AT&T fails to have $24 million SIM-swap attack lawsuit dismissed

The case calls into question how liable carriers are in criminal scenarios which use cell phones as the primary attack vector.
Written by Charlie Osborne, Contributing Writer

AT&T has failed to have a lawsuit thrown out of court in which the complainant is pursuing the loss of millions in cryptocurrency allegedly caused by a SIM-swapping attack. 

On Monday, a Los Angeles federal judge formally dismissed AT&T's bid to quash the case, brought forward by Michael Terpin, a blockchain and cryptocurrency investor. 

In mid-2018, Terpin became aware of a problem with his cellphone, which had been subscribed to AT&T services since the 1990s. 

A previous hacking incident -- a SIM swap leading to the fraudulent transfer of cryptocurrency through his compromised Skype account in 2017 -- had prompted the wireless carrier to enforce additional, protective measures on Terpin's account, but these safeguards allegedly failed. 

According to the complaint (.PDF), despite the addition of a six-digit passcode before a number transfer was accepted, a fraudster was able to pose as the investor and "obtain [his] telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin's required password."

The complaint continues:

"Mr. Terpin relied upon AT&T's promises that his account would be much more secure against hacking, including SIM swap fraud, after it implemented the increased security measures. Because of the implementation of such measures, Mr. Terpin retained his account with AT&T. But for these express promises and assurances, Mr. Terpin would have canceled his AT&T account and contracted with a different cellular telephone provider and he would not have lost nearly $24 million from hackers."

Phone numbers are often used as an additional security measure in two-factor authentication (2FA) schemes. If attackers are able to seize control of a phone number in so-called SIM-swapping attacks, this can be used to bypass 2FA, as well as to reset online service credentials. 
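To make the mechanism concrete, here is an added toy model (not code from the article, AT&T, or any party to the case) of why a reset flow that trusts SMS alone falls to a SIM swap, beside a hardened flow that refuses the SMS factor for a period after the number changes hands and also demands a factor that never travels over the phone network. The carrier, the phone number, the six-digit passcode, the 72-hour cooldown and the recovery code are all constructed for the example; `enforce_pin=False` stands in for the passcode check being skipped, as the complaint alleges.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: do not trust SMS for this long after a number moves to a new SIM.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


@dataclass
class Carrier:
    """Toy carrier: who currently receives SMS for a number, when that last changed,
    and the account passcode a number transfer is supposed to require."""
    holder: dict = field(default_factory=dict)        # number -> current subscriber
    last_change: dict = field(default_factory=dict)   # number -> datetime of last SIM change
    port_pin: dict = field(default_factory=dict)      # number -> transfer passcode

    def transfer(self, number, new_holder, presented_pin, now, enforce_pin=True):
        """Move a number to a new SIM. enforce_pin=False models the passcode check
        being skipped by the carrier side (a hypothetical switch for the demo)."""
        if enforce_pin and not hmac.compare_digest(presented_pin, self.port_pin[number]):
            return False
        self.holder[number] = new_holder
        self.last_change[number] = now
        return True

    def deliver_sms(self, number, body):
        """An SMS reaches whoever holds the number now, not the original subscriber."""
        return self.holder[number], body


@dataclass
class Service:
    """Toy online service with an SMS-only password reset and a hardened reset."""
    carrier: Carrier
    phone_of: dict = field(default_factory=dict)       # user -> phone number
    recovery_hash: dict = field(default_factory=dict)  # user -> sha256 of recovery code
    password: dict = field(default_factory=dict)       # user -> current password
    pending_otp: dict = field(default_factory=dict)    # user -> outstanding SMS code

    def enroll(self, user, number, recovery_code, password):
        self.phone_of[user] = number
        self.recovery_hash[user] = hashlib.sha256(recovery_code.encode()).hexdigest()
        self.password[user] = password

    def send_otp(self, user):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = otp
        return self.carrier.deliver_sms(self.phone_of[user], otp)

    def reset_sms_only(self, user, otp, new_password):
        """Weak flow: possession of the phone number alone is enough."""
        if not hmac.compare_digest(otp, self.pending_otp.get(user, "")):
            return False
        self.password[user] = new_password
        return True

    def reset_hardened(self, user, otp, recovery_code, new_password, now):
        """Hardened flow: refuse SMS right after a SIM change, and require a second
        factor (here a recovery code) that does not depend on the phone network."""
        changed = self.carrier.last_change.get(self.phone_of[user])
        if changed is not None and now - changed < SIM_CHANGE_COOLDOWN:
            return False  # number changed hands recently: SMS is not trusted
        if not hmac.compare_digest(otp, self.pending_otp.get(user, "")):
            return False
        given = hashlib.sha256(recovery_code.encode()).hexdigest()
        if not hmac.compare_digest(given, self.recovery_hash[user]):
            return False
        self.password[user] = new_password
        return True


def simulate():
    """Run the same takeover against both flows; return (weak_succeeded, hardened_succeeded)."""
    now = datetime(2018, 6, 1, 12, 0)        # constructed timestamp
    number = "+1-555-0100"                   # constructed number
    carrier = Carrier()
    carrier.holder[number] = "victim"
    carrier.port_pin[number] = "482913"      # constructed six-digit passcode
    svc = Service(carrier)
    svc.enroll("victim", number, recovery_code="correct horse battery", password="old")

    # With the passcode enforced the transfer fails; with the check skipped it goes through.
    assert carrier.transfer(number, "attacker", "000000", now, enforce_pin=True) is False
    carrier.transfer(number, "attacker", "000000", now, enforce_pin=False)

    # The service texts a reset code; it lands on the SIM that now holds the number.
    recipient, otp = svc.send_otp("victim")
    assert recipient == "attacker"
    weak = svc.reset_sms_only("victim", otp, "new-pw-1")

    # The same code against the hardened flow, inside the cooldown and without the recovery code.
    _, otp = svc.send_otp("victim")
    hardened = svc.reset_hardened("victim", otp, "guess", "new-pw-2", now + timedelta(hours=1))
    return weak, hardened
```

The cooldown check is the detection signal a service can act on: carriers expose "SIM changed recently" lookups, and treating a fresh change as a reason to fall back to a non-SMS factor removes the phone number as a single point of failure. The recovery-code requirement shows the mitigation the article's framing implies: a second factor the carrier cannot hand over.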

Terpin claims that the phone number was used to compromise his accounts, resulting in the loss of cryptocurrency from wallets worth close to $24 million. 

"It was AT&T's act of providing hackers with access to Mr. Terpin's telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur," the complaint reads. "What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner."

Terpin is suing for the value of the lost cryptocurrency and damages, amounting to $224 million. The foundation of the claim is the allegation that AT&T has violated the Federal Communications Act by giving hackers unauthorized access to his account. 
The investor has also asked the court to disregard the carrier's consumer contract stipulations, in which AT&T promises to safeguard customer data, but also decrees -- in vague language -- that the company cannot be held liable for a range of claims. 

While the complaint accuses the carrier of being well aware of the prevalence of SIM hijacking and of the collusion of its own employees in such schemes, AT&T has argued that Terpin has not specifically shown the connection between his subscription, the attack, and the alleged theft. 

The judge presiding over the case has given Terpin a further 21 days to amend his case and to adequately demonstrate the link between AT&T's apparent negligence and the compromised accounts.

"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."

"We are pleased the court dismissed most of the claims," AT&T told Ars Technica. "The plaintiff will have the opportunity to re-plead but we will continue to vigorously contest his claims."
