Losing his phone at the Consumer Electronics Show in January wasn’t the worst thing to happen to Michael Terpin in Las Vegas. The theft of $23.8 million of his cryptocurrency holdings? That’s another story.
The theft only happened, Terpin contends, after hackers convinced an AT&T (T) support rep to transfer his phone number to them and then used it to unlock his online accounts.
Now Terpin, a tech publicist and cryptocurrency investor, is suing AT&T and 25 unidentified John Doe defendants for $223.8 million in damages to cover his losses and punish the telecom giant for its alleged negligence. “It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur,” his complaint alleges.
“We dispute these allegations and look forward to presenting our case in court,” AT&T said in a statement.
A swindle via Skype
Terpin’s core argument is that after his account was first compromised in June 2017, AT&T pledged to safeguard it with an additional passcode that would be required to authorize any changes. Terpin, however, says the company didn’t enforce that requirement.
Terpin filed his complaint Aug. 15 via the Los Angeles firm Greenberg Glusker Fields Claman & Machtinger LLP in the United States District Court for the Central District of California.
“If AT&T had stuck with their promise that nobody could get in without that six-digit thing, nobody would be talking about this now,” Terpin told Yahoo Finance in an interview following the court filing.
The first time, attackers hacked not just the AT&T line described in the lawsuit but also a T-Mobile (TMUS) line, according to Terpin. But they inflicted relatively little damage—“$60,000, only $2,000 was sort of direct thieving from me,” he said.
After “half a bitcoin in an old exchange,” the losses came when thieves hijacked his Skype account and impersonated him with fake stranded-traveler appeals that fooled a few acquaintances into sending Bitcoin, Terpin said.
“I went to both T-Mobile and AT&T and said, how do you protect me?” Terpin said. Both carriers promptly set up extra-security passcodes—called “extra security” at AT&T, “account verification” at T-Mobile.
T-Mobile sent a statement that read in part: “T-Mobile is always working to improve security so we can stay ahead of fraud schemes.”
Just take the money
The second attack targeted not people but funds: three tokens from startups that Terpin wouldn’t name at this time. The companies paid him for PR work in part with early access to tokens they later sold to investors in initial coin offerings, a semi-regulated alternative to initial public offerings of stock.
ICOs can be exceedingly risky, but Terpin said these three coins were doing fantastic on Jan. 7, 2018, the date of the second attack.
Because these were newly created cryptocurrencies, Terpin kept them online in “native wallets” from each startup instead of parking them offline or in a hardware wallet—the way he secures his holdings of bitcoin and ether, the cryptocurrencies with the largest market capitalization. That left the startups acting as custodians of these tokens.
Some of these wallets were “staking”: They generated additional new tokens by helping mathematically verify their cryptocurrency platforms, so they had to be left online full-time.
These native wallets were secured not with usernames and passwords but public and private key pairs. “As long as you have your private keys, nobody can hack it,” Terpin said.
His complaint says the unknown attackers got an AT&T store employee in Norwich, Conn., to move his phone number to their SIM card, then used that to bypass the password on an account that hid these private keys. Terpin’s T-Mobile line stayed secure.
Terpin described this online account only vaguely beyond saying it was not a password manager.
“It involves them getting into third-party software that I didn’t realize they could get into,” he said. “That allowed them to get into a file that had a hidden component.”
Don’t phone in security
Terpin’s encounter with what’s called SIM swapping was more costly than most: Once somebody takes cryptocurrency, it’s as gone as bills lifted from your wallet.
But defeating phone-based two-step verification, in which you confirm a login with a temporary code texted to you, is common enough that crooks use it to nab catchy Instagram usernames.
“There are too many ways to compromise the contents of SMS,” explained Chris Wysopal, chief technology officer of the CA Technologies (CA) security firm Veracode. “These are non-trivial attacks, but when the payoff is big enough they will be used.”
Harold Feld, a veteran telecom lawyer, suggested that AT&T’s alleged failure to keep Terpin’s account private gives him favorable odds—if he can overcome forced-arbitration clauses in AT&T’s user agreement.
“Under the Communications Act provisions 206 and 207, he can sue AT&T for any actual damages caused by their failure to do something they are required to do under the Communications Act,” explained Feld, who also serves as senior vice president with the digital-rights group Public Knowledge.
Major cryptocurrency services already provide non-phone “2FA” through apps such as Google (GOOG, GOOGL) Authenticator. Coinbase, for instance, has offered app two-step verification since 2012 and lets customers use that exclusively, although it does not support verification via “U2F” USB keys that work even if you lose your phone.
Wysopal, who has harshly criticized the security of cryptocurrency services, strongly endorsed app verification for “anyone issuing cryptocurrency or performing cryptocurrency transactions.”
Terpin offered similar advice for anybody who’s merely well-known online.
“If you’re at all visible, do not use any of the four major telephone companies for any aspect of your digital life,” he said. If a site requires your digits—for instance, Instagram still only supports phone verification, unlike its parent Facebook (FB)’s stronger app authentication—he recommended using a burner phone or a Google Voice number, where there’s no customer-support line or stores for hackers to game.
His grumpy conclusion: “It’s a travesty that the multi-trillion-dollar global telco industry can’t figure out basic security.”
(Disclosure: I bought $5 in Bitcoin from an ATM at a press event Terpin sponsored in January of 2014; as I have since forgotten the password to the wallet app I set then, the value of that investment is effectively zero.)
More from Rob: