I hope he wins ...
but I doubt it, AT&T have far more lawyers and their terms have pages of small print to cover their corporate asses.
A California judge has given the go-ahead for a $240m lawsuit against AT&T for porting a subscriber's phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency. Michael Terpin sued the mobile operator back in August 2018, revising his legal challenge a year later to make more specific allegations. This …
Something tells me, if he is the kind of person that has (had) BTC 24m, that he probably has a lawyer or two at his disposal as well.
That's not to say that The Big Guys won't win in the end, just that it might be a slightly more 'balanced' fight than it would be if it were you or I.
A lot of people who have millions worth of virtual currencies are those who got lucky after buying a bunch of the stuff in the early days for the purpose of buying drugs, illegal pornography etc. on the internet. There are also the enthusiasts who were lucky enough to mine a bunch in the early days.
There are also those ideologues who, in spite of stories just like this one, still think the idea of "being your own bank" isn't the stupidest thing ever, and then those who think it's a hedge about the complete economic and societal collapse that's coming Real Soon Now™ (after which obviously everyone will want to buy their coins, for some reason?) There's a lot of overlap between these latter two.
Not the kind of groups who usually have lawyers on call or retainer, I'd have thought. This guy might be different but that might also have been his entire savings.
I do not hope he wins. A telephone company's protections against unauthorized phone number hijacking should be sufficient for ordinary risks, not the pressure of a $24M payoff. If the phone company's protections must be proof against $24M, or $100M, or (what limit?) attack motivations, then the increased costs (both monetary and otherwise) will be borne by everyone all the time.
If the number had just been hijacked for ordinary reasons (someone wanted that number, someone wanted to hassle the owner) then when the hijack was discovered AT&T would have been able to restore the number to its rightful owner. The only loss would have been some inconvenience to the owner, perhaps some social relationship repair.
According to the story, AT&T didn't just fold and give away the number at the drop of a hat, but failed under sustained pressure by the baddies against the system. It wasn't just AT&T's failure that led to the loss of the $24M, it was a series of protections that failed. Ultimately much of this series of protections was the responsibility of the individual who lost the $24M to ensure that these protections were sufficient to the threat. I don't think it was reasonable for him to expect the AT&T protection against number hijacking to be designed to handle the pressure of a $24M threat.
You talk as if stealing someone's phone number is just a bit of a jape.
Untold damage could be done in a multitude of ways, not just the route described in the article.
This is because having unique access to your own phone number is more and more relied upon as an authentication method, as other commenters, and the article, have noted.
In addition to which, this had happened to the guy before; he and AT&T agreed on extra security policies that they totally failed to follow!
The pages of small print may be true, but there is a good chance he will have the better lawyers. In this type of civil case, you are looking at a contingency fee of 25% to 33% of the final award, whereas AT&T lawyers are going to be getting an hourly fee. There is a reason that some plaintiff class action lawyers are billionaires - and this case is getting into the same dollar ranges. And the best lawyers are going to go where the most money is.
The use of phones to ‘secure’ important, personal information has become widespread without any concern for the fact that phone companies do not have strict and consistent rules about such things as SIM swapping - particularly as this practice is considered a handy feature by many who would, no doubt, baulk at any reduction in this convenience.
I have heard the "large orgs do technical security so much better than we ever could" mantra so many times but there never seems to be any consideration of the increased social engineering surface that a large organisation must have to manage huge numbers of anonymous clients. Also, as in this case it seems, a large organisation is much less well equipped to deal with rogue employees who are, again because of org size, pretty anonymous AND able to subvert any security protocols put in place.
Maybe the new mantra should always be that "convenience and security are opposite ends of a scale, as one increases the other must decrease". You must prioritise what is most important. Anyone who claims different is ignorant or selling snake oil.
My last employer moved to using cloud storage for the thin clients used throughout the business. A manager for my (non technical) division who was informing us of this change at a meeting to explain what was happening said it would make us more secure. 'The cloud' is run by a large business and so more secure. Afterwards I spoke to her and said I was interested in knowing what made this more secure. I asked her how it was more secure than our own servers which we had in our own buildings. If there's an attack we could physically take them offline by pulling cables etc.
The poor woman clearly had no idea as she just said the cloud's obviously more secure, isn't it, before admitting that she didn't know and it was just what corporate had sent her in a glossy folder to read out to her staff. She did say don't worry about it though: "You're not on the hook for this if this goes wrong, Corporate are". To educate her I sent her a few links to this site and the multiple instances of e.g. poorly secured or even unprotected AWS buckets. She said that it was disturbing but not to worry as it wasn't my problem.
Cloud based hosting, SAAS etc 'can' be much more secure than your on-prem setup. But the vanilla cheap assed entry level options will not be.
