A federal judge has refused to dismiss a $224M lawsuit against telecom giant AT&T for a SIM swap attack that led to $24 million in stolen cryptocurrency.
SIM-swapping is when scammers contact a carrier pretending to be their target in order to port the victim’s number to a SIM card that they control. It allows text messages and 2FA codes to be intercepted, facilitating account takeover attacks.
AT&T is facing court over allegations it violated the Federal Communications Act, a consumer contract, as well as several other laws, when hackers assumed the identity and telephone account of cryptocurrency investor Michael Terpin in 2017.
The results of the case could have implications for financial institutions which use SMS as a means of verifying account holders. Back in 2017 telecom operator 02 confirmed that hackers had exploited SS7 weaknesses in messages used by German banks.
More recently, the UK's Metro Bank confirmed that a number of its customers had funds stolen as a result of a SIM swap scam. The incident is believed to be part of a wider attack on UK banks, although no others have yet gone public.
Using SMS for multi factor authentication pushes the problem of securing online accounts to mobile network operators, whose number porting processes were historically not designed to withstand the attention of determined attackers.
Paul Dunphy, research scientist at OneSpan, says: "The result of this court case will have big implications for designers of multi factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future. I’d advise that for high value accounts individuals should avoid using SMS for multi factor authentication, especially for cryptocurrency."