Skip to content

Top Best Ask Show New Jobs

Man sues AT&T over 'SIM Swap' hack allegedly involving employees (opens in new tab)

(foxla.com)

242 pointsCrafty_Gurl6y ago119 comments

119 comments

77 comments · 19 top-level

sfteus6y ago· 10 in thread

Had this happen to me last week. Thankfully they only tried to get into a few e-mail accounts, which I was quick enough to get into, kill their session, and recover them before any real damage was done. AT&T of course claimed it was impossible for that to happen, despite a different phone showing up in my account, a bunch of unexplained SMS messages I never received, and two calls accessing my voicemail that I didn't make.

Currently working on finishing moving passwords from a Google account to my password manager and resetting them all, as well as replacing anything that uses an SMS 2FA with a time based authenticator or other alternative where possible. Planning on getting a FIDO key to use where I can. Also setting up a Voice number on an account that's used for nothing else besides 2FA in the instances where there is no better form of authentication.

sneeze-slayer6y ago

One thing I've noticed lately is that Google Voice numbers are working with fewer and fewer companies. For example, I don't think that they work with Wells Fargo or Chase. Wells Fargo said flat out that the phone number can't be validated.

sfteus6y ago

That's interesting, I appreciate the heads up. I'll have to see if I can find some other workaround whenever that pops up.

lotsofpulp6y ago

Did you have a PIN setup with ATT? I am trying to figure out which of their employees can modify the account without the PIN.

rwmurrayVT6y ago

There are thousands of AT&T and Verizon accounts for sale online with PIN, SSN, DoB, email address, email password, etc. Some of them are paired with known bank account login information, credit report, etc. They're less than 300 USD.. Once you have the phone and information you can either use fake ID + SSN + phone to use established credit line at a retailer or if you have banking information perform a wire transfer. It's rampant.

thatguy09006y ago

As of a year or two ago when I worked at a authorized att dealer, manager logins can access any account without a pin and any employee can access prepaid accounts without a pin.

Edit:for whatever its worth att does keep a record of what employees accessed an account and when, and notes when managers bypass the pin, so doing this an an employee seems really stupid to me.

sfteus6y ago

Yes, we have a PIN on the account. They did ask for it in store when I went to get a new SIM card.

Are things like this usually targeted, I.e. the hackers know enough about you to know who you are and you probably know their names or at least know someone they know? How do hackers even pick their targets?

bitcoinmoney6y ago

How did they know your email password and phone number at the same time?

sfteus6y ago

The main e-mail they targeted was included in several breaches, specifically of note the CafePress and Yahoo breaches, but various others as well. I would wager they just compiled data from each until they found something that worked.

r1ch6y ago

A scary amount of services will let you reset a password over SMS.

pjy046y ago· 10 in thread

Wasn’t there a pin on his account?

Employees are able to override the pin entering requirement. There is absolutely nothing you can do to stop this from happening if you happen to get targeted. (Speaking from experience)

caleb-allen6y ago

It is a liability to trust another party with keys to cryptocurrency with such high value.

To step out of the regulated financial system is to open oneself up to these liabilities with little recourse.

That is not to say that telecom companies should not fix this. They absolutely should.

green-eclipse6y ago

AT&T employees on the inside were in on the scam. There's more details in this other article:

https://www.foxla.com/news/fox-11-tracks-down-verizon-employ...

cactus20936y ago

It’s better than nothing that AT&T finally allows pins at all, but one thing that’s insane about it is every time you log in on the web there’s a checkbox to never ask for your pin again. It’s exactly where you’d expect a checkbox for something like “remember me”, except it opens up a huge security hole in your account if you accidentally check it.

Pins obviously have other issues that make no sense, like the incredibly low complexity allowed that would never be acceptable for a password. But even aside from that I guess AT&T also want everyone to turn their pin off? I hope they do lose a lawsuit and actually have to start giving a shit about pin swapping and make things more secure by default.

sowbug6y ago

Pretty sure that's only for the current device, not for the account.

