T-Mobile getting sued due to alleged cryptocurrency theft

NemesisPrime_691

Apparently, T-Mobile is being sued by a man named Carlos Tapang, on claims of porting his T-Mobile phone number to someone else. Tapang states that he had a PIN set for any request to port his T-Mobile number, which the T-Mobile rep did not verify while porting the number to the thieves.

 

Quote from The Verge:

Quote

Carlos Tapang of Washington state accuses T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th last year. The hackers then cancelled his number and transferred it to an AT&T account under their control. “T-Mobile was unable to contain this security breach until the next day,” when it finally got the number back from AT&T, Tapang alleges in the suit.

 

Android Police gives a detailed account of this:

Quote

According to the complaint, Carlos Tapang had a PIN attached to his T-Mobile account for all number porting requests. However, the T-Mobile rep didn't ask for the PIN when thieves called to get Tapang's number ported. They moved the number to a device on AT&T and used that to retrieve a 2-factor code via SMS. With access to Tapang's online wallet, they siphoned all his coins and vanished into the night.

 

Reportedly, around 2.875 BTC were stolen worth 20k USD at the time. The theft took place in November last year.

Quote

The theft took place in November last year and resulted in Tapang losing 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins. The thieves converted his crypto into 2.875 Bitcoins worth about $20,000 at the time. BitConnect collapsed recently (and was most likely a Ponzi scheme), but what matters is the value of the coins when they were stolen.

 

Source: http://www.androidpolice.com/2018/02/06/t-mobile-sued-porting-mans-number-thieves-stole-cryptocurrency/

https://www.theverge.com/2018/2/5/16976114/tmobile-cryptocurrency-bitcoin-hack-security-breach-lawsuit

 

To be honest, this could blow up pretty badly for T-Mobile if it turns out to be true. Also, I don't see any fault of the guy who got scammed as he appeared to take precautions to prevent something like this from happening. The T-Mobile rep that took the call and ported the number may be punished badly though.

 

PS - This was my first Tech News and Reviews post, so a little feedback will be much appreciated. :)

 


Reminds me a lot of when Linus' accounts got hacked because some shenanigans managed to reactivate his old SIM card which can be used for resetting his accounts. I wonder why @LinusTech didn't take legal action against his old wireless carrier?

There is more that meets the eye
I see the soul that is inside

 

 


Seems like it is kind of the guy's fault for associating and trusting the T-Mobile account with their cryptocurrency.


Having a wee laugh cause this guy will be the only one to get his money back now that Bitcoin is crashing xD

(not in a mean way sorry if you invested a lot in bitcoin and it's not working out for you :(, as a joke)


18 minutes ago, Blademaster91 said:

Seems like it is kind of the guy's fault for associating and trusting the T-Mobile account with their cryptocurrency.

That's not what happened. 

AMD Ryzen R7 1700 (3.8ghz) w/ NH-D14, EVGA RTX 2080 XC (stock), 4*4GB DDR4 3000MT/s RAM, Gigabyte AB350-Gaming-3 MB, CX750M PSU, 1.5TB SDD + 7TB HDD, Phanteks enthoo pro case


17 minutes ago, Coaxialgamer said:

That's not what happened. 

Well more like it could have been avoided if they didn't use SMS 2FA on their coin wallet. Interesting to happen now as Bitcoin is crashing, though I do think that T-Mobile will likely settle it since $20k isn't much to them and would be good PR to reimburse them the value lost.


39 minutes ago, RorzNZ said:

Having a wee laugh cause this guy will be the only one to get his money back now that Bitcoin is crashing xD

(not in a mean way sorry if you invested a lot in bitcoin and it's not working out for you :(, as a joke)

It didn't crash. It would crash if it went below the latest low ($5500), which it didn't. Now it has actually been going up and is over 8k again lol. 

CPU: Ryzen 7 5800X Cooler: Corsair H100i Platinum SE Mobo: Asus B550-A GPU: EVGA RTX 2070 XC RAM: G.Skill Trident Z RGB 3200MHz 16CL 4x8GB (DDR4) SSD0: Crucial MX300 525GB SSD1: Samsung QVO 1TB PSU: NZXT C650 Case: Corsair 4000D Airflow Monitor: Asus VG259QM (240Hz)

I usually edit my posts immediately after posting them, as I don't check for typos before pressing the shiny SUBMIT button.

Unraid Server

CPU: Ryzen 5 7600 Cooler: Noctua NH-U12S Mobo: Asus B650E-i RAM: Kingston Server Premier ECC 2x32GB (DDR5) SSD: Samsung 980 2x1TB HDD: Toshiba MG09 1x18TB; Toshiba MG08 2x16TB HDD Controller: LSI 9207-8i PSUCorsair SF750 Case: Node 304


3 hours ago, Blademaster91 said:

Well more like it could have been avoided if they didn't use SMS 2FA on their coin wallet. Interesting to happen now as Bitcoin is crashing, though I do think that T-Mobile will likely settle it since $20k isn't much to them and would be good PR to reimburse them the value lost.

Bitcoin is recovering...  It's at 8200$ now vs 6200 a couple days ago

AMD Ryzen R7 1700 (3.8ghz) w/ NH-D14, EVGA RTX 2080 XC (stock), 4*4GB DDR4 3000MT/s RAM, Gigabyte AB350-Gaming-3 MB, CX750M PSU, 1.5TB SDD + 7TB HDD, Phanteks enthoo pro case


Reminds me of when I accidentally ported over the wrong Sprint phone number to a Verizon account. Despite having the wrong billing address and PIN, the number still made it to Verizon, making me question the process and the security of porting, and if T-Mobile is really alone in the porting attack.

if you have to insist you think for yourself, i'm not going to believe you.