MS 365 can be very very secure. But only if you give everyone a fucking expensive E5 licence and have dedicated and trained staff running the security consoles that MS have designed using the shifting sands of the Sahara desert as a model.
If you think you're going to be secure by buying an F1 licence for everyone then sticking it in vanilla then you're going to be in a very bad place very soon.
The analogy I use with the non techies is that if cloud was a car, MS and AWS can make a very very good car, but you're choosing the specification and you're still driving it, and if you spec it with 3 bicycle wheels or drive it off a cliff MS/AWS are not going to take the blame for your mangled corpse.
If I had a file containing the password to $24 million dollars worth of assets I'd make sure that it was strongly encrypted. Not letting AT&T off the hook but having previously lost $24 million of crypto-currency you think he would have taken some slightly better precautions.
1) It was the second hack that lost the $24 million.
2) Why do you think the file wasn't strongly encrypted? I would think that it almost definitely was and there is nothing in the alleged theft that would suggest it wasn't.
However I would counter that for 2FA to work, two factors must always be used at every step of the chain, and if they didn't have access to his e-mail and/or password then the 2FA token should not have worked.
Although the 2FA is a last line of defence if your login/password is compromised, so it should still provide security.
You're right - I misread the article.
"At the heart of the matter is Terpin’s phone number. In June 2017, miscreants successfully managed, after no fewer than 11 attempts in AT&T retail stores, to transfer his number to a smartphone controlled by the criminals – a so-called SIM jacking attack. The phone was then used to gain access to cryptocurrency accounts, linked to his phone number, to steal an unspecified amount of Bitcoin, and impersonate him on Skype".
However I still stand by the fact that the file probably wasn't encrypted as the thieves managed to open the file, retrieve the details and transfer the funds. Aren't we being told all the time about how government agencies want back doors to encryption? At the very least he should have split his credentials onto three different systems, password on one, user name on another and wallet ID on a third (or however many separate bits of info are needed) so that three hacks would be needed to get all of the required information, especially as he had been targeted in the past and lost funds.
Exactly, I store forms of my pwords on a notepad app on my laptop. They are in forms even I struggle to decode sometimes. They point to initialled phrases and the numbers are in a form of Navaho code talk in a language from the other side of the world.
The two factor in this is that the form only makes sense when I am reading them. So you would have to perfectly clone my brain with all its knowledge and understanding.
I prefer this to a pword manager, which is defeatable: get the pword for it and you get the keys to the kingdom.
The munged pwords are ones I do not allow the browser to remember, ones that really matter and I have thought and learned carefully on that point.
I do on some things use sms/email 2FA but only as a ‘yes I know my door lock can be picked but I still lock it’ basis (I have viewed a lot of the Lock Picking Lawyer’s YouTube videos).
It was a reference to an earlier article, in which a certain gent invested an amount of illicit cash in bitcoin, then stored the passwords on a piece of paper stored with his fishing rod.
When the feds came looking, it turned out the paper had been thrown out by his landlord along with the rest of his gear.
https://www.theregister.co.uk/2020/02/25/drug_dealer_bitcoin/
And the consensus in the comments was it was inconceivable anyone would conceal their password alongside their fishing tackle.
But this case shows exactly why downloading it onto unhackable media is not such a dumb idea. Although, personally, I would tattoo it onto a part of my body that is never normally visible in public - ideally a part that is covered in thick, curly, dark hair so even a strip search wouldn't reveal it.
Not if you self-tattoo. Tattoo equipment (at its most basic a toothpick and a source of ink, like a ballpoint pen) isn't exactly restricted or hard-to-get equipment. I had a friend that had a professional tattoo 'gun' and needles at home. And this is just some characters that any unskilled, unartistic person (like me!) could do, not artwork (well, unless you wanted to also implement steganography).
"personally, I would tattoo it onto a part of my body that is never normally visible in public - ideally a part that is covered in thick, curly, dark hair"
...make the password "I love mum"
There's a word for this sort of thing.
Written on a piece of paper, and then stored in a fireproof safe would be fine. The vast majority of password attempts are online. Storing a password on a physical piece of paper secures it against any online attack.
After all, if someone knows where you live and can break into your house, they can just stand over you with a rubber hose until you give them all your passwords, online or offline. (Or they could install cameras and record you typing in your password).
Hey, you know all those super 'secure' instant messengers, that use all kinds of super powerful encryption and stuff? Signal, Telegram, etc?
They'll all linked to your phone number. So all the Regime need do is request a new device or password reset, and since they own the telcos, they can get into your account.
Real secure. Allow the option of userid/password authentication rather than just a phone number you say? You wish. Signal and Telegram don't want to allow that. For Reasons.
Unless you also have a copy of the user's backups and know the 64 character backup key to restore it, which is shown only once when you enable backups.
Telegram, pah, last I checked it didn't even default to e2e and sent messages unencrypted.
