According to cybersecurity specialists, every year thousands of users of telecommunications companies suffer hacking attacks that aim to take control of their phone numbers in order to commit identity fraud, extortion and other felonies.
A well-known case is that of Michael Terpin, a cryptocurrency investor who, after noticing failures in his mobile phone service, called the company only to find out that a hacker had seized his personal phone number using a technique known as a “SIM swap” attack. The victim claims that the threat actors subsequently accessed his Skype account and tricked one of his clients into performing a cryptocurrency transfer.
The cybersecurity team at AT&T, Terpin’s telecommunications company, agreed with the victim to implement a six-digit security code that would have to be entered whenever anyone requested to transfer the phone number from Terpin’s SIM card to another one.
However, this security measure proved futile. Sometime after the first incident, Terpin claimed that hackers, in complicity with an AT&T store, swapped his phone to another SIM card again; thanks to this, the criminals managed to steal more than $20M USD in virtual assets.
Michael Terpin decided to file a lawsuit for more than $25M USD against AT&T. The plaintiff asked the court to void the clauses in which the company waives liability for any security incidents related to its services. Terpin believes that users have no choice but to approve these terms to continue using telecommunications services.
On the other hand, the company asked the court to dismiss the case, as the plaintiff was unable to establish the link between the hacking of his phone number and the cryptocurrency theft. In his lawsuit, Terpin offers no details about the protections he implemented for his virtual assets and does not mention whether this information was vital to carrying out the attack.
Although most of the charges filed by Terpin were dismissed, he now has a new 21-day deadline to resubmit his lawsuit; this time, he will need to fully explain how the cryptocurrency was stolen, as well as the reasons why he believes AT&T bears a significant degree of responsibility for this incident.
According to cybersecurity experts from the International Institute of Cyber Security (IICS), these kinds of attacks focused on victims’ SIM cards are especially dangerous for members of the cryptocurrency community, as the nature of these assets prevents tracking a transaction in the event of theft or fraud.