back to article It’s happened again: AT&T sued for allegedly transferring victim's number to thieves in $1.9m cryptocoin heist

AT&T has been sued for a second time over allegations its staff gave thieves control of a specific individual’s cellphone number to steal a large chunk of cryptocurrency. Seth Shapiro’s $1.9m claim follows in the footsteps of Michael Terpin, who sued the gigantic US cellular network in 2018 for more or less the same thing: …

  1. Jonathan Richards 1
    Stop

    24E6 eggs in a flimsy basket

    I don't know if AT&T promised and didn't deliver, but I will observe that if my entire life savings were even a fraction of $24m then I wouldn't be entrusting it to a repository the ownership of which depended on control of a single mobile telephone account. Sod 2FA, I would want an order of magnitude better than that. Why is it all in any one place in any event?

    1. tin 2

      Re: 24E6 eggs in a flimsy basket

      Yep, I'd want 24FA, at least.

      1. vir

        Re: 24E6 eggs in a flimsy basket

        Ah Mr. tin 2, I see you've successfully entered your 36 digit PIN, matched four fingerprints, a retinal scan, a handprint scan, a voiceprint, a DNA test, an anal wrinkle scan, presented your unique USB token, confirmed the PIN sent to you over SMS, confirmed the PIN sent to you through email, confirmed the PIN sent to you on grindr, entered your grandmother's hairdresser's grandmother's neighbor's maiden name, confirmed your third grade teacher's anal wrinkle scan, identified several pictures of motorcycles, matched every street you and your family have lived on going back seven generations, identified which car models you've applied for financing on, found the four pieces of the ancient treasure map hidden in famous Mason landmarks on different continents, evaded the attack dogs, evaded the attack squirrels, verified that your heart weighs less than a feather, and completed an audio CAPCHA. Here is the 0.006 BTC you requested to pay your cell phone bill.

        1. martinusher Silver badge

          Re: 24E6 eggs in a flimsy basket

          I've only got a fraction of that sum in my life savings but it relies on more than a password to protect it from miscreants. First of all, the accounts that hold this money are not in any way connected with our day to day checking accounts -- they're air gapped. Secondly, as a 'high net worth' individual you get a personal banker who gets to know you and your fiscal habits. This personal service means that any unusual request like an out of the blue outbound wire transaction to Ruritania is going to raise a few eyebrows and at least a phone call. Thirdly, as your credit is likely to be stellar there's never any particular need to raise funds 'right now' -- everything can be done at the speed of a personal visit or snailmail because creditors know you're good for the cash.

          The only reason for hiding that level of money is that its either dodgy or you don't want the IRS to know about it (essentially the same thing).

          1. Zarno Bronze badge

            Re: 24E6 eggs in a flimsy basket

            "The only reason for hiding that level of money is that its either dodgy or you don't want the IRS to know about it (essentially the same thing)."

            Or, you got into the whole mining shebang early and it's "new" pre-tax income/currency from nothing, so if you pull it all out at once, you get hit at the entire income tax liability all at once.

            I know a couple people who are stuck in that situation, and don't feel like taking the massive tax hit to convert it all in one fiscal year. Instead, they draw off of it as needed, and stay out of the painful tax brackets.

            Similar idea with someone not paying themselves the full 100% of their sole proprietorship's profits as wages, to avoid the corporate+income double-wham on all of it. Tax avoidance vs tax evasion.

            if it's post-tax earnings that were stuffed into crypto to be held, they're a bit daft...

            I sort of wish I had hopped on the wagon and mined some when it was easy, but back then I was trading microlot forex, which put me partly through college...

            1. d3vy Silver badge

              Re: 24E6 eggs in a flimsy basket

              "Or, you got into the whole mining shebang early and it's "new" pre-tax income/currency from nothing, so if you pull it all out at once, you get hit at the entire income tax liability all at once."

              At what point do you become liable for the tax on this? When you mine the crypto currency you have "earned" it so I'd assume tax would be due there and then.

              Are you saying that you dont have to declare it for tax until its taken from your Crypto wallet and paid into your personal wallet?

              1. Zarno Bronze badge

                Re: 24E6 eggs in a flimsy basket

                As far as my somewhat limited knowledge, it is only taxed when converted to a recognized currency, or "withdrawn".

                So if you mined $20 in BTC back when, and it's now worth $20K, then you'll pay tax on the 20K, same as a stock transaction or bank interest. Lovely for sure.

                It's a big ball of wax, but that's how it was explained last ai looked into it

                In some ways, it's like a 401(k) or IRA?