So, for reasons, you're completely wrong
When I called T-Mobile UK years ago when I lost my phone on holiday they were very security conscious. Asked me questions about what phone models I'd had in the past with that number. Also what top up amounts I'd done and when. Plus when (because it was recent) I'd ported the number over from another network and what network it was. After answering all that, she was happy to confirm it was me and arrange a new SIM with my number.
Wouldn't have stopped a rogue employee but seemed fairly good against a member of the public.
Sounds like a nightmare. Whenever organisations (usually my bank) try to use such questions to determine if I am who I say I am my replies consist of "I don't know", "I can't remember" and "maybe xxxx?" After much humming and hawing I usually pass the check but it always leaves me feeling that I'd be much happier if they refused than taking my awful non-answers as good enough.
Once my dad, who was abroad and somewhat "off grid", asked me to ring up his credit card company to make a couple of changes.
During the security "frisking" they asked "date of birth?" which left me momentarily stumped, but after a very lengthy pause, some frantic mental arithmetic and a correct answer, all was well.
T-Mobile in the US was... significantly different.
My friend had gotten a new phone and it needed a new SIM. His old phone was deader than a doornail (hence him getting a new one). He wasn't able to get the new SIM arranged because the online portal wanted him to confirm with his existing phone.
So I called in to the phone folks, talked to a bored-sounding lady with an accent I couldn't place, told her "sorry, can't verify the text because the phone is smashed" and with no confirmation of anything beyond the old phone number (!!) got a new SIM issued. To a different address than he had on file, because he'd never bothered updating them when he moved and he was on autopay and emailed statements anyway.
I didn't even have to dust off any 'social engineering' skills from my younger, more troublesome days. The state of security at telcos is just sad.
I asked for a new SIM, they sent it to my old address. They assured me that if someone at that address tried to use it it wouldn’t work without some unspecified “activation”. Not true, of course.
It didn’t really matter at the time; in those days we had pin-pad devices to authenticate for online banking. But now, banks just send codes to the mobile phone numbers they hope we have control of. I hope the people at the banks responsible for that change have read this story.
Storing the password(s?)/credentials to access $24million in a cloud service?? Might as well try suing the cloud service. Or self for prime stupidity. Better off a password that is only stored in one place - your head: even if it is technically weaker. At least doing that social engineering the password out of you becomes a very difficult proposition.
If it's stored in your head, you stand a good chance of forgetting it. If that means you lose your money, you probably decide not to store it only in your head. If there's a method of resetting a forgotten password, that method can then be attacked. The same provisos hold for all the typical methods of storing sensitive information--the better they are at making sure other people can't get in, the more complex or difficult they are to use. Eventually, you reach a point where what you're really doing is making it hard for yourself to get in without doing much to an attacker. This is why 2FA is so important--if for any reason one method becomes compromised, the attackers still can't get in for the time being. The story here is about the failure of 2FA to have two factors that work well enough. That can of course be argued, but "memorize a long password and why not the private key while you're at it" isn't going to solve anything.
Normal practice in the USA for a case like this is for the law firm to absorb most or all of the costs against their expected share (typically 30%) of the eventual payout. This is known as a contingency fee basis. If his law firm is insisting on a pay as you go basis, that's a good indication they don't believe there is a reasonable chance of a large verdict or settlement.
Speaking of settlements, usually once pre-trial maneuvers like the one reported on here have failed, the defendant company will seek to settle. All the lawyers want to settle, the plaintiff's for the certainty of a payout and the defendant to avoid a major business risk. Sometimes the sides will let it go to a trial if they feel they have a potentially decisive argument. But if this actually goes all the way to a jury or judge's final decision, it means one of the parties has decided to overrule their lawyers to prove a point.
This doesn't make sense. If a miscreant can go to the operator and effectively hijack somebody's phone, what exactly is the end user supposed to do? Surely it is entirely the responsibility of the telco to verify (beyond any reasonable doubt) that the person making the demand is the legitimate owner.
I don't know about how things work in the US, but here in France the telco demands a copy of my passport/identity card, and it's a lot less hassle if you go to one of the telco shops so somebody can see that you match the identity photo. Also, when my mother lost her phone, the old SIM was blocked immediately, and after showing identification, she was told that a new SIM would be mailed by courier to the address on record (which was neither confirmed nor disclosed) and it would arrive in under a week (took three days). It's, you know, not hard...
"[D]o the companies that make money from the sale of phones and related data plans" *and manage your sole access point to their network* "also share a degree of responsibility?"
There, added the key text that *makes* them responsible.
Credit card companies are getting pretty good at owning up to failures. I had one of my credit cards misused a couple of times. Both times, I reported it, got fully identified before they said they'd take care of it and send a new card. And they did: charges reversed and new card (new acct numbers) sent out both times. Backend handled it just fine and I didn't even have to create a new online account, but the second time I finally changed my username and password (shame on me). (My only complaint is that I specifically asked for rush shipping the second time but they sent it the slower way.)
