$1 800 000 USD
DESCRIPTION OF EVENTS
"Shapiro's lawsuit describes him as "a two-time Emmy Award-winning media and technology expert" who regularly advises large companies. Shapiro, who has a wife and two children, said the $1.8 million worth of digital currency "constituted the entirety of the profits from the sale of Mr. Shapiro's family home and his life savings." That money also included funds for his business."
"On May 16, 2018, Shapiro was attending a conference in New York City and noticed that his phone was no longer connected to the AT&T network. Shapiro suspected that he was being victimized by a SIM swap "and called AT&T in an attempt to secure his account," his lawsuit said. The call resulted in "lengthy holds" followed by an AT&T rep suspending Shapiro's service and telling Shapiro to visit an AT&T store."
"At the store in Manhattan, Shapiro bought a new iPhone and a new SIM card as an AT&T rep advised, and AT&T employees "assured him that his SIM card would not be swapped again without his authorization," the lawsuit said."
But Shapiro says he was victimized by a second SIM attack "mere minutes later" while he was still in the store. He "immediately informed" AT&T employees of the second attack and they "informed him that he needed to wait until it was his turn to be assisted," the lawsuit said. "Shapiro ended up waiting 45 minutes for help in the AT&T store."
"In that time, third-party individuals were able to use their control over Mr. Shapiro's AT&T cell phone number to access Mr. Shapiro's personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company's help."
The third parties who gained control over Shapiro's wireless number "used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex," the lawsuit said. Hackers also changed the passwords "for approximately 15 of Mr. Shapiro's online accounts, including four email addresses, his Evernote account... and his PayPal account," the lawsuit said.
After taking control of his cryptocurrency accounts, "hackers then transferred Mr. Shapiro's currency from Mr. Shapiro's accounts into accounts that they controlled. In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018," the lawsuit said.
"The digital currency stolen during the SIM swap attacks also included cryptocurrency raised by Mr. Shapiro for a business venture. As a result of the theft, Mr. Shapiro had to end the venture and lay off all employees," the lawsuit said.
"Plaintiff Seth Shapiro of Torrance, California, says that AT&T is liable for the acts of its employees and failed to implement systems and procedures to prevent them from pulling off the scheme. The complaint, filed on October 17 in US District Court for the Central District of California, says:"
"On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro's AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro's AT&T wireless number from Mr. Shapiro's phone to a phone controlled by third-party hackers in exchange for money. The hackers then utilized their control over Mr. Shapiro's AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro."
"Shapiro backs up his lawsuit with details from a criminal case filed by the US government against nine people, including former AT&T employees Robert Jack and Jarratt White."
""[C]riminal investigations reveal that a third-party (an individual identified by authorities as 'JD') paid Jack and White to change the SIM card associated with Mr. Shapiro's AT&T account from the SIM card in Mr. Shapiro's phone to a SIM card in a phone controlled by JD and others," the lawsuit said. JD paid White $4,300 to conduct SIM swaps, including the swaps in May 2018 that targeted Shapiro, and paid $585.25 to White, the lawsuit said."
"These employees were "prolific SIM swappers," with White conducting 29 unauthorized SIM swaps in May 2018 and Jack conducting 12 unauthorized swaps that same month, the lawsuit said."
"AT&T also informed law enforcement that the hacker involved in Mr. Shapiro's SIM swap had requested that 40 different AT&T wireless accounts be moved onto his phone (identified by its IMEI number) in the months leading up to Mr. Shapiro's swap. AT&T therefore had the technology to track how many different accounts were being [moved] on to the same telephone, as demonstrated by its ability to pull this information for law enforcement. Despite its ability to track this highly suspicious behavior, AT&T failed to use this technology to protect Mr. Shapiro's account. If AT&T had proper security safeguards in place, it would have recognized this behavior, flagged it as suspicious, and prevented any further SIM swaps onto that phone—thereby protecting Mr. Shapiro."
"When contacted by Ars about the Shapiro case, AT&T said, "We dispute these allegations and look forward to presenting our case in court." AT&T also noted that it provides customers with information about SIM-swap scams at this webpage but did not provide any specific information disputing Shapiro's allegations."
"Despite disputing Shapiro's lawsuit, AT&T says on that webpage that it is improving its technology and training to reduce the likelihood of SIM-swap attacks."
"Shapiro says that he remained an AT&T customer after the hack based on the company's assurances that it would protect his data going forward. He changed his AT&T account passcode on the company's advice, which was supposed to prevent further SIM swaps from happening without his consent. But "Mr. Shapiro's trust in AT&T was misplaced," as he ended up being victimized by SIM swaps twice more, in November 2018 and May 2019, the lawsuit said."
Seth Shapiro stored his $1.8m in cryptocurrency on various third-party exchanges and platforms, where SMS authentication via his cell phone number was available as an option to reset his password.
An AT&T employee had worked out a deal with a criminal outsider to perform SIM swaps in exchange for payment, and this arrangement was used to reset Shapiro's passwords on multiple accounts, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Cryptopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex.
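The complaint's point that swaps of many different accounts onto one handset (identified by its IMEI) were trackable maps onto a simple carrier-side detection rule. The following is an added example, not AT&T's system or anything from the lawsuit; the record layout, thresholds, and all identifiers are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the page): tune against real swap volumes.
WINDOW = timedelta(days=90)
MAX_ACCOUNTS_PER_DEVICE = 3

def flag_swaps(swaps, window=WINDOW, limit=MAX_ACCOUNTS_PER_DEVICE):
    """swaps: iterable of (timestamp, account_id, target_imei, employee_id).

    Returns the swaps that would move a number onto a device that has
    already received `limit` or more *different* accounts within `window`.
    """
    seen = defaultdict(list)  # imei -> [(timestamp, account_id), ...]
    flagged = []
    for ts, account, imei, employee in sorted(swaps):
        # Keep only earlier swaps onto this device that are still in the window.
        recent = [(t, a) for t, a in seen[imei] if ts - t <= window]
        others = {a for _, a in recent if a != account}
        if len(others) >= limit:
            flagged.append((ts, account, imei, employee))
        # Record the attempt even if flagged, so later attempts still count it.
        recent.append((ts, account))
        seen[imei] = recent
    return flagged

def swaps_per_employee(flagged):
    """Count flagged swaps per employee to surface repeat insiders."""
    counts = defaultdict(int)
    for _, _, _, employee in flagged:
        counts[employee] += 1
    return dict(counts)

# Constructed sample records; IMEI and employee values are placeholders.
D = datetime(2018, 3, 1)
SAMPLE = [
    (D,                      "acct-1", "IMEI-X", "emp-1"),
    (D + timedelta(days=10), "acct-2", "IMEI-X", "emp-1"),
    (D + timedelta(days=15), "acct-9", "IMEI-Y", "emp-3"),  # ordinary swap
    (D + timedelta(days=20), "acct-3", "IMEI-X", "emp-2"),
    (D + timedelta(days=30), "acct-4", "IMEI-X", "emp-1"),
    (D + timedelta(days=40), "acct-5", "IMEI-X", "emp-2"),
]

if __name__ == "__main__":
    hits = flag_swaps(SAMPLE)
    for ts, account, imei, employee in hits:
        print(f"HOLD swap of {account} onto {imei} by {employee} at {ts:%Y-%m-%d}")
    print(swaps_per_employee(hits))
```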
HOW COULD THIS HAVE BEEN PREVENTED?
The primary way to avoid this issue is to not use SMS-based authentication. Instead, use an authentication factor that is based on physical hardware.
Services should also take special care when a user resets their account and then immediately attempts a withdrawal. In this case, it is best to confirm with the user through additional means.
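One way a service could implement the reset-then-withdraw check described above, as an added example that is not code from any exchange named on this page. The event schema, the 24-hour hold window, and the account names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value (not from the page): how long after a credential reset
# a withdrawal requires out-of-band confirmation.
HOLD_WINDOW = timedelta(hours=24)
RESET_EVENTS = {"password_reset", "2fa_reset"}

@dataclass
class Event:
    ts: datetime
    account: str
    kind: str          # "password_reset", "2fa_reset", "login", "withdrawal"
    channel: str = ""  # how a reset was authorised, e.g. "sms", "hardware_key"

def review_withdrawals(events, window=HOLD_WINDOW):
    """Return (event, decision, reason) for every withdrawal in the stream."""
    last_reset = {}  # account -> most recent reset Event
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in RESET_EVENTS:
            last_reset[ev.account] = ev
        elif ev.kind == "withdrawal":
            reset = last_reset.get(ev.account)
            if reset and ev.ts - reset.ts <= window:
                age = int((ev.ts - reset.ts).total_seconds() // 60)
                reason = f"{reset.kind} via {reset.channel or 'unknown'} {age} min earlier"
                decisions.append((ev, "hold", reason))
            else:
                decisions.append((ev, "allow", "no recent credential reset"))
    return decisions

# Constructed sample events (not real data).
T0 = datetime(2018, 5, 16, 14, 0)
SAMPLE = [
    Event(T0, "acct-A", "password_reset", "sms"),
    Event(T0 + timedelta(minutes=6), "acct-A", "withdrawal"),
    Event(T0 + timedelta(minutes=9), "acct-B", "withdrawal"),
    Event(T0 - timedelta(days=30), "acct-C", "password_reset", "hardware_key"),
    Event(T0 + timedelta(minutes=12), "acct-C", "withdrawal"),
]

if __name__ == "__main__":
    for ev, decision, reason in review_withdrawals(SAMPLE):
        print(ev.account, decision.upper(), "-", reason)
```

A "hold" decision is where the service would confirm with the user through additional means before releasing funds.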