Smartphone Crypto Hack: The $24 Million AT&T ‘Sim Swapping’ Mistake

How to protect your crypto if you’re a smartphone user? Don’t rely on your own devices (figuratively and literally).

Here is reason number #8,000 to protect your crypto: $24 million dollars worth of cryptocurrency were just hacked from a smartphone. U.S. investor and BitAngels founder, Michael Terpin, was attacked via an improperly acquired cell phone number from AT&T.

And, that’s likely not the last of it, with over $1.1 billion in cryptocurrency stolen in the first half of the year according to a June, 2018 CNBC article, you can bet your bottom dollar (or BTC) it will happen again.

It’s also worth noting there’s now an estimated 12,000 plus cryptocurrency marketplaces for hackers to pick from and plot accordingly.

All kidding aside, such recent hack is a perfect example of how a volatile and unregulated industry constantly avails investors and users to malicious and savvy hacking techniques, even when proper safeguards and protective measures are taken.

A tweet from Michael Terpin about the AT&T hack

Furthermore, this isn’t the first time this year a high-profile crypto investor and figure was the subject of a malicious online hack. Check out our past article detailing the nearly USD $2 million hack of Ian Balina’s funds through a compromised Evernote account.

First, let’s take a look at the hack that put Terpin out of over $24 million in cryptocurrency, the lawsuit commenced against AT&T for gross negligence and violation of their statutory duties, and several key takeaways and reminders investors should keep in mind when securing and storing their Bitcoin and other cryptocurrencies.

When debating whether to store your Bitcoin and cryptocurrency via cold storage, consider this principle: every time a hack occurs, no matter if it’s one Satoshi or two-thousand Bitcoin, it hurts the market and the price. Just don’t get hacked, even if you’re ‘okay’ with losing it.

1. Michael Terpin & the $24 Million Dollar Hack

So, you’re probably wondering, how is the world’s largest telecommunications company (and second largest mobile telephone services provider) responsible for a $24 million dollar cryptocurrency hack? Let’s take a look.

For those unfamiliar, Michael Terpin is the founder and CEO of the ‘Transform Group,’ a leading blockchain and ICO PR and strategic advisory firm, along with BitAngels, the world’s first “distributed veteran entrepreneur and angel investor group.” Terpin is no stranger to blockchain, and has been at the forefront of the crypto market, with over 31% of the crypto market represented by Transform Group and over 60 ICOs launched.

Transform Group ICO Market Share

 

That’s right, this is a man who knows the ins and outs of cryptocurrency and storage, having amassed a healthy personal and professional portfolio. So, if it can happen to him – a person who is storing and trading more than just a single month’s salary – it can happen to you.

The Facts: SIM Swapping

In a nearly 70-page complaint filed with the United States’ District Court in L.A., Terpin alleged roughly USD $24 million was stolen from his accounts through “digital identity theft” of his cell phone, noting AT&T as his cell phone service provider.

So, how did the hackers actually go about stealing roughly $24 million in tokens from Terpin?

Terpin’s complaint referenced the popular method of ‘SIM swapping’, where malicious users trick a service provider into transferring an already existing user’s phone number to a SIM card controlled by them, which can then be used to reset the existing user’s access to accounts, personal details, and passwords.

With the rise and sophistication of cryptocurrency and blockchain technology, so to have the ways malicious users and hackers who are seeking to uncover their share of the pie.

Terpin compared the act to a hotel handing over a room key, and key to the room safe, to a thief with a fake ID.

Furthermore, Terpin’s complaint charged AT&T with “willing cooperation with the hacker, gross negligence, violation of its statutory duties, and failure to adhere to its commitments in its Privacy Policy,” ultimately seeking over $224 million in punitive (punishment) damages. AT&T disputed such allegations, noting they “look forward to presenting [our] case in court.”

A statement discussing AT&T security issuesTerpin’s complaint also alleged AT&T customers have been the subject of more privacy violations than any other cell phone company and service provider.

Finally, Terpin’s complaint noted that while he had enabled two-factor authentication (2FA) on all of his accounts (along with employing the assistance of security experts and consultants), doing so was still futile where an “inside” employee essentially relinquishes your digital identity to a third-party.

A common trend that has recently plagued the crypto security-sphere is the voluntary (and involuntary) infiltration of mobile service providers by criminal gangs and hackers, who then are manipulated into assisting with a large-scale hack.

If you’d like to read up further and navigate Terpin’s 69-page complaint against AT&T, you can check it out here.

Now, let’s tackle several core takeaways and reminders investors and token holders should employ when securing their BTC and other cryptocurrencies.

2. Google Authenticator Over SMS

If you are storing any amount of cryptocurrency on a trading exchange, this should be the bare minimum an investor or user should employ to protect their crypto.

While mobile service providers, such as AT&T have proved to give up one’s digital identity altogether to hackers, there have also been countless instances of hackers exploiting known vulnerabilities in cell phone networks and intercepting SMS messages.

While it’s not a perfect solution, utilizing Google Authenticator is still an extremely effective way to combat malicious online attacks and hacks, as it generates time-sensitive codes (every 30 seconds) for users logging into an account. Such codes leave an extremely narrow window for malicious parties and hackers to access a person’s account.

Just remember to backup your Google Authenticator keys (by writing it down), in case you lose your keys or accidentally break or lose your cell phone.

CoolWallet Storage Tip: 

Before purchasing Bitcoin and other cryptocurrencies online, conduct some due diligence on what exchanges are some of the most reputable and safest. Does the exchange have a history of locking accounts for no reason? Have there been high-profile security breaches before? How easy is it to transfer and withdraw crypto from the exchange? These are just a few of the questions you should be asking yourself when deciding which exchange is right for you.

