"? Ouch.

When they say 'life savings' (conjuring the image of money saved slowly, over a lifetime), what they really mean is 'gambling profits'.

Wasn’t there a pin on his account?

Employees are able to override the pin entering requirement. There is absolutely nothing you can do to stop this from happening if you happen to get targeted. (Speaking from experience)

It is a liability to trust another party with keys to cryptocurrency with such high value.

To step out of the regulated financial system is to open oneself up to these liabilities with little recourse.

That is not to say that telecom companies should not fix this. They absolutely should.

AT&T employees on the inside were in on the scam. There's more details in this other article:


It’s better than nothing that AT&T finally allows pins at all, but one thing that’s insane about it is every time you log in on the web there’s a checkbox to never ask for your pin again. It’s exactly where you’d expect a checkbox for something like “remember me”, except it opens up a huge security hole in your account if you accidentally check it.

Pins obviously have other issues that make no sense, like the incredibly low complexity allowed that would never be acceptable for a password. But even aside from that I guess AT&T also want everyone to turn their pin off? I hope they do lose a lawsuit and actually have to start giving a shit about pin swapping and make things more secure by default.

Pretty sure that's only for the current device, not for the account.

When I upgraded my phone, I had to get a new (micro?) SIM and they didn't even ask for my ID or the old SIM.

Exactly. I have a pin on my account after identity thieves opened a bunch of AT&T and Verizon accounts under my name (thanks Equifax!). Since this happened I’ve been in the AT&T stores when I bought an unlocked phone on two occasions. The employees at the store weren’t able to do a thing until I spoke with a special call center on the phone and did verifications.

One time there was something wrong on their end and no one could do anything until the system to verify my pin was back up.

Would that have helped if there was an insider (AT&T supervisor) authorizing the transfer?

i.e. can a supervisor override lack of a PIN?

Pin is last 4 of social which isn’t hard to get.

No it is not. My pin is not my or my wife’s social. I was able to choose whatever I wanted.

The lesson here is not to sue AT&T. The lesson here is to stop investing in cryptocurrency.

So it’s all the guy’s fault for the problem and AT&T has no fault? Could it be they both made a mistake?
