Sim Swapping AT&T

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

A client of an unnamed US-based exchange had their account breached after relying on SMS-based 2FA. The client is taking their mobile provider to court in an attempt to gain some recovery.

This exchange or platform is based in United States, or the incident targeted people primarily in United States.^{[1][2][3][4][5][6][7][8]}

About Unknown

"An AT&T customer filed a lawsuit against the company last week accusing it of failing to provide “reasonable and appropriate security to prevent unauthorized access to its customer wireless accounts.” This has led to the theft of cryptocurrency from the plaintiff’s crypto exchange account."

"An AT&T customer, Jamarquis Etheridge, filed a lawsuit in the district court for the Southern District of Texas against AT&T Inc. and AT&T Mobility LLC Wednesday." "On or around Sept 10, bad actors were able to infiltrate Etheridge’s wireless account without authorization and drain his cryptocurrency account. AT&T was slow at reacting and unable to contain the security breach until the next day."

"Etheridge, a resident of the U.S. state of Texas, has been a customer of AT&T since 2009. He claims to be a victim of “SIM swapping,” also known as “SIM hijacking.” SIM swapping is a common scam that AT&T is no stranger to."

"Plaintiff Jamarquis Etheridge, a Texas resident, filed the suit in the state’s District Court on Sept 15. In it, Etheridge is claiming that AT&T failed to provide reasonable and appropriate security to prevent unauthorized access to his wireless account."

"The court document filed by Etheridge’s attorney, Richard E. Brown, states that on or about Sept. 10, 2020, AT&T “allowed wrongdoers access to plaintiff Etheridge’s wireless account and, without his authorization,”"

"AT&T was unable to contain this security breach until the next day, enabling wrongdoers to drain plaintiff Etheridge’s cryptocurrency exchange account."

"The plaintiff claims that as a result of AT&T’s actions or inactions, he has suffered and continues to suffer actual damages, including the loss of 159.8 ETH, lost time, embarrassment and humiliation, aggravation and frustration, fear, anxiety, financial uncertainty, unease, emotional distress, and various expenses."

“As a result of this breach of security, Plaintiff Etheridge’s exchange account was subjected to unauthorized transfers; he was deprived of his use of his cell phone number and required to expend time, energy, and expense to address and resolve this financial disruption and mitigate the consequences; and he also suffered consequent emotion[al] distress,” the filing says.

"As a result of AT&T’s failures if not active participation in SIM swap theft that was inflicted upon him, Plaintiff Etheridge has had over 159.8 ETHEREUM Tokens of assets stolen from him." "The plaintiff, who has been a customer of AT&T since 2009, was unable to use his cell phone number to mitigate the incursion and ended up losing 159.8 in ETH worth approximately $560,000 at the time."

"On or about September 10, 2020, Plaintiff noticed his phone service was not working and immediately called AT&T to find out that his service was compromised. Without obtaining Plaintiff’s permission, his phone service had a four (4) digit passcode as well. While on the phone with the agent, Plaintiff was told to update a new passcode to his account and the agent would add “extra” security measures to Plaintiff’s account."

"Plaintiff’s phone was restored hours later. The following day, Plaintiff’s phone service was not working again and Plaintiff immediately called AT&T to see why this was happening and the agent said it was because the first agent only added Plaintiff’s SIM back to the account and did not disable the fraudulent SIM. The actions of the first agent was how the fraudsters were able to deplete most of Plaintiff’s cryptocurrency account."

"For redress, the man seeks a variety of damages and his attorneys’ fees and costs. The lawsuit also states that it reserves the right to convert into a class action on behalf of similarly aggrieved Texans and out-of-state residents. The plaintiff is represented by Richard E. Brown Attorney at Law PC."

This exchange or platform is based in United States, or the incident targeted people primarily in United States.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

• Known history of when and how the service was started.
• What problems does the company or service claim to solve?
• What marketing materials were used by the firm or business?
• Audits performed, and excerpts that may have been included.
• Business registration documents shown (fake or legitimate).
• How were people recruited to participate?
• Public warnings and announcements prior to the event.

Don't Include:

• Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
• Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $560,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

In order to be effective, authentication factors need to be varied. Having all factors either publicly determinable or common to one factor allows for a breach of the account. Adding factors which are specific to hardware, held by separate individuals, or require identification will improve security. Platforms should provide greater flexibility for customization and more factors to customers. Reliance on SMS-based authentication should be avoided.

It's recommended that platform owners be made aware of all common breach factors (and especially the limitations of SMS-based factors). It makes sense for new platforms to receive 2 separate reviews of their authentication security policies by experts prior to launching.

Under our proposed framework, customers of platforms may be eligible to claim against their losses from an account breach. This would include a thorough review of both the claim and the platform's security policies prior to discretionary reimbursement from the industry insurance fund.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References