American investor and founder of the BitAngels bitcoin angel group, Michael Terpin, has filed a $224 million lawsuit against AT&T, claiming that the telecommunications giant allowed criminals to steal his phone number – and, with it, $24 million of his cryptocurrency.
According to the suit filed on August 15th in California, AT&T failed to adequately protect Terpin’s digital presence on multiple occasions, leading to his phone number being taken over by criminals. Because one-time codes sent to cellphones via SMS are commonly used both as a second factor in multifactor authentication and as a password-reset mechanism, criminals who steal someone’s phone number are frequently able to gain unauthorized access to many of that person’s financial, social media, and other accounts; apparently, criminals exploited such tactics to access and steal $24 million from Terpin. (Note: If one-time passwords are used on the same system for both resetting passwords and for multi-factor authentication, the resulting authentication is, by definition, single factor.)
I have previously warned readers about the dangers of criminals trying to steal people’s phone numbers – if you are not yet familiar with such scams, please see the article Do Not Let Criminals Steal Your Cellphone Number With This Scam ASAP.
Wireless carrier computer systems often contain clear records of the phone numbers of various celebrities and other wealthy parties; it is no secret, therefore, that criminals often try to bribe the firms’ employees to provide them with both information about, and access to, such accounts.
The lawsuit against AT&T could set legal precedents as to what level of account-security wireless carriers can reasonably be expected to provide for their customers. Personally, I am highly skeptical as to whether current levels are truly adequate.
In recent years, for example, at least one major carrier has actually weakened a significant defense feature used to shield people’s accounts from crooks. For over a decade, Verizon allowed users to establish passwords which representatives would ask for prior to discussing an account with anyone calling in or visiting a Verizon store; recently, however, it seems that Verizon has adopted a PIN-based model – forcing some users both to shorten their passwords and to use strictly numeric codes rather than benefit from the much greater number of possible password permutations available with alphanumeric passwords. (Of course, you can use a numeric representation of an alphanumeric word – but doing so means that multiple “words” will be deemed to be correct passwords.)
Some information-security experts have suggested that migrating from texted one-time codes to smartphone-app-generated codes could improve security, because the codes are generated on the device itself rather than delivered to whoever possesses a more easily pilfered phone number. Such an approach, however, is hardly foolproof. Furthermore, as I discussed previously, app-based authentication creates inconvenience when migrating to a new phone – users often must individually reset the authentication configuration on each and every site protected by codes generated by the app – and many folks are simply not willing to adopt new technologies with such drawbacks.
Will the verdict in the Terpin-AT&T case serve to accelerate migration to a better form of authentication? Time will certainly tell.