Last February, a college student accused of stealing $5 million by hijacking the phone numbers of at least 40 victims was sentenced to 10 years in prison. In a SIM ruse (SIM stands for Subscriber Identification Module, the technology that authenticates a mobile phone subscriber), the hacker convinced a service provider to port the legitimate user’s SIM card to a device used by the robber.
The approach potentially allows hackers to bypass the two-factor authentication (2FA) cybersecurity steps that MSPs and MSSPs increasingly embrace to lock down their internal systems along with customer systems.
While SIM swapping is a little-known threat, it is growing in popularity among hackers, officials warn. At some point, mobile-centric managed security service providers (MSSPs) may get involved in detection and remediation. But for now, it’s the victims who are striking back in a case that could garner widespread attention from SIM victims and service providers.
SIM Card Swapping Victim Sues AT&T
One of the victims is suing AT&T in a $224 million case claiming that the telecom giant allowed hackers to pose as him to steal $24 million worth of cryptocurrency. A federal judge in Los Angeles has rebuffed AT&T’s request to dismiss all claims filed by Michael Terpin, who co-founded an angel group for bitcoin investors called BitAngels and a digital currency fund, BitAngels/Dapps Fund, according to a CNBC report.
Terpin filed the case in U.S. District Court in Los Angeles last summer, claiming that “AT&T’s willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy,” resulted in roughly $24 million worth of cryptocurrency being stolen from his account. Terpin blamed a “digital identity theft” of his account, the report said.
“The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card,” Terpin’s lead counsel Pierce O’Donnell said in a statement.
SIM Card Swapping: Victim's Allegations
Terpin claimed he was robbed on two separate occasions within a two-month period when AT&T was his service provider, CNBC’s report said. He fingered an AT&T store employee as an insider working with the hacker; Terpin said the employee provided the hacker with his information.
“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the complaint alleged.