The list of reasons that T Mobile is a shit company keeps growing.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


So this is about someone who used SMS two factor and T-mobile gave his SIM to some attacker, allowing them to get his codes, even after he had tried to setup additional security with them to avoid this exact thing?  Hm, sounds familiar doesn't it?

 

Well if I am understanding that correctly, I hope this guy wins the lawsuit, and I hope he gets his money back plus a large bonus.  Not because I really think this guy deserves it (on that I am rather indifferent), but because it might finally send a message to these incompetent providers that this kind of thing does happen, it has serious consequences, and they can and will be held responsible.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Lol...TMobile. Verizon REQUIRES the account PIN to do anything.

 

 


20 hours ago, Eibe said:

It didn't crash. It would crash if it went below the latest low ($5500), which it didn't. Now it has actually been going up and is over 8k again lol. 

 

Why do people keep saying this?  The definition of crash in finance is quite broad.  Just like the term bubble has no defined values that determine it to be a "bubble" neither does a crash.   A crash is simply a sudden loss of value on any stock or commodity.     It went down hard and fast, regardless if it climbs back, stays down or otherwise does somersaults in the back yard, nothing will change the fact it crashed.  

 

EDIT: more on topic, with everything being 2fa (banking, steam, ebay and paypal,  etc) mobile carriers are now the guardians of all security whether they like it or not.  Time to step up telco's.

 

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


For anybody out there who uses 2FA on their phone via SMS or phone call, I highly recommend getting a 2nd phone with a different number that you've never used before for your 2FA. There are phone services out there that don't cost a cent and give you SMS, voice, and data for free with a dedicated phone number.

 

After LMG's stuff got hacked, I went out and got a new phone and phone number for all of my important stuff that is too ignorant to support anything other than SMS.

-KuJoe


15 hours ago, Ryan_Vickers said:

because it might finally send a message to these incompetent providers that this kind of thing does happen

To play devil's advocate here I think that consumers also need to get this message. Next time a consumer wants to write a bad review because their provider was "giving them a hard time", hopefully they'll STFU and consider that all of the hoops they just jumped through because they forgot their password was to protect them and not because the rep thought it would be funny.

-KuJoe


19 minutes ago, mr moose said:

Time to step up telco's software developers.

Fixed that for you. Security that relies on SMS is just as bad as security that relies on password.

-KuJoe


4 minutes ago, KuJoe said:

Fixed that for you. Security that relies on SMS is just as bad as security that relies on password.

so what would you propose for better authentication?   Personally I don't know, except to say that this is the way everyone is going and I have no choice, so if it isn't good enough then the telco's are going to have to make it as good as they can or a better proposal has to be made.

 

 

Also on a different note, I have it on LTT authority that bitcoin is superior to conventional currency because it can be tracked.  Can someone explain how this happened?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


5 minutes ago, mr moose said:

so what would you propose for better authentication?   Personally I don't know, except to say that this is the way everyone is going and I have no choice, so if it isn't good enough then the telco's are going to have to make it as good as they can or a better proposal has to be made.

 

 

Also on a different note, I have it on LTT authority that bitcoin is superior to conventional currency because it can be tracked.  Can someone explain how this happened?

There are plenty of better options, Google Authenticator is the most popular but there's RSA SecurID and DuoSecurity which are really nice also. Both are independent of your phone number so the attacker would need physical access to your phone to access your 2FA.

 

As for the bitcoin being tracked, you can follow the path of a bitcoin via the blockchain so all you need to know is when it's spent on something that identifies you to trace it. This is why the hackers who did the ransomware attack haven't withdrawn their bitcoins yet because once they do the internet can track them down much easier.

-KuJoe


14 minutes ago, KuJoe said:

There are plenty of better options, Google Authenticator is the most popular but there's RSA SecurID and DuoSecurity which are really nice also. Both are independent of your phone number so the attacker would need physical access to your phone to access your 2FA.

 

As for the bitcoin being tracked, you can follow the path of a bitcoin via the blockchain so all you need to know is when it's spent on something that identifies you to trace it. This is why the hackers who did the ransomware attack haven't withdrawn their bitcoins yet because once they do the internet can track them down much easier.

Cheers.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 hour ago, mr moose said:

so what would you propose for better authentication?   Personally I don't know, except to say that this is the way everyone is going and I have no choice, so if it isn't good enough then the telco's are going to have to make it as good as they can or a better proposal has to be made.

2 step authentication over SMS is bad though. Not only is the encryption often weak or non-existing, it is also susceptible to attacks like these.

Solutions like Google Authenticator or other TOTP/HOTP programs are better. They don't suffer from any of the SMS drawbacks. They are not tied to your phone number, and the communication can be properly encrypted and validated.


7 hours ago, KuJoe said:

To play devil's advocate here I think that consumers also need to get this message. Next time a consumer wants to write a bad review because their provider was "giving them a hard time", hopefully they'll STFU and consider that all of the hoops they just jumped through because they forgot their password was to protect them and not because the rep thought it would be funny.

That is true, and is part of the equation, but in the meantime, an acceptable middle ground would be to at least offer proper security for those who explicitly request it, rather than just no one.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


15 hours ago, Ryan_Vickers said:

That is true, and is part of the equation, but in the meantime, an acceptable middle ground would be to at least offer proper security for those who explicitly request it, rather than just no one.

And, if someone explicitly sets up a PIN to control access to a service then the provider should actually require it.

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II


On 2/7/2018 at 6:37 PM, Mooshi said:

Lol...TMobile. Verizon REQUIRES the account PIN to do anything.

For porting, Verizon requires an account number too!
