AT&T Sued for $224mn Following SIM Swap

Michael Terpin is an entrepreneur and investor who has made a lot of money from cryptocurrencies. One of his businesses, Transform Group, works with some of the biggest names in cryptocurrency, such as Ethereum, and some people rank Terpin as the 59th most influential person in blockchain. But Terpin might be about to instigate a major transformation amongst some older technology companies. Terpin is taking AT&T to court, accusing them of fraud and negligence after USD23.8mn was stolen from his cryptocurrency account, and seeking an additional USD200mn in punitive damages.

In the 69-page complaint that Terpin’s lawyers submitted to court, they allege that:

…an imposter posing as Mr. Terpin was able to easily obtain Mr. Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password.

…The purloined telephone number was accessed to hack Mr. Terpin’s accounts, resulting in the loss of nearly $24 million of cryptocurrency coins.

…It was AT&T’s act of providing hackers with access to Mr. Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.

The case does sound a lot like a typical SIM swap.

After the hackers took charge of Mr. Terpin’s telephone number, the hackers accessed Mr. Terpin’s telephone to divert texts and telephone calls to gain access to Mr. Terpin’s cryptocurrency accounts. The hackers also used the phone to hijack Mr. Terpin’s Skype account to impersonate him. By that means, the hackers convinced a client of Mr. Terpin to send them cryptocurrency and diverted a payment due to Mr. Terpin to themselves.

AT&T finally cut off access by the hackers to Mr. Terpin’s telephone number on June 11, 2017, but only after the hackers had stolen substantial funds from Mr. Terpin. Moreover, because of the hack, Mr. Terpin expended a substantial amount of time investigating the hack and attempting to repair his computer accounts.

It is possible that Terpin already knows the identity of the AT&T insider who compromised his personal data. Gizmodo reports that Terpin has “been in contact with the FBI, Homeland Security, and the U.S. Secret Service and claims they’ve found the AT&T employee whom they believe assisted in the hacks.”

Terpin is a social media guru; one of his businesses seeded Will.i.am’s ‘Yes We Can’ viral video in support of Barack Obama’s 2008 campaign. It is hence unsurprising that he is using his media skills to draw attention to his case.

The provocative choice of words in Terpin’s complaint appears designed to encourage AT&T to reach a settlement sooner rather than later. Even so, Terpin is doing us all a favor by drawing attention to this kind of crime. We keep hearing about more and more customers suffering because lax telco security resulted in SIM swaps.

The legal team working for Terpin clearly intend to thrash AT&T’s reputation. The exhibits they have submitted include:

  • a 2015 Federal Communications Commission order after AT&T “failed to properly protect the confidentiality of almost 280,000 customers’ proprietary information”;
  • AT&T’s Privacy Policy; and
  • an AT&T statement on their code of conduct which includes the assertion that they “protect the information about our customers that they entrust to us.”

Terpin’s lawyers are going to present a simple argument: that AT&T have failed to protect customer privacy before, that they keep failing to protect customer privacy, and they will continue to fail unless courts start handing out punishments large enough to force a change of attitude.

This lawsuit seeks to hold AT&T accountable for its abject failure to protect subscribers like Mr. Terpin. Apparently, AT&T would prefer to buy Time Warner for over $85 billion than pay for a state-of-the art security system and hire, train, and supervise competent and ethical employees—even when it was well known to AT&T that its system was vulnerable to precisely the type of hack experienced by Mr. Terpin. A verdict for $24 million of compensatory damages and over $200 million for punitive damages might attract the attention of AT&T’s senior management long enough to spend serious money on an acceptable customer protection program and measures to ensure that its own employees are not complicit in theft and fraud. Then and only then will AT&T’s promise to protect the types of personal information that directly led to the hacking of Mr. Terpin’s accounts ring true.

AT&T responded by emailing various news outlets, including Reuters, to state that they “dispute these allegations and look forward to presenting our case in court.” However, they did not elaborate on how they disagree with Terpin.

I am looking forward to this court case too, and I hope it will be decided in open court instead of being brought to an end by an out-of-court settlement where nobody admits anything went wrong and everyone promises they will never talk about it again. Without knowing how well AT&T behaved in practice, our industry must recognize that the risks associated with account takeover frauds are spiraling. This is because the value and importance of services associated with a phone account keeps rising, irrespective of anything that telcos do. Not many of us are cryptocurrency millionaires, but SIM swaps might lead to the theft of someone’s life savings, or irreparable damage to their reputation. At the same time, any defense against SIM swaps will be compromised where there is a reliance on thousands of low-paid staff having access to the personal details of customers. This problem may appear intractable, but that does not mean it can be ignored.

In Kenya, leading telco Safaricom is transparent about the need to fire staff who abet fraud. Across this global industry, there is no business that can afford to be complacent. If Kenyan telcos have to sack insiders who want a slice of crimes worth a few hundred dollars, do we really expect all Americans to be so honest that none will become accomplices to crimes worth thousands or millions? This kind of crime is going to become as normal for telcos as shoplifting in the retail sector or bar staff pouring free drinks for themselves. The difference is that there is a natural limit to the liability when something physical is being stolen, whilst there is no upper limit to crimes committed online. As a consequence, we need to implement much more stringent security procedures to monitor the actions of staff and protect the data of customers.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.