                There may be more recent laws/rules/regulations though. The IRS wants their cut six ways from a half dozen after all.

                1. d3vy Silver badge

                  Re: 24E6 eggs in a flimsy basket

                  @zarno

                  Thanks!

  2. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble? Silver badge

    I have questions...

    So I'm quite willing to accept that the individuals in this and the previous story were targeted specifically. I don't believe that hackers are picking phone numbers at random in the hope of hitting one that holds crypto, never mind high value crypto. But how did the hackers know to go for these phone numbers? I guess either the victims were bragging about how much (fake) money they had, in which case made themselves targets, or the people who run the repositories or whatever they are where people keep their wallets know the value of said wallets, know who the owner is and therefore know which phone numbers they need to intercept to get the really high value ones.

    And if it's the second option, then why the hell does anyone trust this crap? As previous commenter said, I wouldn't trust $24m of my money (if I had it, I wish!) to a single reputable, insured, regulated financial institution, never mind some faceless internet people who cobbled a few web pages together. In what world does someone think "I don't trust these financial institutions to look after my money, I don't trust FIAT currency but I'll leave enough money to live the rest of my life without ever having to work again and be able to pay myself $250,000 per year for life with money left over in some bizarreo mystery tech storage place. I'd want that money out as soon as possible and somewhere much more reliable.I just don't believe it frankly. But then as is often noted: people are strange.

    1. Doctor Syntax Silver badge

      Re: I have questions...

      And if it's the second option, then why the hell does anyone trust this crap?

      TFA describes him as a technology consultant. You'd think he'd know better.

      1. lglethal Silver badge
        Mushroom

        Re: I have questions...

        TFA describes him as a technology consultant. You'd think he'd know better.

        Oh I dont know. Have you ever had a "Technology Consultant" come into your business before? They spout a bunch of bollocks and buzzwords to the PHB's, convince them that X is the new thing that they absolutely need to be doing. Provide a whole bunch of expensive, yet useless solutions that fix nothing and leave the entire thing a worse mess than it was previously, and then they bugger off with their excessive fee, and leave the IT team to clean up the mess afterwards...

        In other words, they're just snake oil salesman with no actual Tech knowledge beyond buzzwords. So No i wouldnt think he'd know better.... Because Blockchain!

    2. Anonymous Coward
      Anonymous Coward

      Re: I have questions...

      Why? Taxes. As soon as you move it to a "legit" institution the IRS will come a knocking for their piece. And now that they're suing, the IRS is definitely going to want to have a word. Cheat the taxman at your own peril. They have zero sense of humor.

    3. sitta_europea

      Re: I have questions...

      "...why the hell does anyone trust this crap?"

      Good God! I've been sayin' it. I've been sayin' it for ten damn years. Ain't I been sayin' it, Miguel? Yeah, I've been sayin' it.

  3. Pascal Monett Silver badge
    Trollface

    It looks like the Wild West out there

    If only there was a structure in place where you could put your money and be confident that it was guaranteed that you could not lose it under any circumstance.

    If only there was a legal framework and charter that allowed for the creation of institutions who were responsible for the money you placed in your accounts.

    If only there was a way to ensure that, even in case of robbery, your account was guaranteed and you didn't lose anything.

    Instead, it's the 3rd millennium and we still have people hiding their "life savings" under the mattress. What a shame.

    Oh wait . . .

    1. Santa from Exeter

      Re: It looks like the Wild West out there

      Thank you for using the correct icon.

      You *do* know that you aren't actually guaranteed not to lose your money at these amounts if a bank goes bust don't you. In the UK, only the first £85k is protected by compensation schemes.

      1. Imhotep

        Re: It looks like the Wild West out there

        In the US it is $250k per account, per bank.

      2. Pascal Monett Silver badge

        Yes, well, the day I have more than £85K in my account I'll start worrying about that detail.

        Actually, no I won't. I'll just open another account in another bank. Problem solved.

  4. Dr Paul Taylor

    Relying on phone numbers

    Much as I agree with the 24E6 eggs comments, the central point of the article is the reliance on phone numbers.

    Increasingly, financial bodies (including HMRC) insist that you give them your (mobile) phone number "for security" --- exactly so that they can send you "codes" to do exactly this.

    At least twice banks have refused my business because I wouldn't give them my phone number(s), even though I had provided plenty of evidence of solvency.

    So, power to Seth Shapiro and Michael Terpin. I hope they win their cases against AT&T and that banks take notice!

