Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.
Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of this clients to send money to them rather than Terpin.
The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.
“We dispute these allegations and look forward to presenting our case in court,” AT&T told Reuters.
The trouble is, experts have said, it’s often relatively simple to trick phone company employees into reassigning numbers to thieves in what’s called a “SIM swap” scam. Once they control the number, they can intercept texts for two-factor authentication programs and password resets, quickly hijacking other accounts. The victim sometimes even struggles to contact the phone company, since his or her phone is disabled once the new SIM card is activated. Crypto investors have been a particular target, presumably since stolen digital funds are relatively hard to trace. Victims have included Black Lives Matter activist DeRay McKesson.
Last week, security journalist Brian Krebs reported that a 25-year-old Florida man was arrested for being part of a multistate SIM swap scam ring, using the technique to steal bank accounts. Police were allegedly first alerted by a worried mom who heard one of the conspirators on the phone pretending to be an AT&T employee.
Protect yourself: Experts recommend using a non-phone-based two-factor-authentication system when it’s available, such as Google Authenticator or Microsoft Authenticator. If you do have a service that requires phone authentication, one possibility is to connect it with a number that’s not widely associated with you, even if that means getting a separate number just for that purpose.
You can also ask your phone company to put additional passwords on your account, though that may not always help if an employee doesn’t follow procedures or is even in cahoots with the criminals.