SIM Swap fraud is a pressing problem not only in the crypto world but in identity fraud in general.
A fairly new scam, the con is hatched when a criminal takes over an individual’s mobile phone by cloning the hardware. Once the perpetrator controls the mobile phone, all too frequently they can reset many or all passwords using 2-factor security via SMS.
While 2-factor has been sold to consumers as a higher degree of security for personal accounts such as email, this claim is totally bogus. If you use SMS as the vehicle to secure your accounts, 2-factor becomes a virtual skeleton key handing control over to the bad guys to take what they want.
While mobile service providers have known about this problem for quite some time, they have done little to fix the issue. SIM cards are easily available for purchase online via Amazon and eBay. Frontline employees at the mobile operators can be in on the scam as well. Either that or the poorly trained employees are easily duped by the fraudsters. Accountability by the mobile operators simply does not exist.
Recently, a high-profile cryptocurrency fraud case came to light when Michael Terpin was fleeced of $24 million in crypto. Terpin is the founder of Marketwired, which he sold a number of years ago. More recently, Terpin has become very active in the blockchain world as a PR guru for the industry. He is also involved with the crypto-focused Alphabit Fund.
In August of 2018, Terpin filed a $224 million lawsuit against AT&T (NYSE: T) – the mobile provider that opened the door for the theft of his crypto. Terpin alleges that AT&T is guilty of “fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges.” The case is pending in the US District Court in Los Angeles.
A portion of the case hinges upon Terpin’s claim that AT&T “promised Terpin unbreachable security on its end through a unique, purportedly unchangeable password following a smaller SIM swap theft” that took place in 2017. It appears AT&T completely dropped the ball.
The law firm representing Terpin, Greenberg Glusker, has labeled AT&T as being negligent in protecting their customers from the “metastasizing cancer.”
The alleged perp of Terpin’s SIM Swap con is Nicholas Truglia – a New York City resident – who was arrested for the crimes.
Truglia has been described as a type of sociopath: a loser whose illicit wealth was not sufficient to earn him any friends.
While living large on stolen money, Truglia apparently enjoyed beating his dog and robbing his own father.
Recently, Terpin’s lawyers have stepped up their legal actions by filing a RICO Act Claim. RICO, or the “Racketeer Influenced and Corrupt Organizations Act,” was created in the 1970s to go after organized crime like the Mafia. Since enactment, the Act has been utilized to prosecute more than just the Mafia, including financial crime. The law also contains a provision that allows for a civil action by a private party to recover any damages.
CI has been told that Terpin’s SIM Swap lawsuit includes an $81 million RICO Act conversion and racketeering charge against the alleged primary SIM swapper Truglia.
Greenberg Glusker believes this is the first time that RICO has been used against a possible gang of crypto thieves but it may not be the last if recent events are any indication.
While using RICO to pursue Truglia may be novel, and aggressive, Terpin is not letting AT&T off the hook for their security shortcomings. Charges seeking “substantial punitive damages” alleging AT&T allowed employees and contractors to be bribed by criminals like Truglia are ongoing.
The allegations of the case against AT&T are that poor security controls facilitated the theft. Unfortunately, mobile providers do not appear to be overly concerned about this type of fraud. In a recent discussion, a law enforcement representative indicated they are receiving multiple reports of SIM Swap fraud each week, even though such fraud can easily be stopped by internal controls, as mobile providers are the vector in the fraud.
Will AT&T, and other mobile providers, finally take user account security seriously? It is an excellent question, and Terpin’s pursuit of justice may finally compel an answer and, hopefully, a change that makes mobile operators more responsible and accountable in their operations.
Terpin v. Truglia Conformed-Complaint-3117852-1