AT&T Employees Rob Seth Shapiro
Seth Shapiro stored his $1.8 million in cryptocurrency on various third-party exchanges and platforms, where SMS authentication via his cell phone number was available as an option to reset his password.
An AT&T employee had worked out a deal with a criminal outsider to perform SIM swaps in exchange for payment, and this arrangement was used to reset Shapiro's passwords on multiple accounts, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Cryptopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex.
This is a global/international case not involving a specific country.[1][2]
About Multiple
"Shapiro's lawsuit describes him as "a two-time Emmy Award-winning media and technology expert" who regularly advises large companies. Shapiro, who has a wife and two children, said the $1.8 million worth of digital currency "constituted the entirety of the profits from the sale of Mr. Shapiro's family home and his life savings." That money also included funds for his business."
"On May 16, 2018, Shapiro was attending a conference in New York City and noticed that his phone was no longer connected to the AT&T network. Shapiro suspected that he was being victimized by a SIM swap "and called AT&T in an attempt to secure his account," his lawsuit said. The call resulted in "lengthy holds" followed by an AT&T rep suspending Shapiro's service and telling Shapiro to visit an AT&T store."
"At the store in Manhattan, Shapiro bought a new iPhone and a new SIM card as an AT&T rep advised, and AT&T employees "assured him that his SIM card would not be swapped again without his authorization," the lawsuit said."
But Shapiro says he was victimized by a second SIM attack "mere minutes later" while he was still in the store. He "immediately informed" AT&T employees of the second attack and they "informed him that he needed to wait until it was his turn to be assisted," the lawsuit said. "Shapiro ended up waiting 45 minutes for help in the AT&T store."
"In that time, third-party individuals were able to use their control over Mr. Shapiro's AT&T cell phone number to access Mr. Shapiro's personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company's help."
The third parties who gained control over Shapiro's wireless number "used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex," the lawsuit said. Hackers also changed the passwords "for approximately 15 of Mr. Shapiro's online accounts, including four email addresses, his Evernote account... and his PayPal account," the lawsuit said.
After taking control of his cryptocurrency accounts, "hackers then transferred Mr. Shapiro's currency from Mr. Shapiro's accounts into accounts that they controlled. In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018," the lawsuit said.
"The digital currency stolen during the SIM swap attacks also included cryptocurrency raised by Mr. Shapiro for a business venture. As a result of the theft, Mr. Shapiro had to end the venture and lay off all employees," the lawsuit said.
"Plaintiff Seth Shapiro of Torrance, California, says that AT&T is liable for the acts of its employees and failed to implement systems and procedures to prevent them from pulling off the scheme. The complaint, filed on October 17 in US District Court for the Central District of California, says:"
"On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro's AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro's AT&T wireless number from Mr. Shapiro's phone to a phone controlled by third-party hackers in exchange for money. The hackers then utilized their control over Mr. Shapiro's AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro."
"Shapiro backs up his lawsuit with details from a criminal case filed by the US government against nine people, including former AT&T employees Robert Jack and Jarratt White."
""[C]riminal investigations reveal that a third-party (an individual identified by authorities as 'JD') paid Jack and White to change the SIM card associated with Mr. Shapiro's AT&T account from the SIM card in Mr. Shapiro's phone to a SIM card in a phone controlled by JD and others," the lawsuit said. JD paid White $4,300 to conduct SIM swaps, including the swaps in May 2018 that targeted Shapiro, and paid $585.25 to White, the lawsuit said."
"These employees were "prolific SIM swappers," with White conducting 29 unauthorized SIM swaps in May 2018 and Jack conducting 12 unauthorized swaps that same month, the lawsuit said."
"AT&T also informed law enforcement that the hacker involved in Mr. Shapiro's SIM swap had requested that 40 different AT&T wireless accounts be moved onto his phone (identified by its IMEI number) in the months leading up to Mr. Shapiro's swap. AT&T therefore had the technology to track how many different accounts were being [moved] on to the same telephone, as demonstrated by its ability to pull this information for law enforcement. Despite its ability to track this highly suspicious behavior, AT&T failed to use this technology to protect Mr. Shapiro's account. If AT&T had proper security safeguards in place, it would have recognized this behavior, flagged it as suspicious, and prevented any further SIM swaps onto that phone—thereby protecting Mr. Shapiro."
"When contacted by Ars about the Shapiro case, AT&T said, "We dispute these allegations and look forward to presenting our case in court." AT&T also noted that it provides customers with information about SIM-swap scams at this webpage but did not provide any specific information disputing Shapiro's allegations."
"Despite disputing Shapiro's lawsuit, AT&T says on that webpage that it is improving its technology and training to reduce the likelihood of SIM-swap attacks."
"Shapiro says that he remained an AT&T customer after the hack based on the company's assurances that it would protect his data going forward. He changed his AT&T account passcode on the company's advice, which was supposed to prevent further SIM swaps from happening without his consent. But "Mr. Shapiro's trust in AT&T was misplaced," as he ended up being victimized by SIM swaps twice more, in November 2018 and May 2019, the lawsuit said."
The Reality
What Happened
Date | Event | Description |
---|---|---|
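May 16th, 2018 | Main Event | Two consecutive SIM swaps transferred Shapiro's AT&T wireless number to a phone controlled by third parties, who reset the passwords on his cryptocurrency exchange accounts and transferred more than $1.8 million to accounts they controlled. |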
Technical Details
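The lawsuit excerpt quoted in the About section argues that AT&T could see how many different accounts were being moved onto one phone, identified by its IMEI, and could have flagged that pattern before further swaps. That check is written out here as an added example; it is not AT&T's system and not code from the case record. The event fields, the 90-day window, the three-account limit and the `IMEI-AAAA`/`IMEI-BBBB` placeholders are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)   # assumed look-back period
MAX_ACCOUNTS = 3              # assumed limit of distinct accounts per device

def review_sim_changes(events, window=WINDOW, max_accounts=MAX_ACCOUNTS):
    """Return (time, account, imei, decision) for each SIM-change request.

    A request is put on "hold" when the target device has been the
    destination for more than `max_accounts` distinct accounts within
    `window` (counting this request); otherwise it is "allow".
    """
    recent = defaultdict(deque)          # imei -> (time, account) requests
    decisions = []
    for ts, account, imei in sorted(events):
        seen = recent[imei]
        while seen and ts - seen[0][0] > window:   # expire old activity
            seen.popleft()
        seen.append((ts, account))       # held requests still count
        distinct = {a for _, a in seen}
        decision = "hold" if len(distinct) > max_accounts else "allow"
        decisions.append((ts, account, imei, decision))
    return decisions

def at(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed SIM-change log: (time, account, target device IMEI placeholder).
SAMPLE_EVENTS = [
    (at("2018-03-02 10:15"), "acct-101", "IMEI-AAAA"),
    (at("2018-03-20 14:40"), "acct-102", "IMEI-AAAA"),
    (at("2018-04-11 09:05"), "acct-103", "IMEI-AAAA"),
    (at("2018-05-16 11:30"), "acct-victim", "IMEI-AAAA"),
    (at("2018-05-16 12:10"), "acct-victim", "IMEI-AAAA"),
    (at("2017-11-01 08:00"), "acct-200", "IMEI-BBBB"),
    (at("2018-05-10 16:20"), "acct-200", "IMEI-BBBB"),  # same customer, new SIM
]

if __name__ == "__main__":
    for ts, account, imei, decision in review_sim_changes(SAMPLE_EVENTS):
        print(ts, account, imei, decision)
```

A held request would go to manual review with independent identity verification rather than being completed by the store or call-centre agent who received it.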
Total Amount Lost
The total amount lost has been estimated at $1,800,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
General Prevention Policies
The primary way to avoid this issue is to not use SMS-based authentication. Instead, use an authentication factor that is based on physical hardware.
Services should also take special care when a user resets their account and then immediately attempts a withdrawal. In this case, it is best to confirm with the user through additional means.
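One way a platform could apply the reset-then-withdrawal rule above, as an added example that is not taken from any exchange named on this page. The event names, the 24-hour cool-off and the rule that SMS or voice confirmations do not count (because a swapped number answers them) are assumptions; the log is constructed.

```python
from datetime import datetime, timedelta

COOL_OFF = timedelta(hours=24)        # assumed policy value
PHONE_CHANNELS = {"sms", "voice"}     # answered by whoever holds the number

def screen_withdrawals(events, cool_off=COOL_OFF):
    """Map each withdrawal id to "release" or "hold".

    A withdrawal is held when the account's credentials were reset less
    than `cool_off` earlier and the owner has not since confirmed the
    change over a channel that does not depend on the phone number.
    """
    pending_reset = {}                # account -> time of unconfirmed reset
    decisions = {}
    for when, account, kind, detail in sorted(events):
        if kind == "password_reset":
            pending_reset[account] = when
        elif kind == "confirmation" and detail not in PHONE_CHANNELS:
            pending_reset.pop(account, None)
        elif kind == "withdrawal":
            reset_at = pending_reset.get(account)
            recent = reset_at is not None and when - reset_at < cool_off
            decisions[detail] = "hold" if recent else "release"
    return decisions

def at(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed log: (time, account, event type, channel or withdrawal id).
SAMPLE_LOG = [
    (at("2018-05-16 11:32"), "acct-a", "password_reset", "sms"),
    (at("2018-05-16 11:41"), "acct-a", "withdrawal", "w-1001"),
    (at("2018-05-16 09:00"), "acct-b", "password_reset", "sms"),
    (at("2018-05-16 09:05"), "acct-b", "confirmation", "sms"),
    (at("2018-05-16 09:10"), "acct-b", "withdrawal", "w-1002"),
    (at("2018-05-14 08:00"), "acct-c", "password_reset", "email"),
    (at("2018-05-14 08:20"), "acct-c", "confirmation", "hardware_key"),
    (at("2018-05-14 08:30"), "acct-c", "withdrawal", "w-1003"),
    (at("2018-05-10 10:00"), "acct-d", "password_reset", "email"),
    (at("2018-05-13 10:00"), "acct-d", "withdrawal", "w-1004"),
]

if __name__ == "__main__":
    for wid, decision in sorted(screen_withdrawals(SAMPLE_LOG).items()):
        print(wid, decision)
```

Withdrawal `w-1002` stays held even though a confirmation arrived, because that confirmation came over SMS.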
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.