3. Cold Storage & Offline Wallets Reign Supreme

CoolWallet S Platform“It’s surprising just how easy it is without any tech skill to commit cybercrimes like ransomware.”

– Rick McElroy, Security Strategist for Carbon Black

While online Bitcoin and cryptocurrency wallets (along with storing your crypto on a trading exchange) are fine for investors storing small amounts of funds, once you crossover into the realm of “I can’t afford to lose this” territory, then you need to move your funds offline for storage.

Think of offline Bitcoin and cryptocurrency wallets as your own personal vault or safe, removed entirely from “hot” and hacker-prone Internet connections and other malicious attacks. Cold storage keeps user’s private keys offline and enables users to physically authorize and execute transactions – typically by pressing several buttons and verifying signatures before transaction confirmation.

And, with malicious attacks and hacks against cryptocurrency hardware wallets a rarity, you can rest assured your Bitcoin, Ethereum, and other cryptocurrencies are stored safely. Furthermore, several offline Bitcoin wallets allow you to store your cryptocurrency at the tips of your fingers, take for instance the CoolWallet S.

The CoolWallet S is the definition of secure crypto storage “on the go,” authorizing users to safely store their Bitcoin and other cryptocurrencies at their fingertips. Not only does the CoolWallet S pair with iPhone and Android, but it supports a fast, convenient, and easy set up, allowing users to anonymously secure their investments within mere minutes.

Furthermore, CoolWallet eliminates clunky and irksome USB cables, and is:

  • Waterproof,
  • Cold & heat resistant,
  • Impact resistant, &
  • Tamper-proof.

Mix in a recent partnership with MetaCert Protocol – the world’s most comprehensive verified address database – and CoolWallet ensures users are not only protected against malicious hacks and overrides, but fraud as well.

To read up further about the CoolWallet S and how it is overhauling traditional cryptocurrency hardware wallets and storage, check out our FAQ here.

And, if you’re wondering about the best cryptocurrency wallets in all of blockchain for securing and storing your cryptocurrencies, head on over to our ‘Cryptocurrency Guides’ corner to read up on the best Bitcoin and Ethereum wallets in out there.

4. Verify Everything & Proceed With Caution

Unfortunately, phishing is rampant in the crypto-sphere. For those unsure of what exactly phishing is, it’s defined as the fraudulent disguising of oneself as a trustworthy company or entity in order to obtain specially protected and personal information, such as one’s passwords, credit card numbers, or usernames.

At present, phishing scams are the most common method for hackers and other malicious users looking to grab a slice of a person’s crypto. And, the worst part of it all? They are actually becoming pretty good at disguising themselves as legitimate persons and entities.

From fake Vitalik Buterin Twitter accounts, to punycode text, all the way to fake ads, phishing scammers and malicious actors are taking advantage of the average person’s inability to verify and double-check basic information.

The solution? Double-check everything. Trust your gut, if something seems off, it probably is. After all, why would Vitalik Buterin (founder of Ethereum) be directly messaging you to let you know you just won 10 ETH (in exchange for sending him 1 ETH).

Whether it’s a website URL or transaction address, cryptocurrency investors and users should always be taking a second glance at the information, ID, or logo presented to them. Below are just several things you should look out for when accessing a website or confirming a transaction.

  • Is the website secure? If you’re dealing with a legitimate website and entity, when logging onto their website you should immediately notice the word “secure” next to the URL, along with the “https” in green text. Green text indicates the website has obtained its necessary security and trust certificates, allowing users to rest assured knowing they are actually using the proper website they intended to go to.
  • Do the transaction IDs match? Whether you’re using and exchange or cold storage to authorize a transaction, you’ll likely be prompted with a final confirmation containing the respective transaction addresses. Use this as an opportunity to verify that the first and last five numbers or letters in the transaction address matches up with the intended address.
  • Bookmark all important web pages: It’s not unheard of for users to mistype a URL when logging into a website, something which popular phishing scams are aware of and prey upon. Make sure to bookmark all important and frequently accessed pages, doing so will eliminate any error on your end of entering in the wrong URL or other information.

While the above three tips may seem like common sense, trust us, these are extremely common mistakes which are committed by even the most seasoned cryptocurrency investors.

Some other common methods of cryptocurrency hacks and attacks include; social engineering, physical acquisition of one’s device, computer viruses, and DDOS attacks. If you can, avoid storing your Ethereum, Bitcoin, and other cryptocurrencies with a centralized entity, and start moving your funds over to a hot wallet or hardware wallet.

Final Thoughts

A tweet from Bruce FentonWhile a bit overdone and in jest, suggesting Terpin should be awarded $10 billion in Bitcoin, mobile service provider security (or lack thereof) is quickly becoming a fundamental and popular method for cryptocurrency hacks, and should be dealt with accordingly.  

While an unfortunate happening in cryptocurrency and the world of blockchain, the hack and SIM swapping of Michael Terpin’s AT&T account, and subsequently his cryptocurrency, is another important (and all too frequent) lesson in how easy it is to fall victim to malicious attacks in this volatile cryptocurrency ecosystem.

Protecting and securing your Bitcoin and other cryptocurrencies may seem like an overwhelming and arduous process, however, there are countless, proactive steps you can take in order to do so. So, the next time you are purchasing and seeking to store your cryptocurrencies, make sure to:

  • Remain vigilant,
  • Double-check everything, and
  • When in doubt – opt for cold storage.

 

 

 

 

3 Responses

Leave a Reply