AT&T said it would fight a suit accusing it of negligence in a customer’s loss of $1.7 million in a SIM swap.
The case was brought by Seth Shapiro, VideoCoin’s head of strategy, who blames the phone giant for allowing employees to transfer control of his phone number to criminals during a May 2018 hack.
Speaking to CoinDesk, AT&T spokesman Jim Greer said:
“It is unfortunate that Mr. Shapiro experienced this, but we dispute his allegations. We look forward to presenting our case in court.”
After a series of brazen SIM swaps, Shapiro said he lost $1.7 million in cryptocurrency. Hackers allegedly seized control of his cellphone, reset his email and breached his exchange accounts to steal $1 million from him, with the balance belonging to other people for upcoming investments.
Greer said AT&T was cautioning all its customers to bolster their security measures, and that mobile phone authentication is not enough:
“Recent high profile cases reinforce the importance of businesses and consumers taking steps to protect against SIM swap fraud, such as not using mobile phone numbers as the single source of security and authentication.”
But Shapiro’s lawyer, Andrew Calderon, maintained that the underlying problem was not customer carelessness but “systemic negligence” by AT&T.
“AT&T’s failure to secure Mr. Shapiro’s data is not an aberration,” Calderon told CoinDesk. “As explained in the complaint, AT&T has a rich and troubling heritage of taking less than adequate measures to protect its customers’ data from unauthorized access.”
To access Shapiro’s SIM card, the hackers allegedly paid off AT&T employees – now since fired and being prosecuted in criminal court – to gain control.
According to Shapiro, the initial phone hack occurred during the May 2018 Consensus conference. On the same date, Shapiro’s VideoCoin announced the close of a $50 million private coin offering, for which his related Alphabit Fund subscribed. Two colleagues of his in several ventures – entrepreneurs Chris Kitze and Enzo Villani – were also SIM hacked at the same time, but they did not lose any funds.
In April 2019, Joel Ortiz, the alleged 21-year-old mastermind of the Shapiro hack, was sentenced to 10 years in federal prison, after pleading no contest to charges that he orchestrated 13 SIM swaps. An accomplice, a 19-year-old minor, was charged in seven cases. Ortiz was alleged to have made off with $5.2 million, but only $400,000 was recovered.
Another high-profile SIM hack case was brought against AT&T last year, when Michael Terpin, a crypto exec with a public relations firm, investment company and conference series, and a partner of Shapiro’s in several of those ventures, said he lost $23.8 million when his phone was hacked.
Terpin sued the telephone company to reclaim his losses, in addition to $200 million in punitive damages and that the breach was a violation of the Federal Communication Act. The perpetrators were alleged to be a New York City-based, 21-year-old thief named Nicholas Truglia, along with his 16-year-old computer hacking accomplice.
According to an affidavit filed by a Truglia friend caught up peripherally in his bust, the thief’s M.O. was to have himself fraudulently added as an admin to a target’s phone account, then proceed to a local AT&T store where he used his own ID to verify his identity and instruct an AT&T employee to make the changes to provide him access to the SIM.
The least secure security measure
The loss highlights an obvious question for security experts, who wondered why an experienced crypto executive would keep such high sums in an online exchange rather than “cold storage” – i.e. offline storage, where it would be completely shielded from remote hacks.
Relying on a cellphone to secure any part of one’s online security apparatus is a huge potential vulnerability, Haseeb Awan, CEO of the California-based SIM card security provider DontPort, told CoinDesk.
“People should avoid SMS [verification] whenever possible,” Awan said. “Two-factor authentication is probably the worst form of authentication,” because of the ease with which hackers compromise it.
Even without the AT&T moles alleged by Shapiro, Awan, himself the target of multiple SIM swaps, said hackers social engineer, trick and buy their way into victims’ mobile accounts every day, making the value of cellphone verification almost negligible.
Many people think they will never get hacked simply because they have never been before, Awan said:
“It’s kind of like saying you will never die because you haven’t yet.”
That hubris makes them even more vulnerable.
SIM swapping is a relatively well-known threat among high-profile crypto holders, who are often targeted because of their publicity and the heightened likelihood that they may hold valuable assets.
Shapiro, the current head of strategy for VideoCoin and founder of various crypto media projects, even told investigators that he immediately suspected SIM-swapping when his phone suddenly stopped working.
Awan said he was surprised Shapiro could have lost so much money so easily:
“He’s not some newbie. He’s been in crypto for a while.”
AT&T’s Greer said that offline storage is the only real solution:
“For cryptocurrency, security experts recommend further safeguards, such as keeping cryptocurrency in ‘cold storage,’ an offline environment that can’t be accessed via the internet, and following instructions regarding storage of wallet and exchange access credentials.”
Shapiro’s lawyer Calderon, however, said it is not just crypto users who are hurt by these hacks.
“Other victims have lost U.S. dollars and valuable personal information,” he said. “SIM swap attacks have affected people across the spectrum of economic standing. All data accessible through a mobile device is vulnerable when AT&T transfers account access to criminal hackers.”
It was unknown from the legal filings, which, if any, security products the executives had on their hacked phones.
UPDATE (Oct. 30, 22:00 UTC): This article has been updated to include statements received after publication from Shapiro’s lawyer.
SIM card image via Shutterstock