AT&T Faces $224M Legal Challenge Over SIM-Jacking Rings

Cryptocurrency investor and Dogecoin founder Michael Terpin has filed a $223.8 million lawsuit against AT&T, alleging the mobile phone giant turned a blind eye to SIM fraud.

Terpin alleges that more than 3 million cryptocurrency tokens worth $24 million were lifted from his digital wallet at an AT&T store in Connecticut in January, when an AT&T employee swapped out the SIM card on his device to hijack his mobile phone content. The tokens were then transferred to an international criminal gang, which the FBI has been targeting with an ongoing investigation.

SIM cards are essentially the authenticator of a mobile device, containing the individual’s personalized settings and connecting the device with the network and an account. This allows people to take their settings, content and services/phone number with them when they switch handsets. Thus, a bad actor with physical access to a device can simply swap SIM cards in order to gain access to an unsuspecting person’s account, gaining the ability to initiate or receive that person’s calls and texts, application notifications and, importantly, two-factor authentication codes and authorizations, such as those used for money transfers. They can also change security settings to prevent the victim from regaining access to the account.

The easiest way for a malefactor to do this is by working with a rogue mobile store employee who has regular access to people’s devices, or by co-opting someone’s handset and then taking advantage of lax authentication methods to ask for a seemingly legitimate SIM swap from the carrier. Provided the thief can answer basic security questions, it’s possible to cancel the old SIM and order a new one, and from there commandeer the victim’s mobile account.

“SIM-jacking arose as a response to the growing adoption of two-step verification (also referred to as two-factor authentication) as a means to protect online accounts from hackers,” Paul Bischoff, a privacy advocate at Comparitech.com, said via email. “Most two-step verification requires entering a PIN number sent to the user’s phone number. Unfortunately, employees who work at stores run by mobile carriers like AT&T have free rein to hijack a SIM card and transfer the phone number to a different device. This can be done unbeknownst to the user, so thieves will seek out store employees who can be bribed to assist with SIM-jacking.”
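The mechanism described above, a SIM change followed minutes later by SMS-delivered codes being used to reset passwords and approve transfers, is exactly the sequence a service or fraud team can look for. The following is an added example, not code from the article, from AT&T or from any party to the lawsuit: it parses a few constructed log lines (a carrier-side SIM change record plus service-side events keyed by the same phone number), applies an assumed 48-hour cooldown during which SMS codes are not accepted as a sole factor, and flags sensitive events that landed inside that window.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real carrier or wallet data): one carrier-side
# SIM change record per affected number, plus service-side events for the same numbers.
SAMPLE_EVENTS = """\
2018-01-07T10:02:00 sim_change        +15550100001 store=CT-0421
2018-01-07T10:41:00 sms_otp_verified  +15550100001 app=wallet action=withdrawal
2018-01-07T10:43:00 password_reset    +15550100001 app=wallet
2018-01-07T14:00:00 sms_otp_verified  +15550100002 app=email action=login
2018-01-03T09:00:00 sim_change        +15550100003 store=NY-0003
2018-01-09T09:30:00 sms_otp_verified  +15550100003 app=bank action=login
"""

# Event kinds a SIM-jacker would trigger right after taking over the number.
SENSITIVE_KINDS = {"sms_otp_verified", "password_reset"}

# Assumed policy window: SMS-delivered codes are treated as untrusted for this long
# after the carrier reports a SIM change on the number.
SIM_CHANGE_COOLDOWN = timedelta(hours=48)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    msisdn: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse whitespace-separated log lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, msisdn, *rest = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, msisdn, " ".join(rest)))
    return sorted(events, key=lambda e: e.ts)


def last_sim_change(events: list[Event], msisdn: str, before: datetime) -> datetime | None:
    """Most recent SIM change recorded for the number at or before `before`, if any."""
    changes = [e.ts for e in events
               if e.kind == "sim_change" and e.msisdn == msisdn and e.ts <= before]
    return max(changes) if changes else None


def otp_allowed(events: list[Event], msisdn: str, at: datetime,
                cooldown: timedelta = SIM_CHANGE_COOLDOWN) -> bool:
    """Policy check a service can run before accepting an SMS code as a factor.

    Returns False when the number's SIM was changed within `cooldown` before `at`;
    the caller should then require a non-SMS factor (app-based TOTP, hardware key,
    or an in-person/out-of-band verification) instead of the texted code.
    """
    changed = last_sim_change(events, msisdn, at)
    return changed is None or at - changed > cooldown


def flag_post_swap_activity(events: list[Event],
                            cooldown: timedelta = SIM_CHANGE_COOLDOWN) -> list[Event]:
    """Detection pass: sensitive events that landed within `cooldown` of a SIM change."""
    return [e for e in events
            if e.kind in SENSITIVE_KINDS and not otp_allowed(events, e.msisdn, e.ts, cooldown)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in flag_post_swap_activity(evs):
        print(f"ALERT {hit.ts.isoformat()} {hit.msisdn} {hit.kind} ({hit.detail})")
```

Run stand-alone, it alerts on the two events for the first number (the OTP-approved withdrawal and the password reset 39 and 41 minutes after the SIM change) and stays quiet for the number whose SIM changed six days before its login. The check only works if the carrier exposes SIM-change timestamps to the relying service, which is the point the article is circling: without that signal, an SMS code tells the service nothing about who currently holds the number.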

SIM-jacking has been on the rise, drawing law enforcement attention. The Feds in fact made two SIM-jacking arrests in July, including charging Joel Ortiz with 28 counts, including a $1.5 million SIM swap of an AT&T subscriber during New York Blockchain Week – he’s suspected of stealing at least $5 million in cryptocurrency. Then, Ricky Joseph Handschumacher was arrested in Florida on July 18 for his role in a gang that stole at least $460,000 in Bitcoin by hijacking SIM identities from AT&T customers.

While the criminal drama plays out, Terpin is suing AT&T as the responsible party in the situation, alleging that the carrier has been asleep at the switch while its store employees run rampant – despite the fact that this kind of insider fraud is notoriously difficult to pinpoint and root out, especially in a retail footprint of 16,000+ stores.

The lawsuit levels 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges in US District Court in Los Angeles. Terpin said that he had been SIM-jacked before, after which, he claims, AT&T promised him a unique, purportedly unchangeable password with “unbreachable security.”

“AT&T’s studied indifference to protecting its customers’ privacy and financial assets is a metastasizing cancer, threatening hundreds of millions of unsuspecting AT&T’s customers,” said Pierce O’Donnell, senior partner at leading litigation firm Greenberg Glusker and lead counsel for Terpin in the complaint, in a media statement. “Our client had no idea when he initially signed up, nor when later he was promised the highest level of security for his account, that low-level retail employees with access to AT&T records, or people posing as them, can be bribed by criminals to override every system that AT&T advertises as unassailable.”

The 69-page complaint alleges that AT&T has not improved its account security protections despite knowledge that some of its employees are criminals: “AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well-aware that its customers are subject to SIM swap fraud, and that its security measures are ineffective.”

AT&T had not commented on the litigation at the time of publication, but John Gunn, CMO at OneSpan, told Threatpost that holding the phone giant liable may be fanciful thinking.

“If carriers, ISPs and MNOs had to bear full financial responsibility for every crime and act of fraud committed across their networks, they would all cease to exist,” he said. “Viewing this under the doctrine of assumed risk, it would be very difficult for the plaintiff in this action to prove they were unaware of the inherent risks of mobile and online transactions.”