A federal judge has refused to dismiss a $224M lawsuit against telecom giant AT&T for a SIM swap attack that led to $24 million in stolen cryptocurrency.
AT&T faces allegations that it violated the Federal Communications Act, its own consumer contract and several other laws when hackers assumed the identity (and telephone account) of cryptocurrency investor Michael Terpin in 2017. SIM swapping is when scammers contact a carrier, pretend to be their target and have the victim's number ported to a SIM card they control. Once the number has moved, the attacker receives the victim's text messages, including SMS 2FA codes, which is what makes the subsequent account takeover possible.
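The attack described above works because the one-time code travels over a channel the carrier controls: whoever holds the phone number gets the code. An authenticator that derives codes from a secret stored on the device (RFC 6238 TOTP, the scheme behind authenticator apps) has no such dependency, so reassigning the number at the carrier yields nothing. The block below is an added example, not code from the article, AT&T or OneSpan; it implements HOTP/TOTP from the RFCs, uses the RFC 6238 test-vector key as the device secret, and the one-step skew window in the verifier is an assumed design choice.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP, plus a verifier.

The shared secret lives on the user's device and the server; the phone
number plays no part, so a SIM swap does not expose the next code.
The secret below is the RFC 6238 SHA-1 test-vector key, not a real one.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = TIME_STEP,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: int, skew: int = 1,
                digits: int = 6, step: int = TIME_STEP) -> bool:
    """Accept a code from the current window or `skew` windows either side.

    compare_digest keeps the comparison constant-time. A real deployment
    would also record the accepted counter to refuse replay of the same code.
    """
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, at + delta * step, digits, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives 94287082 for 8 digits.
    print("8-digit TOTP at t=59:", totp(TEST_SECRET, 59, digits=8))
    print("6-digit TOTP at t=59:", totp(TEST_SECRET, 59))
    print("verify 287082 at t=59:", verify_totp(TEST_SECRET, "287082", 59))
```

Because the server checks the code against its own copy of the device secret, a carrier porting the number to an attacker's SIM changes nothing about what the verifier will accept; contrast this with an SMS OTP, where the server's only binding is to the phone number itself.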
Paul Dunphy, Research Scientist at OneSpan’s Innovation Centre:
SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication.
Theft of cryptocurrency is currently a key driver for SIM swap attacks due to the large sums that can be quickly stolen, and the low chance that stolen funds can ever be recovered. Using SMS for multi-factor authentication pushes the problem of securing online accounts to mobile network operators, whose number porting processes were historically not designed to withstand the attention of determined attackers.
The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future. I'd advise that, for high-value accounts, individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.