Michael Terpin, well known within the cryptocurrency industry, was the victim of a serious crypto theft several years ago, when approximately $24 million in crypto was stolen from his accounts via a SIM swap hack. Terpin went on to file a lawsuit against AT&T for “gross negligence,” alleging that the mobile carrier had failed in basic security protocols. At the time, Terpin stated:
“Somebody needed to sue AT&T for fraud and gross negligence in letting criminals SIM swap. I just did.”
A SIM swap hack is where an attacker takes control of a victim’s mobile phone account. By convincing a mobile carrier to authorize a new phone with the target’s mobile number, the fraudster can intercept the two-factor authentication codes sent to that number and use them to reset passwords on accounts using the higher-level security. In brief, two-factor authentication can turn a hacked phone into a skeleton key.
While mobile carriers are aware of the scam, for some reason carriers have not established controls to guard against this type of hack. Terpin is suing AT&T for $224 million. The case is working its way through the courts at this very moment.
Earlier today, via his representatives, Terpin shared a letter addressed to Ajit Pai, Chairman of the Federal Communications Commission (FCC).
The letter, republished below, arrives on the same day that Crowdfund Insider has covered another civil lawsuit filed against AT&T for allegedly failing to prevent crypto theft.
An Open Letter to Ajit Pai, Chairman of the FCC
I have watched over the years as the FCC has made many laudable decisions on behalf of consumers, including protection from telemarketers; data portability; and just in the past few months a new push to combat robocalls, which you called a “scourge” and “a top priority” for the FCC. Indeed, there are more than 200 articles on the FCC website mentioning robocalls – and yet not one addressing the fastest growing cancer on the mobile consumer landscape: the hacking of personal information, accounts, identity theft and money via a growing crime called “SIM swapping” or “simjacking.”
The theft of a consumer’s SIM (subscriber identity module) is tied to much more than just the ability to send and receive phone calls and texts to the correct device. Since the mobile industry encouraged software providers to use SMS texts as a second factor of authentication (also known as 2FA) for everything from email and social networks to application software and financial services accounts, as well as enabled wireless transfer of SIM ownership to new devices, it has emboldened a pernicious new wave of organized crime: SIM swappers.
Twitter CEO Jack Dorsey’s SIM swapping, which enabled a group of hackers to take over his identity on Twitter and post racist tweets, was the most high-profile case of SIM swapping, but far from the most damaging. In the blockchain and cryptocurrency world, where I have been working as an investor, advisor and marketer since 2013, there have been hundreds of millions of dollars of hacks of cryptocurrency, including exchanges, where the hack was enabled by the ease of stealing a key executive or investor’s digital identity and authority via this crime.
In general, SIM swaps are orchestrated by highly sophisticated, repeat offender, criminal gangs (some of which are finally being arrested and in one case so far, convicted and sentenced). An entire new task force (REACT) was set up last year by Homeland Security and the Santa Clara County Sheriff’s Department to help investigate these crimes (the FBI and other agencies also have their fair share of cases, including mine, which I will summarize below).
On January 7, 2018, after having obtained “high security” protection on the two carriers I used (AT&T and T-Mobile) following a prior, smaller SIM swap seven months earlier, as well as spending weeks with the industry’s top security professionals to add even more protection to my assets, I was hit again by a criminal gang on my AT&T account (my T-Mobile account, whose high-security provision included a “no port” directive, was unaffected; AT&T does not offer a “do not port” option to consumers). We contend the hack began with an AT&T representative in a Connecticut retail store turning over my credentials to the gang, and resulted in the loss of $24 million.
I am not alone, of course. The REACT Task Force has taken on hundreds of cases (including new ones every month I refer to them; since I announced my lawsuit, I have been contacted by more than 50 individuals who experienced similar hacks, with losses in a few instances of more than $10 million). On Friday, another investor sued AT&T for the $1.8 million taken from him in a similar SIM Swap during the May 2018 Consensus conference. In his case, the AT&T representative who sold his information to a criminal gang has already been arrested by Homeland Security for this theft and 40 others; one of his hackers has been arrested and convicted.
Chairman Pai, you and the FCC have the unique opportunity and authority to end this scourge quickly and effectively by taking three actions:
3) Initiate an immediate, comprehensive study (as was done for robocalls) with recommendations for mandatory reforms by the carriers.
Chairman Pai, I will be attending your opening keynote at Mobile World Congress Americas in Los Angeles on Tuesday (I’m a speaker myself on Thursday, addressing how carriers can add user value and make considerable revenue by integrating blockchain technology into its current offerings). I look forward to the opportunity to address this with you and your fellow commissioners.
+1 (646) 926-6420
cc: Meredith Attwell Baker, president and CEO, CTIA