A SIM swap, the nefarious act in which criminals surreptitiously take over your mobile phone number by moving it to a different SIM card, hit crypto lending platform BlockFi earlier this month.
BlockFi quickly posted an “incident report” outlining the scam:
“From approximately 07:17 UTC to 08:43 UTC on May 14, 2020, a BlockFi employee’s phone number was breached and utilized by an unauthorized third party to access a portion of BlockFi’s encrypted back-office system. This type of breach is commonly referred to as a SIM port. The unauthorized third party was able to do this by obtaining unauthorized access to the employee’s phone and email via a cell phone network vulnerability. Based on the unauthorized third party’s actions, it appears that the perpetrator attempted to make unauthorized withdrawals of client funds using the BlockFi platform, but was unsuccessful in doing so. However, the unauthorized third party was able to access BlockFi client information typically used by BlockFi for retail marketing purposes throughout the duration of this incident.”
BlockFi said that the intrusion was detected and the “Incident Response Protocol” kicked in to safeguard information. That being said, the perp accessed the personal information of BlockFi users, including name, address, DOB, email addresses, and account history. Importantly, BlockFi reported that no funds were illicitly transferred or stolen.
BlockFi said it has taken remedial actions to shore things up, including recommending that users incorporate an authentication app, while removing personal emails and mobile numbers for device confirmations when using two-factor authentication. It was not too long ago that two-factor authentication was touted as a cyber-savior, making it difficult for hackers to gain access to sensitive information, but in reality, 2FA tied to a mobile number has morphed into more of a digital skeleton key. Once a crook has taken over your phone, they simply reset all of your passwords and off they go.
BlockFi is not alone in being trapped by the SIM swap hack (the specific mobile provider has not been disclosed). Perhaps the most prominent example of someone being defrauded due to a SIM swap hack is Michael Terpin.
At the beginning of May, Terpin filed a lawsuit against an alleged ringleader of criminals taking advantage of the security weak point. Terpin sued 18-year-old Ellis Pinsky, a high school senior living in an upscale suburb of New York City. Terpin claims that Pinsky was the perpetrator of a “sophisticated cybercrime spree” that saw over $100 million stolen in cryptocurrency, including his money. Pinsky was recently labeled a “Baby Al Capone” as the courts move to act on the civil suit.
But Terpin has not just sued Pinsky for a whopping $71,415,375, or three times the original amount Pinsky allegedly stole ($23,808,125). Terpin is also suing AT&T Mobile for over $200 million for negligence that enabled the security breach. Terpin originally filed the lawsuit against AT&T Mobile in 2018.
Terpin and his legal representatives have claimed:
“We contend that AT&T cannot simply get the matters of fraud or punitive damages dismissed before we have even gone to discovery. In fact, we expect to find this was not an isolated incident, but rather a pattern of SIM swaps and other negligent behavior that shows a pattern of moral disregard for its customers within the highest levels of the corporation responsible for consumer protection and for security.”
Terpin has stated that the “high-risk protection” offered by AT&T was useless because employees and agents could easily bypass the system in place. So perhaps a better question is: why haven’t AT&T Mobile and all the other big mobile providers in the US addressed such a widely known weakness in their mobile service operations?