Bitcoin thought leader Michael Terpin lost $24 million in various altcoins last year, and he is suing AT&T to recover that as well as $200 million in punitive damages. While this story has been covered by a few major outlets, none of them dug deep into the complaint in a way we thought properly covered it. That is what we will try to do here.
The problem, according to Michael Terpin, is that he was hacked twice: once through a SIM swap social engineering hack before AT&T put him on its “high-risk and celebrity” security list, and once through the same kind of attack after he was on that list.
A SIM swap hack is a process where hackers use social engineering to pull off their crime. They go into a wireless carrier’s store, or call the carrier on the phone, pretending to be their target, and get the target’s SIM information transferred to a new phone. A SIM card (“Subscriber Identity Module”) is a piece of removable hardware that holds personal information and links a phone number to the subscriber. It can be taken out and put into a new phone while keeping the same information, such as the phone number and contacts.

In this way, SIM cards are essential to SMS-based two-factor authentication (2FA). In theory, there can’t be two SIM cards representing the same phone number, so if you can prove you have the SIM card linked to an online account as well as that account’s password, it is a fairly safe way to secure an account. The only way a SIM card can come to represent someone else is if a carrier employee changes which card is assigned to that phone number. Ideally, this should only be done if the SIM card is lost, stolen or damaged, or the user changes to a phone that takes a different-sized SIM card. Transferring it to another person essentially makes that person the owner of the phone number, at which point all of the original owner’s personal information and every 2FA-protected account linked to that number are compromised.
According to the complaint filed by Michael Terpin, after the first hack, he had a meeting with AT&T. He claims that they promised his SIM could not be transferred unless he went into a store himself and gave the employee a special password.
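As an added example that is not part of the original article, and not AT&T’s actual process, the following models the control Terpin says he was promised: a SIM change on a high-risk account is honored only in store, and only with the special passphrase. The account, number and passphrase are constructed, and the PBKDF2 storage of the passphrase is an assumption about how a carrier might implement it.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib, hmac, os

# Constructed policy model, not AT&T's real process: a SIM change on an
# account flagged high-risk is honored only in person, with a special
# passphrase that only the account holder knows.
@dataclass
class Account:
    number: str
    high_risk: bool
    salt: bytes
    passphrase_hash: bytes

@dataclass
class SimChangeRequest:
    number: str
    channel: str                 # "in_store", "phone" or "online"
    passphrase: Optional[str]    # what the requester presented, if anything

def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def make_account(number: str, high_risk: bool, passphrase: str) -> Account:
    salt = os.urandom(16)
    return Account(number, high_risk, salt, hash_passphrase(passphrase, salt))

def passphrase_ok(acct: Account, presented: Optional[str]) -> bool:
    if presented is None:
        return False
    candidate = hash_passphrase(presented, acct.salt)
    return hmac.compare_digest(acct.passphrase_hash, candidate)  # constant-time

def evaluate(acct: Account, req: SimChangeRequest) -> tuple:
    """Return ("allow" | "deny", reason). A high-risk account needs both
    controls; an employee override is deliberately not a path in this model."""
    if not acct.high_risk:
        return ("allow", "standard account: ordinary identity checks apply")
    if req.channel != "in_store":
        return ("deny", f"high-risk account: {req.channel} channel not permitted")
    if not passphrase_ok(acct, req.passphrase):
        return ("deny", "high-risk account: special passphrase missing or wrong")
    return ("allow", "high-risk account: in-store request with valid passphrase")

# Constructed sample: a high-risk subscriber and three change attempts.
SAMPLE = make_account("+1-555-0100", True, "correct horse battery")

def demo() -> list:
    return [evaluate(SAMPLE, r)[0] for r in (
        SimChangeRequest("+1-555-0100", "phone", None),
        SimChangeRequest("+1-555-0100", "in_store", "guess"),
        SimChangeRequest("+1-555-0100", "in_store", "correct horse battery"))]
```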
That, apparently, wasn’t the case and Michael Terpin found himself the victim of another SIM swap hack. With his various accounts compromised, the hackers were able to drain $24 million in “various alts” while Terpin had to sit and watch it happen.
Throughout the process, Terpin says he was frantically on hold with AT&T’s security center, only to discover that it wasn’t open on Sundays. As his complaint points out, hackers do work on Sundays.
“When Mr. Terpin’s telephone went dead on January 7, 2018, he instantly attempted to contact AT&T to have the telephone number immediately cancelled so that the hackers would not gain access to his Personal Information and accounts. Ignoring Mr. Terpin’s urgent request, AT&T failed promptly to cancel Mr. Terpin’s account, which gave the hackers sufficient time to obtain information about Mr. Terpin’s cryptocurrency holdings and to spirit off funds to their own accounts. Adding insult to injury, AT&T placed Mr. Terpin’s wife on endless hold (over an hour!) when she asked to be connected to AT&T’s fraud department while Mr. Terpin was furiously attempting to see what damage was being done to his accounts. Mr. Terpin’s wife never reached AT&T’s fraud department because it apparently does not work (or is unavailable) on Sundays. But the hackers work on Sunday!”
It seems that the point of contention will be whether AT&T breached its contract with Mr. Terpin, or whether it somehow otherwise misled him when he signed it. The fine print of the contract contends that AT&T is not responsible for any loss, including losses caused by fraud on the part of AT&T or its employees.

That would seemingly disqualify his lawsuit, except that courts have on occasion thrown out these kinds of boilerplate agreements, especially when they contradict what was said in person or the plain reading of the contract, or when the bargaining power of the two sides was unequal at signing.
“This might come down to what basic standard of care AT&T should owe its customers. If they made an innocent mistake or were understandably tricked into the SIM card swap, it is arguable whether their contractual limitations will protect them from a degree of simple negligence. If the losses were caused by a higher level of ‘gross negligence’ in their failure to protect Terpin’s customer data, especially when they should have known Terpin’s account was at high risk for fraud and needed special security precautions, it becomes harder to defend with the boilerplate disclaimers,” explains Monty Silley, an attorney in New York and expert in financial crime. “[Furthermore] if Terpin can actually show that an AT&T employee was actively involved in the theft of his cryptocurrency, then he will have a strong case against the company.”
As laid out in the complaint, AT&T was aware, or should have been aware, of the SIM swap danger. There have been multiple reports by the likes of KrebsOnSecurity and Vice detailing the issue, and mobile carrier employees have been accused in the past of cooperating with hackers to reveal personal information.
One case mentioned in the complaint involved an AT&T employee giving the personal information of over 200,000 customers to cybercriminals; AT&T was fined $25 million for that breach. The task for Terpin and his legal team will be proving that something similar happened here.

Considering that the only people who knew Terpin’s password were he and his wife, he may have a point. Somehow, without the password, a hacker managed to convince an AT&T employee to switch out the SIM card. That could only be due to complete incompetence, or because the AT&T employee was cooperating with the hacker.
In response to an email from Reuters, AT&T denied the allegations, stating, “We dispute these allegations and look forward to presenting our case in court,” but declined to comment further.
It is important to note that everything in the complaint is from Michael Terpin’s perspective. These are the things he has alleged and not things that have been proven in court. AT&T will state their side of it when the day comes.
We will keep you up to date on the trial as it progresses.