Phone Numbers Are Security Weak Point In Mobile Cryptocurrency

Crime, News, Regulation | August 20, 2018

Entrepreneur Michael Terpin knew he had a problem when his AT&T phone went dead. He soon learned that there were bigger worries than a communications failure.

During the time his phone was out of commission, hackers managed to breach his cryptocurrency wallets and take more than three million tokens in native and staking wallets.

“The first attempt to freeze the line was not done correctly, so the hackers had control of my digital identity for close to an hour, during which they did all the damage,” said Terpin. The phone was “the only way they were able to get into the wallets in question, through a fairly sophisticated hack. Contrary to what some media are inaccurately reporting, I did not lose any bitcoin and I did not have any online exchange accounts hacked. These were smaller tokens in native or staking wallets, which do not have Google 2FA (a two-step authenticator) as a feature because they are not centralized.”

Terpin has filed a $223.8 million lawsuit against AT&T, alleging 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges in US District Court in Los Angeles.

The suit arises from the January 7 theft of more than three million cryptocurrency tokens, carried out through a digital identity theft of Terpin’s cellphone account by an AT&T agent. The funds were then transferred to an international criminal gang being pursued by the FBI and multiple other federal and state law enforcement agencies.

This was not the first time Terpin had been hacked. But AT&T allegedly promised Terpin unbreachable security on its end through a unique, purportedly unchangeable password following a smaller SIM swap theft in June 2017. However, this time Terpin’s security was undone by low-level retail employees. They used their access to AT&T records to pass along crucial information that purportedly allowed the criminal gang to breach the accounts.

AT&T corporate communications spokesman Jim Greer said the company disputes the allegations and will challenge them in court.

But for now, Terpin has lost funds.


What happened to Terpin is not unusual and not confined to one carrier. There are entire communities of hackers training to hijack information, usually by bribing store employees for customer information. At the core of the attacks is a SIM card, a small removable chip in a mobile device that connects the phone to a provider’s network. When the SIM card is damaged, or a customer is switching phones, they can request a SIM swap.

In that switch, a target’s phone number can be redirected to a SIM card and mobile phone that hackers control. Once they bribe the retail clerk for password information, they have access to all sorts of information.

Allison Nixon is the director of security research at Flashpoint, a security company in New York. She blames phone numbers more than the phones themselves.

“Phones are a physical object and a thief must be local to steal it,” Nixon said. “Phone numbers can be stolen remotely by attackers on the other side of the country. Given that premise, yes, the inappropriate use of phone numbers to prove identity is a concern. Any service provider that equates your phone number with your identity is making a risky choice. We know that by their nature, phone numbers are recycled, single phone numbers are often used by multiple people, and that they are legacy infrastructure. Telephone numbers were first used in 1879! What kind of reasonable identity document becomes invalid when you stop paying your monthly bill?”

There aren’t many easy or reasonable security precautions that the average person can take to better secure their phone number, Nixon adds. “It’s a fundamental problem with how the concept of identity works nowadays. Phone numbers are not meant to be kept secret, and were never originally intended to be an identity document.”

Nixon recommends using authenticator apps wherever you can, not phone numbers. “There are a lot of good authenticator apps for the phone. Some websites force you to use phone numbers, so security precautions can get pretty convoluted. People get secret secondary phone lines sometimes if they have been targeted before.”

As Terpin’s suit unfolds, he has some lessons learned to share. “After my prior (and much smaller) targeted hack in June, 2017, I was issued a high-security unique, unchangeable password that I was told with authority could not be compromised because it was on every AT&T record that no access could be granted without giving that file. I was never told that any low-level retail clerk has the authority to bypass this mandatory password, either because they’ve been bribed by a gang or are just grossly negligent (my file has the high security status prominently emblazoned on it).”

Until that problem of access is solved, Terpin warns, don’t use a phone number for identification.

“If you must put any kind of phone number as identification for anything, from email to software to DNS providers, either use Google Voice or, if it doesn’t accept VOIP numbers, a prepaid service like Cricket. Google Fi, which has no SIM card, looks like it might work for this purpose too. Unquestionably, your greatest vulnerability is your phone if you’re a known owner of digital assets.”