$224M SIM Swap Fraud Lawsuit Against AT&T – Federal Judge Refuses To Dismiss Case

A federal judge has refused to dismiss a $224M lawsuit against telecom giant AT&T for a SIM swap attack that led to $24 million in stolen cryptocurrency.   

AT&T is facing court over allegations that it violated the Federal Communications Act, a consumer contract, and several other laws when hackers assumed the identity (and telephone account) of cryptocurrency investor Michael Terpin in 2017. SIM swapping is when scammers contact a carrier pretending to be their target in order to port the victim’s number to a SIM card that they control. It allows text messages and 2FA codes to be intercepted, facilitating account takeover attacks.

Expert Comments:  

Paul Dunphy, Research Scientist at OneSpan’s Innovation Centre:  

SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication.   

Theft of cryptocurrency is currently a key driver for SIM swap attacks due to the large sums that can be quickly stolen, and the low chance that stolen funds can ever be recovered. Using SMS for multi-factor authentication pushes the problem of securing online accounts to mobile network operators, whose number porting processes were historically not designed to withstand the attention of determined attackers.

The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future. I’d advise that for high-value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.
