AT&T said it would fight a suit accusing it of negligence in a customerâs loss of $1.7 million in a SIM swap.
The case was brought by Seth Shapiro, VideoCoinâs head of strategy, who blames the phone giant for allowing employees to transfer control of his phone number to criminals during a May 2018 hack.
Speaking to CoinDesk, AT&T spokesman Jim Greer said:
âIt is unfortunate that Mr. Shapiro experienced this, but we dispute his allegations. We look forward to presenting our case in court.â
After a series of brazen SIM swaps, Shapiro said he lost $1.7 million in cryptocurrency. Hackers allegedly seized control of his cellphone, reset his email and breached his exchange accounts to steal $1 million from him, with the balance belonging to other people for upcoming investments.
Greer said AT&T was cautioning all its customers to bolster their security measures, and that mobile phone authentication is not enough:
âRecent high profile cases reinforce the importance of businesses and consumers taking steps to protect against SIM swap fraud, such as not using mobile phone numbers as the single source of security and authentication.â
But Shapiroâs lawyer, Andrew Calderon, maintained that the underlying problem was not customer carelessness but âsystemic negligenceâ by AT&T.
âAT&Tâs failure to secure Mr. Shapiroâs data is not an aberration,â Calderon told CoinDesk. âAs explained in the complaint, AT&T has a rich and troubling heritage of taking less than adequate measures to protect its customersâ data from unauthorized access.â
To access Shapiroâs SIM card, the hackers allegedly paid off AT&T employees â now since fired and being prosecuted in criminal court â to gain control.
According to Shapiro, the initial phone hack occurred during the May 2018 Consensus conference. On the same date, Shapiroâs VideoCoin announced the close of a $50 million private coin offering, for which his related Alphabit Fund subscribed. Two colleagues of his in several ventures â entrepreneurs Chris Kitze and Enzo Villani â were also SIM hacked at the same time, but they did not lose any funds.
In April 2019, Joel Ortiz, the alleged 21-year-old mastermind of the Shapiro hack, was sentenced to 10 years in federal prison, after pleading no contest to charges that he orchestrated 13 SIM swaps. An accomplice, a 19-year-old minor, was charged in seven cases. Ortiz was alleged to have made off with $5.2 million, but only $400,000 was recovered.
Another high-profile SIM hack case was brought against AT&T last year, when Michael Terpin, a crypto exec with a public relations firm, investment company and conference series, and a partner of Shapiroâs in several of those ventures, said he lost $23.8 million when his phone was hacked.
Terpin sued the telephone company to reclaim his losses, in addition to $200 million in punitive damages and that the breach was a violation of the Federal Communication Act. The perpetrators were alleged to be a New York City-based, 21-year-old thief named Nicholas Truglia, along with his 16-year-old computer hacking accomplice.
According to an affidavit filed by a Truglia friend caught up peripherally in his bust, the thiefâs M.O. was to have himself fraudulently added as an admin to a targetâs phone account, then proceed to a local AT&T store where he used his own ID to verify his identity and instruct an AT&T employee to make the changes to provide him access to the SIM.
The loss highlights an obvious question for security experts, who wondered why an experienced crypto executive would keep such high sums in an online exchange rather than âcold storageâ â i.e. offline storage, where it would be completely shielded from remote hacks.
Relying on a cellphone to secure any part of oneâs online security apparatus is a huge potential vulnerability, Haseeb Awan, CEO of the California-based SIM card security provider DontPort, told CoinDesk.
âPeople should avoid SMS [verification] whenever possible,â Awan said. âTwo-factor authentication is probably the worst form of authentication,â because of the ease with which hackers compromise it.
Even without the AT&T moles alleged by Shapiro, Awan, himself the target of multiple SIM swaps, said hackers social engineer, trick and buy their way into victimsâ mobile accounts every day, making the value of cellphone verification almost negligible.
Many people think they will never get hacked simply because they have never been before, Awan said:
âItâs kind of like saying you will never die because you havenât yet.â
That hubris makes them even more vulnerable.
SIM swapping is a relatively well-known threat among high-profile crypto holders, who are often targeted because of their publicity and the heightened likelihood that they may hold valuable assets.
Shapiro, the current head of strategy for VideoCoin and founder of various crypto media projects, even told investigators that he immediately suspected SIM-swapping when his phone suddenly stopped working.
Awan said he was surprised Shapiro could have lost so much money so easily:
âHeâs not some newbie. Heâs been in crypto for a while.â
AT&Tâs Greer said that offline storage is the only real solution:
âFor cryptocurrency, security experts recommend further safeguards, such as keeping cryptocurrency in âcold storage,â an offline environment that canât be accessed via the internet, and following instructions regarding storage of wallet and exchange access credentials.â
Shapiroâs lawyer Calderon, however, said it is not just crypto users who are hurt by these hacks.
âOther victims have lost U.S. dollars and valuable personal information,â he said. âSIM swap attacks have affected people across the spectrum of economic standing. All data accessible through a mobile device is vulnerable when AT&T transfers account access to criminal hackers.â
It was unknown from the legal filings, which, if any, security products the executives had on their hacked phones.
UPDATE (Oct. 30, 22:00 UTC): This article has been updated to include statements received after publication from Shapiroâs lawyer.
SIM card image via Shutterstock