  5. Anonymous Coward
    Anonymous Coward

    ELI5 please

    Maybe I've completely misunderstood how blockchain works: but I understood there wasn't really anything in a bitcoin 'wallet' apart from a public key and a private key. You know how much you've got because you basically total up your entries from the entire ledger from block 0 to the present day. When you make a transaction, you tell lots of people and eventually that gets imortalised in a tamperproof block (by miners?) which, once created, is also shared with lots of people. If you are 'keeping your bitcoin' in some place X, surely that just means you've stored your private key there?

    1. Anonymous Coward
      Anonymous Coward

      Re: ELI5 please

      "When you make a transaction, you tell lots of people and eventually that gets imortalised in a tamperproof block (by miners?) which, once created, is also shared with lots of people."

      So this is the bit I don't get - does it just keep growing in size forever? Or is it truncated in some way at some point?

      1. Anonymous Coward
        Anonymous Coward

        Re: ELI5 please

        *... does it just keep growing in size forever?"

        AIUI, this is why it is called block chain and not just chain. The miners compete to be first to generate a sufficiently large partial hash collision, which is a "proof of work" (because the only way to generate such collisions is trial and error). Once that is done the completed block can be promulgated amongst the peers, and its totals can be trusted, without any need to open it up and iterate through the individual transactions within it. You therefore only have to total the subtotals from the blocks which went before.

        I visualise it like a long ledger in several volumes where each complete volume has been signed off. However as I'm the AC who asked for the ELI5 this is a highly non-authoritative answer!

    2. Jon 37

      Re: ELI5 please

      There are three ways to store your bitcoin:

      1) In your own "wallet" where the private key only exists on a USB stick which you keep securely. (If you're sensible, two or three copies of that USB stick in safes or bank vaults in different buildings). You run the "wallet" program on your own computer. This way is a good idea for large amounts of savings, where you're not going to make withdrawals often. You can still make deposits, using just your public key which is part of the public record.

      2) In your own "wallet" where the private key is stored (perhaps encrypted with a passphrase) on your personal computer. You run the "wallet" program on your own computer. This is safe unless you get a virus. This way is a good idea for your "current account" equivalent.

      3) In an exchange. These are companies with a website that will run a wallet for you; they allow you to transfer funds into your wallet, make payments from your wallet, and convert bitcoin funds to or from dollars or other real-world currencies. They are effectively a bank, but without any regulations or insurance. If you want to convert bitcoin to or from dollars you'll have to set up an account with an exchange. Storing large amount of funds in an exchange for a long period of time is a really bad idea. There are plenty of stories of exchanges running off with people's money, either as a deliberate scam or because they were incompetent and their bitcoins were stolen and they went bankrupt. Your individual account can also be hacked into and your money stolen, if someone can get your username, password and any 2FA authentication that you've set up. That's what seems to have happened in this case.

      Dispite the fact that option (3) is the worst and least secure option, it's also the most convenient. So most people store their Bitcoin that way.

  6. cd

    I just transferred my number off VZW; they did everything to prevent me from generating the transfer PIN that they require. That generator has been moved around the customer portal, it's now at the bottom of a seemingly-unrelated page and requires scrolling to find., so my MVNO's navigation instructions were no help

    When found it is easy to run out of attempts and be given a 24 hour hiatus before further attempts. None of the 2FA texts arrived, use the email option if you need to do this. Texts suddenly worked perfectly minutes later when I called CS and they wanted me to use their digital assistant instead, was practically bombarded with imprecations to talk with their AI.

    Perhaps incidentally, after I made it known that I wanted to transfer, my calls to CS were routed to a long queue. yet when I put in another SIM and called their CS I was answered promptly until they associated that number with me. Eventually, after days of trying, I got a transfer PIN that worked, unlike the one given to me verbally by VZW CS that turned out to be "invalid".

    Point being that things might be in place to prevent transfer, but they also might be used to prevent valid transfer if it so benefits the carrier.

    If I had one of those currency accounts I'd use an MVNO SIM and keep that phone number generally out of circulation and not associated with me anywhere official. There are plenty of MVNO's, easy to have several and rotate every so often. If thieves went after my regular number it would have no effect on my accounts. Those prepay SIMs are cheap to buy and keep.

    But I'm not a technology consultant, except to friends and family.

  7. Grinning Bandicoot

    I have an opinion on ATT and none is complimentary and I wonder how anyone claiming technological competency would deal with them. ATT should be for the proles that wanted to be shorn,

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020