Sep 2020 - Sim Swapping AT&T - $560k (United States)
"An AT&T customer filed a lawsuit against the company last week accusing it of failing to provide “reasonable and appropriate security to prevent unauthorized access to its customer wireless accounts.” This has led to the theft of cryptocurrency from the plaintiff’s crypto exchange account."
"An AT&T customer, Jamarquis Etheridge, filed a lawsuit in the district court for the Southern District of Texas against AT&T Inc. and AT&T Mobility LLC Wednesday." "On or around Sept 10, bad actors were able to infiltrate Etheridge’s wireless account without authorization and drain his cryptocurrency account. AT&T was slow at reacting and unable to contain the security breach until the next day."
"Etheridge, a resident of the U.S. state of Texas, has been a customer of AT&T since 2009. He claims to be a victim of “SIM swapping,” also known as “SIM hijacking.” SIM swapping is a common scam that AT&T is no stranger to."
"Plaintiff Jamarquis Etheridge, a Texas resident, filed the suit in the state’s District Court on Sept 15. In it, Etheridge is claiming that AT&T failed to provide reasonable and appropriate security to prevent unauthorized access to his wireless account."
"The court document filed by Etheridge’s attorney, Richard E. Brown, states that on or about Sept. 10, 2020, AT&T “allowed wrongdoers access to plaintiff Etheridge’s wireless account and, without his authorization,”"
"AT&T was unable to contain this security breach until the next day, enabling wrongdoers to drain plaintiff Etheridge’s cryptocurrency exchange account."
"The plaintiff claims that as a result of AT&T’s actions or inactions, he has suffered and continues to suffer actual damages, including the loss of 159.8 ETH, lost time, embarrassment and humiliation, aggravation and frustration, fear, anxiety, financial uncertainty, unease, emotional distress, and various expenses."
“As a result of this breach of security, Plaintiff Etheridge’s exchange account was subjected to unauthorized transfers; he was deprived of his use of his cell phone number and required to expend time, energy, and expense to address and resolve this financial disruption and mitigate the consequences; and he also suffered consequent emotion[al] distress,” the filing says.
"As a result of AT&T’s failures if not active participation in SIM swap theft that was inflicted upon him, Plaintiff Etheridge has had over 159.8 ETHEREUM Tokens of assets stolen from him." "The plaintiff, who has been a customer of AT&T since 2009, was unable to use his cell phone number to mitigate the incursion and ended up losing 159.8 in ETH worth approximately $560,000 at the time."
"On or about September 10, 2020, Plaintiff noticed his phone service was not working and immediately called AT&T to find out that his service was compromised. Without obtaining Plaintiff’s permission, his phone service had a four (4) digit passcode as well. While on the phone with the agent, Plaintiff was told to update a new passcode to his account and the agent would add “extra” security measures to Plaintiff’s account."
"Plaintiff’s phone was restored hours later. The following day, Plaintiff’s phone service was not working again and Plaintiff immediately called AT&T to see why this was happening and the agent said it was because the first agent only added Plaintiff’s SIM back to the account and did not disable the fraudulent SIM. The actions of the first agent was how the fraudsters were able to deplete most of Plaintiff’s cryptocurrency account."
"For redress, the man seeks a variety of damages and his attorneys’ fees and costs. The lawsuit also states that it reserves the right to convert into a class action on behalf of similarly aggrieved Texans and out-of-state residents. The plaintiff is represented by Richard E. Brown Attorney at Law PC."
Further Analysis
A client of an unnamed US-based exchange had their account breached after relying on SMS-based 2FA. The client is taking their mobile provider to court in an attempt to gain some recovery.
How Could This Have Been Prevented?
In order to be effective, authentication factors need to be varied. Having all factors either publicly determinable or common to one factor allows for a breach of the account. Adding factors which are specific to hardware, held by separate individuals, or require identification will improve security. Platforms should provide greater flexibility for customization and more factors to customers. Reliance on SMS-based authentication should be avoided. It's recommended that platform owners be made aware of all common breach factors (and especially the limitations of SMS-based factors). It makes sense for new platforms to receive 2 separate reviews of their authentication security policies by experts prior to launching. Under our proposed framework, customers of platforms may be eligible to claim against their losses from an account breach. This would include a thorough review of both the claim and the platform's security policies prior to discretionary reimbursement from the industry insurance fund.
More Cryptocurrency Exchange Hacks/Scams/Frauds
Soda Finance Loophole > > < < LV Finance Exit Scam
Sources/Further Reading
AT&T Sued by Customer After Security Breach Led to Theft of Cryptocurrency – News Bitcoin News (Sep 19)
Etheridge v. AT&T, Inc. et al, 4:21-cv-03002, No. 1 (S.D.Tex. Sep. 15, 2021) (Oct 3)
AT&T Sued After SIM Swap Attack Results in $560K Crypto Loss for Customer - BeInCrypto (Oct 3)
https://oltnews.com/att-sued-by-customer-after-security-breach-led-to-cryptocurrency-theft (Oct 3)
AT & T faces proceedings after hacked user loses $ 560,000 in stolen Ethereum cryptocurrency - Fuentitech (Oct 3)
AT&T sued by customer following theft of cryptocurrency after security breach - TechStory (Oct 3)
FBI Warns Digital Currency Exchanges and Crypto Owners of Possible Threats – Bitcoin News (Oct 3)
What To Do When Sim Swapping Happens To You (Oct 14)
 t.me/QuadrigaInitiative
|
 /r/QuadrigaInitiative
|
 @QuadrigaInit
|
 info@quadrigainitiative.com
|