$560 000 USD

SEPTEMBER 2020

UNITED STATES

UNKNOWN

DESCRIPTION OF EVENTS

"An AT&T customer filed a lawsuit against the company last week accusing it of failing to provide “reasonable and appropriate security to prevent unauthorized access to its customer wireless accounts.” This has led to the theft of cryptocurrency from the plaintiff’s crypto exchange account."

 

"An AT&T customer, Jamarquis Etheridge, filed a lawsuit in the district court for the Southern District of Texas against AT&T Inc. and AT&T Mobility LLC Wednesday." "On or around Sept 10, bad actors were able to infiltrate Etheridge’s wireless account without authorization and drain his cryptocurrency account. AT&T was slow at reacting and unable to contain the security breach until the next day."

 

"Etheridge, a resident of the U.S. state of Texas, has been a customer of AT&T since 2009. He claims to be a victim of “SIM swapping,” also known as “SIM hijacking.” SIM swapping is a common scam that AT&T is no stranger to."

 

"Plaintiff Jamarquis Etheridge, a Texas resident, filed the suit in the state’s District Court on Sept 15. In it, Etheridge is claiming that AT&T failed to provide reasonable and appropriate security to prevent unauthorized access to his wireless account."

 

"The court document filed by Etheridge’s attorney, Richard E. Brown, states that on or about Sept. 10, 2020, AT&T “allowed wrongdoers access to plaintiff Etheridge’s wireless account and, without his authorization,”"

 

"AT&T was unable to contain this security breach until the next day, enabling wrongdoers to drain plaintiff Etheridge’s cryptocurrency exchange account."

 

"The plaintiff claims that as a result of AT&T’s actions or inactions, he has suffered and continues to suffer actual damages, including the loss of 159.8 ETH, lost time, embarrassment and humiliation, aggravation and frustration, fear, anxiety, financial uncertainty, unease, emotional distress, and various expenses."

 

“As a result of this breach of security, Plaintiff Etheridge’s exchange account was subjected to unauthorized transfers; he was deprived of his use of his cell phone number and required to expend time, energy, and expense to address and resolve this financial disruption and mitigate the consequences; and he also suffered consequent emotion[al] distress,” the filing says.

 

"As a result of AT&T’s failures if not active participation in SIM swap theft that was inflicted upon him, Plaintiff Etheridge has had over 159.8 ETHEREUM Tokens of assets stolen from him." "The plaintiff, who has been a customer of AT&T since 2009, was unable to use his cell phone number to mitigate the incursion and ended up losing 159.8 in ETH worth approximately $560,000 at the time."

 

"On or about September 10, 2020, Plaintiff noticed his phone service was not working and immediately called AT&T to find out that his service was compromised. Without obtaining Plaintiff’s permission, his phone service had a four (4) digit passcode as well. While on the phone with the agent, Plaintiff was told to update a new passcode to his account and the agent would add “extra” security measures to Plaintiff’s account."

 

"Plaintiff’s phone was restored hours later. The following day, Plaintiff’s phone service was not working again and Plaintiff immediately called AT&T to see why this was happening and the agent said it was because the first agent only added Plaintiff’s SIM back to the account and did not disable the fraudulent SIM. The actions of the first agent was how the fraudsters were able to deplete most of Plaintiff’s cryptocurrency account."

 

"For redress, the man seeks a variety of damages and his attorneys’ fees and costs. The lawsuit also states that it reserves the right to convert into a class action on behalf of similarly aggrieved Texans and out-of-state residents. The plaintiff is represented by Richard E. Brown Attorney at Law PC."

A client of an unnamed US-based exchange had their account breached after relying on SMS-based 2FA. The client is taking their mobile provider to court in an attempt to gain some recovery.

HOW COULD THIS HAVE BEEN PREVENTED?

In order to be effective, authentication factors need to be varied. Having all factors either publicly determinable or common to one factor allows for a breach of the account. Adding factors which are specific to hardware, held by separate individuals, or require identification will improve security. Platforms should provide greater flexibility for customization and more factors to customers. Reliance on SMS-based authentication should be avoided.

 

It's recommended that platform owners be made aware of all common breach factors (and especially the limitations of SMS-based factors). It makes sense for new platforms to receive 2 separate reviews of their authentication security policies by experts prior to launching.

 

Under our proposed framework, customers of platforms may be eligible to claim against their losses from an account breach. This would include a thorough review of both the claim and the platform's security policies prior to discretionary reimbursement from the industry insurance fund.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.