A cryptocurrency entrepreneur and investor is suing AT&T for permitting a $23.8 million theft in a “SIM SWap” scam conducted by an authorized agent.
Michael Terpin is suing the telecommunications company in a U.S. District Court in Los Angeles for $223.8 million on 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges, according to an Aug 15 press release.
The lawsuit stems from an incident on January 7, 2018, in which an AT&T agent allegedly committed identity theft to gain unauthorized access to Terpin's cellphone account and transferred more than 3 million cryptocurrency tokens from Terpin's cryptowallet to an international criminal gang being pursued by several federal and state law enforcement agencies.
Terpin claims AT&T promised him “unbreachable” security on its end through a unique, purportedly unchangeable password following a smaller SIM swap scam in which took place the prior year. The complaint also referenced the July 2018 arrest of multiple SIM swap gang members, including a valedictorian that allegedly made off with $2 million in cryptocurrencies.
Some security professionals feel Terpin's claims may be a bit of a reach.
“If carriers, ISPs, and MNOs had to bear full financial responsibility for every crime and act of fraud committed across their networks, they would all cease to exist,” John Gunn, chief marketing officer at OneSpan, said. “Viewing this under the doctrine of assumed risk, it would be very difficult for the plaintiff in this action to prove they were unaware of the inherent risks of mobile and online transactions.”
Paul Bischoff, privacy advocate at Comparitech, pointed out that SIM-jacking arose as a response to the growing adoption of two-step verification.
“Unfortunately, employees who work at stores run by mobile carriers like AT&T have free reign to "hijack" a SIM card and transfer the phone number to a different device,” Bischoff said. “This can be done unbeknownst to the user, so thieves will seek out store employees who can be bribed to assist with SIM jacking.”
Bischoff recommended using an app like Google Authenticator or Authy whenever possible, noting that unfortunately, most sites, services and apps don't support their services and instead rely on SMS-based verification. He also noted that with fully automated service like Google Voice, there is no one there who could spoof a user's information.