When i upgraded my phone, I had to get a new (micro?) sim and they didn't even ask for my ID or the old sim.

wil4216y ago

Exactly. I have a pin on my account after identity thieves opened a bunch of AT&T and Verizon accounts under my name (thanks Equifax!). Since this happened I’ve been in the AT&T stores when I bought an unlocked phone on two occasions. The employees at the store weren’t able to do a thing until I spoke with a special call center on the phone and did verifications.

One time there was something wrong on their end and no one could do anything until the system to verify my pin was back up.

ars6y ago

Would that have helped if there was an insider (AT&T supervisor) authorizing the transfer?

i.e. can a supervisor override lack of a PIN?

adrr6y ago

Pin is last 4 of social which isn’t hard to get.

wil4216y ago

No it is not. My pin is not my or my wife’s social. I was able to choose whatever I wanted.

asdfasgasdgasdg6y ago· 8 in thread

This is exactly the kind of thing that needs to start happening to actually motivate the companies to stop allowing this BS. Good luck!

Also, don't have your life savings in crypto, but if you must, then please for the love of everything holy don't put it someplace where a SIM swap attack is enough to get it out. Irreversible transactions are kind of the whole point of it, so you need to be much more careful with crypto credentials than, say, your bank password or credit card.

sliken6y ago

Indeed, listen to NIST: [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

skunkworker6y ago

Sad that one of my current banks (Chase) won't add TOTP to their login.

Edit: https://twitter.com/skunkworker/status/1131297869703438337

@ChaseSupport Hey Chase, when will offline TOTP be added for a more secure login?

Thank you for reaching out! What we have is the multi-factor authentication on all online accounts. You can visit https://tinyurl.com/y7r2fztd for more info on how we protect and secure your information. ^AA

cik6y ago

It's rather sad that Canadian banks still view SMS as the best way forward. They'll text you, they'll email you, they'll validate over the phone... all of which are really this same problem.

I'm waiting for the days our banks will accept multiple 2FA solutions.

ezoe6y ago

No matter how careful you are, the service(bank, SNS and everything) you're using aren't. If you hand over them a phone number and they think phone number alone can identity you, you're done for.

The only solution is not using the phone. The phone reached it's limit. It's not trustworthy communication method.

> Irreversible transactions are kind of the whole point of it

Just as a sidenote, the problem isn't that the transactions are irreversible, they're also irreversible for banks. You never reverse the actual transaction, you just create another transaction in the opposite direction. Sometimes banks accidentally sent money to the wrong (foreign) bank and kissed them goodbye. The other bank had no obligation to send it back and if the 2 don't have a relationship and don't plan on having one it's free money for the recipient.

The difference with crypto is that you're basically dealing with "untrustworthy" parties since there's no central trustworthy authority over the whole network. The advantage is that nobody can control the network. The disadvantage is that you have no leverage over the receiving party.

It's like a private individual ad-hoc lending money to a friend vs. lending money to a total stranger. There's probably no legal obligation to return it but friends most likely will.

asdfasgasdgasdg6y ago

From the perspective of the bank customer, in the US, bank transactions are reversible, by fiat. It does not matter to the customer whether the bank is out money or not. All that matters is that you are made whole in the case of a fraudulent transaction.

And they'll just hide their binding arbitration clauses.

jokoon6y ago

> Also, don't have your life savings in crypto

Exactly. Cryptocurrency, in my view, are meant to be intermediary currency. Keeping a lot of it is just too risky.

Tech nerds seem to like cryptocurrencies because it's a cool and fancy gadget, but the reality is that normal banks are more secure. If your money gets stolen, banks can trace it, cancel transactions, and there are insurances in place to recover your money. Governments are involved in bank security.

Currencies are not trivial things. Only libertarians and anti-government, anti-federal-reserve people will actually prefer cryptocurrencies to their own risk.

