
A lawsuit against AT&T alleges that the carrier's employees helped hackers perform SIM-swap attacks on a customer and rob him of $1.8 million worth of cryptocurrency.

Plaintiff Seth Shapiro of Torrance, California, says that AT&T is liable for the acts of its employees and failed to implement systems and procedures to prevent them from pulling off the scheme. The complaint, filed on October 17 in US District Court for the Central District of California, says:

On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro's AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro's AT&T wireless number from Mr. Shapiro's phone to a phone controlled by third-party hackers in exchange for money. The hackers then utilized their control over Mr. Shapiro's AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro.

In a SIM-swap attack, "the SIM card associated with the victim's wireless account is switched from the victim's phone" to someone else's, which "effectively moves the victim's wireless phone—including any incoming data, texts, and phone calls associated with the victim's phone—from their phone to a phone controlled by the third party," the lawsuit notes.

"The hacker's phone then becomes the phone associated with the victim's carrier account, and the hacker receives all of the text messages and phone calls intended for the victim," the complaint continues. "Meanwhile, the victim's phone loses its connection to the carrier network."

In Shapiro's case, AT&T employees did not just unwittingly give hackers control over his phone, the lawsuit says. AT&T's "employees actively profited from this unauthorized access by knowingly giving control over his phone number to hackers for the purposes of robbing him," the lawsuit says.

Shapiro backs up his lawsuit with details from a criminal case filed by the US government against nine people, including former AT&T employees Robert Jack and Jarratt White.

"[C]riminal investigations reveal that a third-party (an individual identified by authorities as 'JD') paid Jack and White to change the SIM card associated with Mr. Shapiro's AT&T account from the SIM card in Mr. Shapiro's phone to a SIM card in a phone controlled by JD and others," the lawsuit said. JD paid White $4,300 to conduct SIM swaps, including the swaps in May 2018 that targeted Shapiro, and paid $585.25 to White, the lawsuit said.

These employees were "prolific SIM swappers," with White conducting 29 unauthorized SIM swaps in May 2018 and Jack conducting 12 unauthorized swaps that same month, the lawsuit said.

Shapiro's complaint said:

AT&T also informed law enforcement that the hacker involved in Mr. Shapiro's SIM swap had requested that 40 different AT&T wireless accounts be moved onto his phone (identified by its IMEI number) in the months leading up to Mr. Shapiro's swap. AT&T therefore had the technology to track how many different accounts were being [moved] on to the same telephone, as demonstrated by its ability to pull this information for law enforcement. Despite its ability to track this highly suspicious behavior, AT&T failed to use this technology to protect Mr. Shapiro's account. If AT&T had proper security safeguards in place, it would have recognized this behavior, flagged it as suspicious, and prevented any further SIM swaps onto that phone—thereby protecting Mr. Shapiro.
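The check the complaint describes, counting how many different accounts are being moved onto one handset, sketched as an added example (not code from the article, the complaint or AT&T): hold any swap request that would put more than an assumed number of distinct accounts onto the same IMEI within an assumed look-back window. The event fields, the threshold, the window and the sample requests are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed policy values; the complaint does not state any thresholds.
WINDOW = timedelta(days=90)
MAX_ACCOUNTS_PER_IMEI = 2

def at(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")

# Constructed swap requests: (time, account, target IMEI, employee).
EVENTS = [
    (at("2018-03-02 10:15"), "acct-1001", "IMEI-A", "rep-17"),
    (at("2018-03-20 14:40"), "acct-1002", "IMEI-B", "rep-04"),
    (at("2018-04-11 09:05"), "acct-1003", "IMEI-A", "rep-17"),
    (at("2018-05-16 13:30"), "acct-1004", "IMEI-A", "rep-17"),
    (at("2018-05-16 13:52"), "acct-1004", "IMEI-A", "rep-22"),
    (at("2018-05-16 15:00"), "acct-1002", "IMEI-B", "rep-04"),
]

def review_swaps(events, window=WINDOW, limit=MAX_ACCOUNTS_PER_IMEI):
    """Return (account, imei, employee, 'allow' | 'hold') per request, oldest first."""
    seen = defaultdict(list)  # IMEI -> [(time, account)] for every request, held or not
    decisions = []
    for ts, account, imei, rep in sorted(events):
        # Distinct accounts requested onto this handset inside the look-back window,
        # including the request being evaluated.
        recent = {a for t, a in seen[imei] if ts - t <= window}
        recent.add(account)
        decision = "hold" if len(recent) > limit else "allow"
        seen[imei].append((ts, account))  # held requests still count as attempts
        decisions.append((account, imei, rep, decision))
    return decisions

def holds_by_employee(decisions):
    """Count held requests per employee so repeat handlers surface for review."""
    return Counter(rep for _, _, rep, decision in decisions if decision == "hold")

if __name__ == "__main__":
    results = review_swaps(EVENTS)
    for row in results:
        print(*row)
    print(dict(holds_by_employee(results)))
```

Re-swapping the same account onto the same handset (IMEI-B here) does not raise the count, so a customer replacing their own SIM twice is not held.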

Shapiro is asking the court for financial damages, saying the company violated privacy requirements applied to common-carrier phone companies under the Communications Act. His lawsuit also accuses AT&T of violating the California Unfair Competition Law by failing to disclose its inadequate security practices and by making material misrepresentations "concerning its sale of access to and safeguarding of Mr. Shapiro's" private information. The suit also says AT&T is guilty of negligence and of violating the US Computer Fraud and Abuse Act.

Man put life savings in cryptocurrency

Shapiro's lawsuit describes him as "a two-time Emmy Award-winning media and technology expert" who regularly advises large companies. Shapiro, who has a wife and two children, said the $1.8 million worth of digital currency "constituted the entirety of the profits from the sale of Mr. Shapiro's family home and his life savings." That money also included funds for his business.

"The digital currency stolen during the SIM swap attacks also included cryptocurrency raised by Mr. Shapiro for a business venture. As a result of the theft, Mr. Shapiro had to end the venture and lay off all employees," the lawsuit said.

This is not the first such lawsuit filed against AT&T. The company was also sued by a man named Michael Terpin, who says that AT&T allowed a SIM-swap hack that cost him nearly $24 million worth of cryptocurrency.

In July, a federal judge allowed Terpin's suit against AT&T to move forward, despite AT&T's arguments that Terpin didn't adequately explain how the phone hack led to the loss of his cryptocurrency and that AT&T shouldn't be held responsible for the misconduct of hackers who stole the cryptocurrency. Terpin recently wrote an open letter to Federal Communications Commission Chairman Ajit Pai, urging him to issue new security requirements that carriers would have to follow to prevent SIM-swap attacks.

When contacted by Ars about the Shapiro case, AT&T said that "We dispute these allegations and look forward to presenting our case in court." AT&T also noted that it provides customers with information about SIM-swap scams at this webpage but did not provide any specific information disputing Shapiro's allegations.

Despite disputing Shapiro's lawsuit, AT&T says on that webpage that it is improving its technology and training to reduce the likelihood of SIM-swap attacks.

SIM-swap nightmare

The lawsuit details four incidents of SIM swapping in which Shapiro was the victim.

On May 16, 2018, Shapiro was attending a conference in New York City and noticed that his phone was no longer connected to the AT&T network. Shapiro suspected that he was being victimized by a SIM swap "and called AT&T in an attempt to secure his account," his lawsuit said. The call resulted in "lengthy holds" followed by an AT&T rep suspending Shapiro's service and telling Shapiro to visit an AT&T store.

At the store in Manhattan, Shapiro bought a new iPhone and a new SIM card as an AT&T rep advised, and AT&T employees "assured him that his SIM card would not be swapped again without his authorization," the lawsuit said.

But Shapiro says he was victimized by a second SIM attack "mere minutes later" while he was still in the store. He "immediately informed" AT&T employees of the second attack and they "informed him that he needed to wait until it was his turn to be assisted," the lawsuit said.

Shapiro ended up waiting 45 minutes for help in the AT&T store. The lawsuit said:

In that time, third-party individuals were able to use their control over Mr. Shapiro's AT&T cell phone number to access Mr. Shapiro's personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company's help.

The attack was apparently exacerbated by the fact that many servi