AT&T will be forced to defend itself in court after a judge refused to throw out a $224m lawsuit alleging the firm is liable for handing over the defendant’s SIM card to hackers.
The telco giant is in the dock after entrepreneur Michael Terpin was hit by a classic SIM swap attack, in which hackers persuaded an AT&T agent in a Connecticut store to transfer his mobile phone number to a new SIM.
They were then able to intercept one-time passcodes sent via text to unlock Terpin’s cryptocurrency accounts and drain them of funds worth an estimated $24m.
In August last year, Terpin’s lawyers filed 16 counts of fraud, including gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, and failure to supervise its employees and investigate their criminal background.
More broadly, Terpin is arguing that AT&T’s contract is too one-sided.
“Mr Terpin’s claim seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety,” presiding judge Otis Wright said. “Specifically, he objects to the exculpatory provision that exempts AT&T from liability from its own negligence, acts or omissions of a third party, or damages or injury caused by the use of the device.”
Wright ruled that Terpin’s lawyers had “sufficiently alleged” that AT&T may have violated the Federal Communications Act by allowing unauthorized access to their client’s accounts – meaning the $224m lawsuit will proceed.
“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” noted Terpin’s lead counsel Pierce O’Donnell. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
The case will be watched eagerly by other telco providers as SIM swapping becomes increasingly commonplace.
It’s believed that Terpin’s nemesis on this occasion was a gang led by New Yorker Nicolas Truglia, the arrested “Bitcoin bandit” who used phishing techniques and fake ID documents bought on the dark web to con telco support operatives into porting customer phone numbers.
Paul Dunphy, research scientist at OneSpan’s Innovation Centre, said the attacks also raise serious questions about the use of SMS in multi-factor authentication (MFA).
“The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future,” he added. “I’d advise that for high value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.”