P Xenos and M Bacina
AT&T sued over SIM-swapping crypto scandal
California resident Seth Shapiro has filed a lawsuit against wireless service giant AT&T. Shapiro alleges that AT&T employees helped to perpetrate a SIM-swap which resulted in the theft of over $1.8 million in total, including cryptocurrencies.
The complaint claims that Shapiro is “a two-time Emmy Award-winning media and technology expert, author, and adjunct professor at the University of Southern California School of Cinematic Arts.” The lawsuit alleges that between May 16 and May 18, AT&T employees transferred access to Shapiro’s mobile phone to outside hackers:
AT&T employees obtained unauthorized access to Mr. Shapiro’s AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control [...] to a phone controlled by third-party hackers in exchange for money. [...] The hackers then utilized their control over Mr. Shapiro’s AT&T wireless number [...] to access his personal and digital finance accounts and steal more than $1.8 million.
The document states that these actions allowed the hackers to also access Shapiro’s personal accounts on several cryptocurrency exchanges:
While third parties had control over Mr. Shapiro's AT&T wireless number, they used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex.
Shapiro also claims that he has fallen victim to SIM-swapping on multiple occasions, as his personal information and online accounts had previously been leaked.
SIM swapping is a serious problem in the US, and historically has been tied more closely to identity theft. However, the rise of mobile phones being used as a two-factor authentication device (via SMS) has driven a corresponding rise in SIM swapping, so that hackers can then move to seize control of (and empty) bank accounts, run up massive phone bills to paid services, and steal cryptocurrencies.
What can you do to avoid becoming a victim of online crime? Here are a few simple steps that can make a big difference:
Stop using SMS two-factor authentication; use Google Authenticator or another third-party tool (and back up your restoration phrase in hard copy!);
Switch to a password manager with a very strong master password (1Password and LastPass are great options);
Lock down your social media privacy settings, keep your birthday details offline and don't post anything you wouldn't be comfortable being on the front page of the newspapers/Google;
Switch to secure browsing services like Brave or DuckDuckGo to reduce the amount of your data that is collected online;
Pay for content - searching for pirated material is increasingly a fast way to get hacked.