I get that the AT&T employee is guilty, but the victim was asking for it.

sdan6y ago· 7 in thread

This is exactly why I’m only faithful to FIDO U2F keys. Got a couple and ensure they’re safe. No one’s hacking my accounts unless they crack both my passwords and rob me physically... which at this point doesn’t seem like it’s going to happen.

“Hello thanks for calling. I understand you want to reset your password. To verify it’s really you may I have your cryptographically impregnable super token? Oh it’s lost, I see, how about can you verify your billing zip? Splendid you’re all reset.”

sdan6y ago

Suppose we take Coinbase (I don't use it, but I've heard SIM swapping is done regularly with Coinbase):

Suppose you lose all your physical keys: I don't think you can social engineer hack Coinbase (pretty sure most companies won't allow people to just give away your password/send a reset email to some other email).

Or suppose you get them to send me an email to reset my password. But my email also has FIDO u2f! And I know as a fact you can't social hack my email provider.

555556y ago

I think he's saying that the private keys to his crypto never leave physical hardware. There is no phone number to call if he loses them, but on the other hand what you are describing is impossible.

rb8086y ago

What happens if the keys get lost or destroyed? It seems like a never ending problem.

munchbunny6y ago

Keep two or three, put one in a bank or a safe at home. That should be enough redundancy for most people. As long as you can still get in to revoke/enroll stuff you should be okay.

It’s not so much a problem as it is a balance of security, redundancy, and effort. You decide where you want to be on that balance of considerations.

sliken6y ago

Get 2 keys, keep one in a safe place. Add both to your important accounts.

Then also setup TOTP, so if you lose both keys and have a working cell phone with the app installed you can still login.

sdan6y ago

I have one at work/keep on my computer and one at home.

Some websites allow TOTP which is still safer than SMS, but if I lose one, I'll get another one while I use the 2nd.

techsupporter6y ago· 6 in thread

I wish him the best of luck but considering AT&T was a party in the big Supreme Court decision setting the precedent, I predict this falls down the dark hole of mandatory, binding arbitration about twelve minutes after the first hearing on a motion to dismiss and compel arbitration.

We’ve collectively given up our rights to sue in many instances (including when signing up for HN-backed services run by people who should know better).

xkcd-sucks6y ago

> (including when signing up for HN-backed services run by people who know they can get away with it)

lbatx6y ago

I don't think so. This guy is the second (or third or whatever) person to sue AT&T over a SIM swap. The first case is already moving to trial: https://www.coindesk.com/att-fails-to-win-dismissal-in-24-mi....

ikeboy6y ago

So it gets moved to arbitration. If anything, it will move quicker and cost him less than a court case would.

sneeze-slayer6y ago

Binding arbitration is almost unilaterally bad for consumers.

See: https://www.nytimes.com/2015/11/01/business/dealbook/arbitra...

pjc506y ago

.. but is guaranteed to rule in favor of the bigger party.

elliekelly6y ago

If by “him” you mean AT&T, definitely.

fortran776y ago· 4 in thread

He's got good evidence. The SIM-swappers have actually been convicted. ATT says it's "an industry" problem, but it's 100% their problem. They are doing nothing to stop employees from robbing their customers.

Of course the victim could probably have protected his "life savings" better, but that's not the point.

AT&T's going to say "you don't own that phone number--it's ours--and we never said it was intended for verifying your identity. Take it up with whoever stole your number and your--wait, someone stole your cryptocurrency? You realize banks are insured against mistakes like this and bitcoin wallets aren't, right?"

Losing your life’s savings in an irrevocable way is a feature of crypto currency. Not a bug!

Except AT&T themselves use the phone number as a form of identity verification / 2nd factor so that argument doesn't really hold up.

Also insurance doesn't always hold up in cases like this, especially if the company was aware of the weakness and chose to do nothing about it.

mikelward6y ago

Their employees and their systems.

Ideally it wouldn't be possible for a single employee to do this.

camkego6y ago· 3 in thread

The amazing thing is with Wells Fargo that if you have a RSA SecurID 2FA FOB for access to your bank accounts, and you have a phone number configured for the account, you can use EITHER the 2FA RSA one-time pin, OR SMS verification to log into your bank account web page.

