A federal judge has refused to dismiss a $224M lawsuit against telecom giant AT&T for a SIM swap attack that led to $24 million in stolen cryptocurrency.
AT&T is facing court over allegations it violated the Federal Communications Act, a consumer contract, as well as several other laws, when hackers assumed the identity (and telephone account) of cryptocurrency investor Michael Terpin in 2017. SIM-swapping is when scammers contact a carrier pretending to be their target in order to port the victim’s number to a SIM card that they control. It allows text messages and 2FA codes to be intercepted, facilitating account takeover attacks.
Paul Dunphy, Research Scientist at OneSpan’s Innovation Centre:
“SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication.
Theft of cryptocurrency is currently a key driver for SIM swap attacks due to the large sums that can be quickly stolen, and the low chance that stolen funds can ever be recovered. Using SMS for multi-factor authentication pushes the problem of securing online accounts to mobile network operators, whose number porting processes were historically not designed to withstand the attention of determined attackers.
The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future. I’d advise that for high value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.”
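The defensive counterpart of the advice above, as an added illustration (this is not code from the article, nor from AT&T, OneSpan or Blockpass): a step-up authentication policy on the service side that ranks authenticators by how hard they are to hijack remotely, refuses to let an SMS one-time code alone authorize a high-value action, and distrusts SMS entirely for a cool-off period after the carrier reports a SIM change or number port. The dollar threshold, the cool-off window, the factor names and the existence of a carrier SIM-change signal are all assumptions chosen for the example.

```python
"""Step-up authentication policy treating SMS codes as a weak factor.

Added example, not code from the article or any company it names.
Thresholds, factor ranking and the carrier SIM-change signal are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Factor(IntEnum):
    """Assumed assurance ranking: a higher value is harder to take over remotely."""
    PASSWORD = 0
    SMS_OTP = 1        # tied to the phone number, so a SIM swap captures it
    TOTP_APP = 2       # bound to a device secret, survives a number port
    HARDWARE_KEY = 3   # FIDO2/U2F-style, phishing-resistant


@dataclass
class Account:
    user_id: str
    enrolled_factors: set[Factor]
    # Time of the last SIM change / number port reported by the carrier.
    # That such a signal is available to the service is an assumption here.
    last_sim_change: datetime | None = None


@dataclass
class AuthRequest:
    presented_factors: set[Factor]   # factors successfully verified this session
    transaction_value_usd: float     # value of the action being authorized
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    required_factor: Factor | None = None   # what the user should present instead


HIGH_VALUE_USD = 10_000.0                # assumed step-up threshold
SIM_CHANGE_COOLDOWN = timedelta(days=3)  # assumed distrust window after a SIM change


def strongest(factors: set[Factor]) -> Factor | None:
    return max(factors) if factors else None


def non_sms_alternative(account: Account) -> Factor | None:
    """Strongest enrolled factor that does not depend on the phone number."""
    return strongest({f for f in account.enrolled_factors if f >= Factor.TOTP_APP})


def evaluate(account: Account, request: AuthRequest) -> Decision:
    # Only count factors the account actually has enrolled.
    presented = request.presented_factors & account.enrolled_factors
    if Factor.PASSWORD not in presented:
        return Decision(False, "password required")
    best = strongest(presented)
    if best == Factor.PASSWORD:
        return Decision(False, "second factor required", strongest(account.enrolled_factors - {Factor.PASSWORD}))

    sms_only = best == Factor.SMS_OTP
    recent_sim_change = (
        account.last_sim_change is not None
        and request.now - account.last_sim_change < SIM_CHANGE_COOLDOWN
    )
    if sms_only and recent_sim_change:
        return Decision(False, "SMS code rejected: SIM changed recently", non_sms_alternative(account))
    if sms_only and request.transaction_value_usd >= HIGH_VALUE_USD:
        return Decision(False, "high-value action needs a non-SMS factor", non_sms_alternative(account))
    return Decision(True, f"authenticated with {best.name}")


if __name__ == "__main__":
    # Constructed sample: an account with SMS and an authenticator app enrolled.
    now = datetime(2024, 1, 10, 12, 0)
    acct = Account("alice", {Factor.PASSWORD, Factor.SMS_OTP, Factor.TOTP_APP})
    print(evaluate(acct, AuthRequest({Factor.PASSWORD, Factor.SMS_OTP}, 500.0, now)))
    print(evaluate(acct, AuthRequest({Factor.PASSWORD, Factor.SMS_OTP}, 24_000_000.0, now)))
    acct.last_sim_change = now - timedelta(hours=2)
    print(evaluate(acct, AuthRequest({Factor.PASSWORD, Factor.SMS_OTP}, 500.0, now)))
```

The cool-off rule matters because a fraudulent port-out tends to precede the account takeover by hours, which is exactly when an SMS code is least trustworthy; when `non_sms_alternative` returns `None` the denial also tells the service the user still needs to enrol an authenticator app or hardware key.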
The case comes at a time of growing calls for tighter identity protocols, with some, like Adam Vaziri of Blockpass, championing the establishment of user-controlled self-sovereign identity:
“We need to conceive a system that addresses verification at a core level, which is biometric but – and it’s a big ‘but’ – without undermining the citizens themselves by putting them in a worse situation.”