On February 4th a Seattle man filed suit against T-Mobile over an incident that started on November 7, 2017, when he noticed that his phone had restarted and been wiped of information, and then realized that he could not access the T-Mobile network.
The man, Carlos Tapang, contacted T-Mobile and found that his phone number had been transferred to AT&T. T-Mobile was able to get the phone number back the next day. But, in the meantime, while the thieves had access to his phone number on a new device, they were able to request password changes on his Google and Microsoft accounts and, with information found there, log in to one of his cryptocurrency accounts and drain it.
Tapang’s suit against T-Mobile claims that:
- T-Mobile’s lack of adequate security improperly allowed wrongdoers to gain control of his phone number on November 7, 2017.
- T-Mobile failed to add a promised PIN code to Tapang’s account prior to the incident.
- The hackers called T-Mobile customer support repeatedly, impersonating Tapang, and eventually tricked an agent into cancelling Tapang’s account and then transferring his phone number to a new AT&T device under the hackers’ control, without requiring “secret question and answer” full identity verification.
- After gaining control of Tapang’s phone number on a new device, the hackers were able to change the password on one of Tapang’s cryptocurrency accounts, exchange 19.6 BitConnect coins and 1,000 OmiseGo (OMG) tokens for 2.875 Bitcoin, and then transfer the Bitcoins out of his account. (BitConnect collapsed recently due to a likely Ponzi scheme, but what matters here is the value of the coins when they were stolen.)
- After being notified of the security breach, T-Mobile was unable to get the number back from AT&T until the next day.
- T-Mobile had warned customers about identity theft scams that involve transferring a phone number to another carrier, and had encouraged customers to create a PIN passcode, which Tapang did.
- Other T-Mobile customers had complained online about similar phone porting scams, one alleging a similar Bitcoin-related heist.
As a result, Tapang’s lawsuit:
- Accuses T-Mobile of failing to train its employees to prevent the identity theft schemes.
- Alleges that “As a result of this breach of security, Mr. Tapang’s exchange account was subjected to unauthorized transfers; he was deprived of his use of his cell phone number and required to expend time, energy, and expense to address and resolve this financial disruption and mitigate the consequences; and he also suffered consequent emotional distress.”
- Asks for damages, noting that the price of Bitcoin was $7,118 on November 7th, so an immediate cash out by the hackers would have netted $20,466 USD.
- Asks for injunctive relief, which could result in an order that T-Mobile strengthen its call center anti-number-jacking security.
Tapang is the founder of Pure Money Technology, a company that helps merchants accept and process purchases made with cryptocurrencies.
Cryptocurrency exchanges can prevent phone number porting hacks by eliminating two-factor SMS authentication for online wallet access, instead routing it through proprietary software. Exchange members have control of their physical devices, but their assigned phone numbers are in the control of their carrier.