AT&T stands accused of “studied indifference” regarding security and has been hit with a lawsuit asking for nearly $224 million in damages after Michael Terpin’s cryptocurrency holdings were wiped out by a suspected criminal gang.
Michael Terpin Files Lawsuit Against AT&T
Michael Terpin, an avid investor and entrepreneur, has filed a lawsuit against AT&T, claiming that gross negligence and possible collusion with parties responsible for theft and fraud have resulted in the theft of $24 million in cryptocurrency through his cellular device. The cryptocurrency was allegedly stolen through a fraudulent SIM card swap, coupled with an effective theft of Terpin’s digital identity.
Theft Enabled by SIM Card Swap and Cooperation by AT&T Agents
In Terpin’s case, the suspected thief carried out his attack by targeting an employee in a Connecticut AT&T retail store on January 7, 2018. A fake SIM card swap would have given access to Terpin’s cryptocurrency-related accounts through SMS-based two-factor authentication. The criminal ring could then transfer a total of three million crypto coins/tokens owned by Terpin to their own accounts or devices.
This scheme relies on bribing or conducting social engineering attacks on authorized agents of telecommunication companies like AT&T to allow the SIM card swap and port a phone number over to a new phone. Terpin alleges that AT&T knew about the problem, but did not do enough to shut down authorized agents who enabled the fraud. His attorney, Pierce O’Donnell, referred to a pattern of “studied indifference” on the part of telecommunication companies such as AT&T, which he also likened to a growing cancer.
The papers filed for the lawsuit list 16 charges that include alleged fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, and failure to supervise its employees and investigate their criminal background.
Terpin said of his decision to file a lawsuit, “Mainstream adoption of cryptocurrency cannot take place as long as phone company employees are handing over critical unauthorized access to the heart of everyone’s digital lives. AT&T has a well-established track record of violating user privacy and security, endangering billions of dollars in digital assets, and must be called to account.”
SIM Card Fraud Being Investigated
The FBI is currently investigating the same international criminal gang that is suspected of the theft of Michael Terpin’s cryptocurrency. So far, investigations into SIM card hijacking have led to the arrest of multiple members of a SIM card swap ring, whose members operated in Los Angeles on July 12, 2018. A Florida resident was also arrested on July 18 for his role in a similar scheme that stole at least $460,000 worth of Bitcoin.
Until ongoing cases involving SIM card hijacking can be resolved and phone service providers take security more seriously, law enforcement agencies recommend avoiding SMS-based two-factor authentication if at all possible. These criminals can normally find the identifying information needed to carry out these attacks online, through sources such as social media, and can then receive the PINs and passcodes needed to get into their victims’ accounts. This form of attack has also been used to drain victims’ bank accounts.
Michael Terpin is seeking nearly $224 million in damages through this lawsuit. Even though he is unlikely to get that much in damages, large lawsuits like these may be the only way to get the attention of large corporations like AT&T that may often refuse to take security seriously.