"I don't know about how things work in the US, but here in France the telco demands a copy of my passport/identity card"
Here in the UK, they don't ask many questions, but somehow it still takes them about a week.
Last time I did it my number switched from one SIM to the other in the middle of a job interview call.
This guy shoulders a lot of the blame too for setting things up so that someone who has control of his cell phone number can steal $24 million from him. That's a risk not only of being technologically clueless while trusting technology for your "assets", but also from the fact that bitcoin has no safeguards in place. If I had $24 million in the bank and they allowed "me" to change my password and transfer that $24 million away with a simple text message confirmation, the bank's insurance would reimburse me (and they'd probably be forced to install more robust authentication by their insurance carrier after such a big loss).
My bank currently requires me to input a code sent by phone or text message if I'm logging in from a new device, but if you forget your password your only recourse is to appear to the branch in person. I know because my mom banks at the same place and when my dad died we couldn't access the online account and that's what she had to do to reset the password. As it should be!
It's always a fun game, which is the worst EvilCorp at the moment. It's one of those knock-out games..
Oracle v Microsoft - Microsoft wins
Microsoft v Apple - Apple Wins
Apple v Facebook - Facebook Wins
.. but Facebook v AT&T (a.k.a SBC) - no contest, AT&T wins by engaging in lying and thieving and fraudulent practices for at least three more decades than Facebook
So for most EvilCorps you know that everything they say is self-serving lies. You know they are lying because their lips are moving. But with AT&T them just being in the same room is an act of mendacity. Even their body language is an outright lie. Shades of "Hello, he lied"...
So in situations like the above the natural reaction should always be when someone claims "AT&T did something bad... " no need to even finish the sentence. AT&T is Guilty as Hell on all counts. Because you have to go back to the pre-consent decree years to find even the slightest bit of honesty in AT&T's business practices. Some of the Baby Bells were not too awful. PacBell for example was OK. But South Western Bell in its pre SBC heyday added a whole new dimension to bottom feeder predatory practices. Which it elaborated on when it became SBC. And then the bigger shark SBC devoured the lesser shark AT&T. Which is what we have today.
Nah, Comcast doesn't even come close. They are just a typical local monopoly courtesy of your local government and the FCC. I found when dealing with Comcast customer support that if you are very polite and take the attitude that the person at the other end of the phone is just some poor schmuck who gets grief all day for a situation they did not create, just like with the DMV for example, most of the time it can be a not unpleasant experience dealing with them. In fact being friendly and not getting angry at them personally for whatever outrage Comcast has most recently committed usually gets a very sympathetic and helpful result. That has been my experience over the last 25 plus years in dealing with them.
Whereas AT&T has always hired script droids whose sole purpose is to read from the script without deviation, and the superiors are even less helpful. Pure stonewalling from start to finish. So there is a special level in Hell just for AT&T. They don't quite qualify for the NKVD level, which is one below.
In my experience AT&T is easily Evil Corp No1.
If "SMS hijacking" proved sufficient to steal the coin pile -- evidently the latter was parked at an exchange house. That is, the victim did not in fact have cryptographic control of the coins, only (putative) "title" (and the whole point of cryptocoinism is to reduce control to "who has the key"; enforcement of titles in this context is rather similar to a hypothetical attempt to serve a lawsuit to a tectonic plate for earthquake damages.)
Victim learned nothing from the MtGox implosion or any of the subsequent smoking craters?
If you don't hold the key, it isn't "your" coin.
So, if I'm reading that right..
He's gone to bit-wallets-R-us and said:
"'Scuse me mister, can you put these bitcoins I'm being given in one of your bags, and look after this key thingy for me? Gee I hope your security is good, remember = I'm the only one allowed access ok? Let's set up a password."
Your Telco knows your name and address and last payment amount and every freakin number you've ever called or been called by. Surely if you have a contract a local store could require a photo ID that matches the name and address they have in their system. If you don't have a contract they could ask for the number you last called and a number you called multiple times over the last month.
As I see it the case is no different to "I gave X the key to my safe, they promised to look after it, but handed it to a crook who emptied the safe". There's no doubt 'X' is responsible for the amount stolen, and then some for failure to fulfil their obligations, but ten times the amount stolen? Really?
If those are the sort of returns one anticipates it becomes worth having $24 million stolen. And, as much as I believe in innocent until proven guilty, it does make me wonder.
This type of fraud is common, and has been common for years now. The Telcos don't care - or report it to the Police. The same goes for the banks who are also involved. Even where there is clear evidence of collusion between employees from both organisation types. Is that a generalisation? Yes, but it doesn't make it not true.