A US entrepreneur and cryptocurrency investor has filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud.
Lawyers acting on behalf of Michael Terpin filed 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and other charges in a US District Court in Los Angeles yesterday.
On January 7, an AT&T agent in a Connecticut store is alleged to have agreed to transfer Terpin's mobile phone number to a new SIM, which an “international criminal gang” then used to commit major identity fraud.
Specifically, they were able to circumvent 2FA security on his cryptocurrency accounts by intercepting one-time SMS passcodes to access them and then transfer funds to the tune of $24m elsewhere.
“Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr Terpin was able to easily obtain Mr Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password,” the complaint alleges.
“It was AT&T’s act of providing hackers with access to Mr Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.”
The complaint further alleges that AT&T’s 140 million customers are at a similar risk of SIM swap fraud “because it has become too big to care.”
AT&T is disputing the allegations and claims to be looking forward to “presenting our case in court.”