I mean this is a bank, are these guys for real?

Yes, although there is actually a lower transaction limit on sessions initiated with SMS 2FA vs SecurID.

Which almost furthers the point that this is bad, isn’t this an acknowledgement by them that SMS 2FA is less secure? If it’s less secure and you have SecurID, why can’t I disable SMS?

2sk216y ago

Thats really bad. Chase doesn't even offer the option of non-phone 2FA

darkhorn6y ago· 3 in thread

How do you know if someone has obtained a SIM card with your identity? Do you have a web site for this, like https://www.turkiye.gov.tr/mobil-hat-sorgulama ?

wmf6y ago

Usually your phone stops working because your old SIM card gets disabled.

rwmurrayVT6y ago

You can also add an authorized user or open up an entirely new line. You won't notice until you receive your bill.

What if they obtain a SIM card from another mobile provider with a different phone number?

usaphp6y ago· 3 in thread

> and within minutes, the hackers had stolen $1.8 million in cryptocurrency from him

> It essentially destroyed our financial future, our entire life savings was stolen

Who keeps their entire life savings in crypto?

judge20206y ago

With that much money not using a hardware wallet is short-sighted.

tyingq6y ago

Even that leaves it in a crazy volatile currency. Adrenaline junkie I guess, assuming it really was their life savings.

nguoi6y ago

When they say 'life savings' (conjuring the image of money saved slowly, over a lifetime), what they really mean is 'gambling profits'.

geofft6y ago· 1 in thread

> When FOX 11 reached out to AT&T for comment on the SIM swap lawsuits against them, the company responded “This is an industry problem,” and referred us to the CTIA for more information.

And AT&T is the industry leader.

I don't even see how it's an industry problem - AT&T didn't do thorough verification before swapping the SIM, there's nothing broader about it.

dev_dull6y ago· 1 in thread

I’ve mostly disabled 2fa via phone where alternatives exist. Unfortunately some services (such as twitter) require you to verify a number (you can sign up, but you’ll quickly be account-locked without providing a number)

I’m still wondering why I can’t use Touch ID to do U2F...

MaxGabriel6y ago

Touch ID support for WebAuthn is live in the latest Chrome!

ghostpepper6y ago· 1 in thread

I am not condoning or justifying criminal behaviour but I have to wonder why on earth he would have his life savings in cryptocurrency, protected only by SMS 2FA, if he knew someone else this had happened to?

sdan6y ago

He clearly isn’t educated enough (not to be mean).

Especially if you’re going around with that much crypto always always remember:

Not your keys, not your coins.

Always store cold storage and set aside some for trading if you want. And if you’re trading, always use FIDO U2F physical keys.

runn1ng6y ago· 1 in thread

The lesson here is not to sue AT&T. The lesson here is to stop investing in cryptocurrency.

colejohnson666y ago

So it’s all the guy’s fault for the problem and AT&T has no fault? Could it be they both made a mistake?

sdan6y ago

If you're into crypto, remember:

Not your keys, not your coins.

chii6y ago

This is why SMS verification is insecure.

megous6y ago

Phone number is not something you own, it's just a record on someone else's computer system. It's really weird that it passes as "something you own" part of multi-factor auth for so many serious companies.

gertrunde6y ago

I love the response: "This is an industry problem."

Translation: "All telcos are equally bad at this, so who are you going to switch to? So why should we bother fixing it? What's in it for us?"

arminiusreturns6y ago

To me this is more about the lack of internal controls and auditing of those controls at ATT. I know someone who is a supervisor fairly high up with them and I suspect has abused that power to spy on an ex, but she assures me "he can't because of the internal flags"... I figure there are a multitude of ways around that. Events like this don't give me confidence that I am wrong.

This is why sms as 2FA is terrible: cell phone companies are not hardened.

j / k navigate · click thread line to collapse