
SIM Card Swap Attacks: Will Lawsuit Pressure Two Factor Authentication?

Last February, a college student accused of stealing $5 million by hijacking the phone numbers of at least 40 victims was sentenced to 10 years in prison. In a SIM ruse (SIM, or Subscriber Identification Module, is the technology that authenticates a mobile phone subscriber), the hacker convinced a service provider to port the legitimate user’s SIM card to a device used by the robber.

The approach potentially allows hackers to bypass the two-factor authentication (2FA) steps that MSPs and MSSPs increasingly embrace to lock down their internal systems along with customer systems.

While SIM swapping is a little-known threat, it is growing in popularity among hackers, officials warn. At some point, mobile-centric managed security service providers (MSSPs) may get involved in detection and remediation. But for now, it’s the victims who are striking back in a case that could garner widespread attention from SIM victims and service providers.

SIM Card Swapping Victim Sues AT&T

One of the victims is suing AT&T in a $224 million case claiming that the telecom giant allowed hackers to pose as him to steal $24 million worth of cryptocurrency. A federal judge in Los Angeles has rebuffed AT&T’s request to dismiss all claims filed by Michael Terpin, who co-founded an angel group for bitcoin investors called BitAngels and a digital currency fund, BitAngels/Dapps Fund, according to a CNBC report.

Terpin filed the case in U.S. District Court in Los Angeles last summer, claiming that “AT&T’s willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy,” resulted in roughly $24 million worth of cryptocurrency being stolen from his account. Terpin blamed a “digital identity theft” of his account, the report said.

“The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card,” Terpin’s lead counsel Pierce O’Donnell said in a statement.

SIM Card Swapping: Victim's Allegations

Terpin claimed he was robbed on two separate occasions within a two-month period when AT&T was his service provider, CNBC’s report said. He fingered an AT&T store employee as an insider working with the hacker; Terpin said the employee provided the hacker with his information.

“What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner,” the complaint alleged.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.