Just last Sunday, a Washington man filed a lawsuit against T-Mobile for failing to protect his phone number, which eventually led to thousands of dollars’ worth of his cryptocurrency being stolen.
Back in November, Carlos Tapang was faced with a grim situation in which his phone number was compromised by malicious actors. The hackers were able to port his number to an account under their control on AT&T, and reset his account passwords most likely though SMS-based two-factor authentication.
According to a recent report from Law360, Tapang’s complaint involves targeting T-Mobile for their inability to provide adequate security measures to protect his account. The failure on the carrier’s end allowed malicious actors to port Tapang’s number out, and steal his cryptocurrency by gaining access to associated accounts.
“As a result of this breach of security, Mr. Tapang’s exchange account was subjected to unauthorized transfers; he was deprived of his use of his cell phone number and required to expend time, energy, and expense to address and resolve this financial disruption and mitigate the consequences; and he also suffered consequent emotional distress.”
Hackers reportedly drained Tapang’s accounts of the OmiseGo and Bitconnect tokens that he owned, and likely won’t be returning them anytime soon.
Although T-Mobile’s sales and marketing materials claim that there are security measures in place to prevent these forms of attacks, it seems as if that wasn’t the case with this recent breach.
T-Mobile never added a pin to Tapang’s account as requested, and hackers called the service repeatedly in order to reach a representative willing to make the transfer. After the porting, Tapang was unable to access his phone number and had to do whatever he could to secure his holdings and rescue his accounts.
Hacks of this nature began as early as 2016, with a case notably involving another T-Mobile customer that had his number changed and cryptocurrency stolen. The hackers transferred the number of the affected party to their control, reset his passwords, and took control of his exchange accounts in order to drain him of his holdings. As soon as the hackers had the phone number in their possession, resetting passwords on critical accounts was as easy as pushing a button.
The process involves calling up the targeted party’s mobile provider and asking to port their number to a device in the hacker’s possession. The hacker will pose as the targeted party, and provide any answers to security questions that they might have access to through a variety of means.
One of the major ways in which exchanges can prevent these types of hacks and further protect their customers is disabling two-factor authentication through SMS, and route it through a proprietary authentication application. Although not bulletproof, it may have the power to lessen the frequency of these cases in the future.
At the end of the day, users might have control of their physical devices, but their assigned phone numbers are in the control of their carrier.
Featured image from Shutterstock.