Losing his phone at the Consumer Electronics Show in January wasn’t the worst thing to happen to Michael Terpin in Las Vegas. The theft of $23.8 million of his cryptocurrency holdings? That’s another story.
The theft only happened, Terpin contends, after hackers convinced an AT&T (T) support rep to transfer his phone number to them and then used it to unlock his online accounts.
Now Terpin, a tech publicist andcryptocurrency investor, is suing AT&T and 25 unidentifiedJohn Doe defendants for $223.8 million in damages to cover his losses and punish the telecom giant for its alleged negligence. “It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur,” hiscomplaint alleges.
“We dispute these allegations and look forward to presenting our case in court,” AT&T said in a statement.
A swindle via Skype
Terpin’s core argument is that after his account was first compromised in June 2017, AT&T pledged to safeguard it with an additional passcode that would be required to authorize any changes. Terpin, however, says the company didn’t enforce that requirement.
“If AT&T had stuck with their promise that nobody could get in without that six-digit thing, nobody would be talking about this now,” Terpin told Yahoo Finance in an interview following the court filing.
The first time, attackers hacked not just the AT&T line described in the lawsuit but also a T-Mobile (TMUS) line, according to Terpin. But they inflicted relatively little damage—“$60,000, only $2,000 was sort of direct thieving from me,” he said.
After “half a bitcoin in an old exchange,” the losses came when thieves hijacked his Skype account and impersonated him withfake stranded-traveler appeals that fooled a few acquaintances into sending Bitcoin, Terpin said.
“I went to both T-Mobile and AT&T and said, how do you protect me?” Terpin said. Both carriers promptly set up extra-security passcodes—called“extra security” at AT&T,“account verification” at T-Mobile.
T-Mobile sent a statement that read in part: “T-Mobile is always working to improve security so we can stay ahead of fraud schemes.”
Just take the money
The second attack targeted not people but funds: three tokens from startups that Terpin wouldn’t name at this time. The companies paid him for PR work in part with early access to tokens they later sold to investors ininitial coin offerings, asemi-regulated alternative to initial public offerings of stock.
ICOs can be exceedingly risky, but Terpin said these three coins were doing fantastic on Jan. 7, 2018, the date of the second attack.
Because these were newly created cryptocurrencies, Terpin kept them online in “native wallets” from each startup instead of parking themoffline or in ahardware wallet—the way he secures his holdings of bitcoin and ether, the cryptocurrencies with the largest market capitalization. That left the startups acting as custodians of these tokens.
Some of these wallets were “staking”: They generated additional new tokens by helping mathematically verify their cryptocurrency platforms, so they had to be left online full-time.
These native wallets were secured not with usernames and passwords butpublic and private key pairs. “As long as you have your private keys, nobody can hack it,” Terpin said.
His complaint says the unknown attackers got an AT&T store employee in Norwich, Conn., to move his phone number to theirSIM card, then used that to bypass the password on an account that hid these private keys. Terpin’s T-Mobile line stayed secure.
Terpin described this online account only vaguely beyond saying it was nota password manager.
“It involves them getting into third-party software that I didn’t realize they could get into,” he said. “That allowed them to get into a file that had a hidden component.”
Don’t phone in security
Terpin’s encounter with what’s calledSIM swapping was more costly than most: Once somebody takes cryptocurrency, it’s as gone as bills lifted from your wallet.
“There are too many ways to compromise the contents of SMS,” explained Chris Wysopal, chief technology officer of the CA Technologies (CA) security firmVeracode. “These are non-trivial attacks, but when the payoff is big enough they will be used.”
Harold Feld, a veteran telecom lawyer, suggested that AT&T’s alleged failure to keep Terpin’s account private gives him favorable odds—if he can overcome forced-arbitration clauses in AT&T’s user agreement.
“Under the Communications Act provisions 206 and 207, he can sue AT&T for any actual damages caused by their failure to do something they are required to do under the Communications Act,” explained Feld, who also serves as senior vice president with the digital-rights groupPublic Knowledge.
Terpin offered similar advice for anybody who’s merely well-known online.
“If you’re at all visible, do not use any of the four major telephone companies for any aspect of your digital life,” he said. If a site requires your digits—for instance, Instagram stillonly supports phone verification, unlike its parent Facebook (FB)’s stronger app authentication—he recommended using a burner phone or a Google Voice number, where there’s no customer-support line or stores for hackers to game.
His grumpy conclusion: “It’s a travesty that the multi-trillion-dollar global telco industry can’t figure out basic security.”
