
posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft
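The summary above makes one point worth seeing in working form: an SMS one-time code is delivered to whichever SIM the carrier currently associates with the number, so the strength of "SMS 2FA" is exactly the strength of the carrier's account-change controls. The following toy model is an added illustration, not code from the article, from AT&T or from any party in the case. It models a carrier whose SIM-change handler is supposed to demand an account passcode (with a flag representing a store employee skipping that check), an online service that sends SMS codes, and one defender-side mitigation: refusing SMS codes for a cooldown period after a SIM change, using the carrier's SIM-change timestamp (the kind of "SIM swap lookup" some carriers expose; here it is an assumed interface). All phone numbers, SIM ids, passcodes and timestamps are constructed.

```python
# Added illustration of SIM-swap risk to SMS-based 2FA and one mitigation.
# Not from the article; every identifier and value below is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class CarrierAccount:
    number: str
    sim_id: str                      # SIM that currently receives this number's traffic
    passcode: Optional[str] = None   # extra account passcode, as described in the story
    sim_changed_at: Optional[datetime] = None
    audit: list = field(default_factory=list)


class Carrier:
    """The phone company: it owns the number-to-SIM binding that SMS relies on."""

    def __init__(self) -> None:
        self.accounts: Dict[str, CarrierAccount] = {}

    def change_sim(self, number: str, new_sim: str, passcode: Optional[str],
                   now: datetime, agent_bypass: bool = False) -> bool:
        acct = self.accounts[number]
        # Policy: a SIM change must present the account passcode. `agent_bypass`
        # models staff skipping the check, the failure the plaintiff alleges.
        if acct.passcode is not None and not agent_bypass and passcode != acct.passcode:
            acct.audit.append(("sim_change_denied", now))
            return False
        acct.sim_id = new_sim
        acct.sim_changed_at = now
        acct.audit.append(("sim_change", now, "bypass" if agent_bypass else "passcode"))
        return True

    def deliver_sms(self, number: str) -> str:
        # An SMS goes to whichever SIM holds the number right now, not to a person.
        return self.accounts[number].sim_id


class OnlineService:
    """An exchange or bank that uses SMS one-time codes as its second factor."""

    def __init__(self, carrier: Carrier, swap_cooldown: Optional[timedelta]) -> None:
        self.carrier = carrier
        self.swap_cooldown = swap_cooldown   # None = no SIM-change check at all

    def second_factor(self, number: str, now: datetime) -> dict:
        acct = self.carrier.accounts[number]
        # Mitigation (assumed carrier lookup): if the SIM changed recently, do not
        # send a code to the phone; demand a factor that does not ride on the number.
        if (self.swap_cooldown is not None and acct.sim_changed_at is not None
                and now - acct.sim_changed_at < self.swap_cooldown):
            return {"method": "sms", "sent": False, "reason": "recent_sim_change",
                    "fallback": "hardware_or_app_factor"}
        return {"method": "sms", "sent": True,
                "delivered_to": self.carrier.deliver_sms(number)}


def run_scenario(enforce_cooldown: bool) -> dict:
    """Walk through the swap with and without the cooldown check; return what happened."""
    t0 = datetime(2018, 8, 20, 12, 0)                # constructed timestamp
    number = "+15550100"                              # constructed number
    carrier = Carrier()
    carrier.accounts[number] = CarrierAccount(number, "sim-victim", passcode="7391")
    service = OnlineService(carrier, timedelta(hours=48) if enforce_cooldown else None)

    out = {"baseline": service.second_factor(number, t0)["delivered_to"]}
    # Passcode enforced: a caller who does not know it is refused.
    out["denied_without_passcode"] = not carrier.change_sim(number, "sim-attacker", "0000", t0)
    # Passcode skipped by staff: the number now points at a SIM the customer does not hold.
    out["bypassed"] = carrier.change_sim(number, "sim-attacker", None,
                                         t0 + timedelta(minutes=5), agent_bypass=True)
    out["after_swap"] = service.second_factor(number, t0 + timedelta(minutes=10))
    # The cooldown only buys time for the customer to notice; it is not a fix.
    out["after_cooldown"] = service.second_factor(number, t0 + timedelta(hours=49))
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print("cooldown enforced:", flag, run_scenario(flag))
```

Two things the run makes visible: the passcode gate works only as long as every employee applies it, and the cooldown merely delays delivery to the new SIM rather than restoring the old binding, which is why a factor that is not tied to the phone number at all (an authenticator app or a hardware key) is the durable fix for high-value accounts.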


  • (Score: 3, Insightful) by urza9814 on Monday August 20 2018, @06:03PM (18 children)

    by urza9814 (3954) on Monday August 20 2018, @06:03PM (#723853) Journal

    1) Yes, if they get hacked because they failed to properly secure their network, it is ABSOLUTELY their fault. If you call a doctor and request some random patients' medical records, you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity? Even if the patient specifically warned the doctor not to disclose those records? Why do these kinds of rules suddenly go out the window when we're discussing a computer program rather than a human being's training program? The computer obeys the rules you give it without fail, it doesn't have off days, it doesn't get sick, it ought to be perfect. If it's not, it's only because you explicitly told it not to be.

    2) AT&T did make specific promises about the security of this account -- they allowed the user to specify a password, and assured him that changes could not be made to his account without that password. Apparently, that was a lie. The customer has every right to sue for damages resulting from that lie.

  • (Score: 4, Interesting) by Knowledge Troll on Monday August 20 2018, @06:17PM (14 children)

    by Knowledge Troll (5948) on Monday August 20 2018, @06:17PM (#723857) Homepage Journal

    I don't see this as AT&T failing to meet their security obligations for the specific reason that this is a consumer level telecommunications service and the contract probably says explicitly that damages are going to be capped at some value with that value being low because AT&T has lawyers on staff to handle issues like liability. I hate AT&T but I also recognize that this specific vector is one of many inside the world wide telephone network some of which can't be remedied by the individual Telcos at all. Which is why communicating this kind of security information without additional protections is itself irresponsible and falls squarely on the service provider.

    Do you apportion any blame to the service provider in this case?

    I think there is a reasonable argument to be made that standard consumer level telecommunications service is not suitable for securing 10s of millions of dollars worth of funds.

    you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity? Even if the patient specifically warned the doctor not to disclose those records? Why do these kinds of rules suddenly go out the window when we're discussing a computer program rather than a human being's training program?

    There is the significant difference here: HIPAA is required by law and it clearly specifies what a violation is. Where is the law and if it exists what is the nature of it that requires AT&T to secure the individual accounts of their customers? Maybe such a law should exist but I don't know of it existing currently.

    • (Score: 3, Insightful) by urza9814 on Monday August 20 2018, @07:06PM

      by urza9814 (3954) on Monday August 20 2018, @07:06PM (#723876) Journal

      Yeah, I wouldn't say they should be liable for the entire amount, and I'm sure there's some wording in their contract to that effect...but they ought to be liable for SOMETHING considering that they outright lied to their customers about the security of their product. You can't guarantee 100% perfect security, but you sure as shit can guarantee that your employees are actually providing the product that you've sold as promised. If you can't even do that, you have no right to be in business at all.

    • (Score: 2) by urza9814 on Monday August 20 2018, @07:09PM (5 children)

      by urza9814 (3954) on Monday August 20 2018, @07:09PM (#723877) Journal

      There is the significant difference here: HIPAA is required by law and it clearly specifies what a violation is. Where is the law and if it exists what is the nature of it that requires AT&T to secure the individual accounts of their customers? Maybe such a law should exist but I don't know of it existing currently.

      Sorry for the double-post, missed this part when I wrote my first one. But yes, there are laws about this too -- fraud, implied warranty, false advertising, and other consumer protections. They blatantly lied to their customer about the security products which they sold to that customer. That is absolutely illegal, and there's probably nothing they can put in their contracts to protect them entirely. They aren't responsible for the customer storing their money in stupid places, but they're absolutely responsible for their own employees failing to provide the service as advertised.

      • (Score: 2) by Knowledge Troll on Monday August 20 2018, @07:45PM (4 children)

        by Knowledge Troll (5948) on Monday August 20 2018, @07:45PM (#723884) Homepage Journal

        I think we actually agree but my view is just from how jaded I am. AT&T deserves to be held accountable for this and I don't like the current state of affairs so I'm not arguing for not fixing this. I think proving fraud on the part of AT&T will be unduly difficult, Comcast is still in business and they are much more prone to outright lying. Let's run with something easier to prove: negligence on the part of AT&T.

        However suing AT&T even into the ground won't make SMS fit for this purpose. It still won't be fit for purpose if every US carrier shit bricks and fixed their user authentication as well. There are many flaws in SS7 which can only be corrected by replacing the entire system and that's quite the chore for a global protocol.

        Let's get the telcos to actually authenticate users but also that's not going to make SMS 2FA secure.

        And I still say that trusting 10s of millions of dollars worth of funds to normal consumer level security systems firmly falls into "I told you so", "you should have known better" and "blame the victim" territory even if the general public isn't astute enough to understand it. There just isn't any other alternative I can imagine.

        • (Score: 2) by All Your Lawn Are Belong To Us on Monday August 20 2018, @09:13PM (3 children)

          by All Your Lawn Are Belong To Us (6553) on Monday August 20 2018, @09:13PM (#723916) Journal

          Kreskin hat says the case will settle for an undisclosed sum (nowhere near $23 mil but still hefty) and AT&T will go on its merry way with some in-house re-education on phishing for its associates. No need to expend the money to actually secure the system (even marginally). AT&T Free Cash Flow in 2017 of $17.6 bn on $160.5 bn consolidated revenue. One percent on their free cash flow is $176 mn. They can pay this guy off completely and won't even feel it as an interest blip.

          The other interesting thing..... I know there were other paths to go down than hold $23 mil live, but when it comes to cryptocurrency what methods and levels of security are acceptable when weighed against the need to be able to move fast when prices spike or drop? Maybe that's a condemnation of cryptocurrency all on its own: nothing stops you or indemnifies you from being robbed or cheated from it and therefore it is stupid to invest those kinds of sums in it. (Well, invest sums you can't afford the hit on, anyway - this still reads like AT&T could probably do this and not notice the loss). But what would acceptable security for high-dollar cryptocurrency accounts look like?

          --
          This sig for rent.
          • (Score: 3, Interesting) by Knowledge Troll on Monday August 20 2018, @09:57PM (2 children)

            by Knowledge Troll (5948) on Monday August 20 2018, @09:57PM (#723936) Homepage Journal

            But what would acceptable security for high-dollar cryptocurrency accounts look like?

            I wish I was rich enough to know the details of what multi million dollar checking accounts look like but I'm only privileged enough to know a little about them. I do know that people with that much money put them into accounts that are tailored to that specific use case - these are not standard consumer level accounts (also they don't cost more, they tend to pay interest even). I imagine that part of these high stake accounts include additional fraud protection and security. I'm just pointing this out as an existing case where normal consumer things do not do justice to gigantic piles of money.

            For myself I would not want millions of dollars available and liquid at all - not in a checking account, a savings account or a hot wallet at any exchange. That just sounds like it is asking for trouble and I don't exchange funds enough to require that kind of liquid access.

            Two factor authentication is a must but I would elect to keep the shared secret off line - it wouldn't even go on my cell phone because that can still be exfiltrated. U2F would be an extremely good choice with a hardware dongle or USB gumstick. Everyone will have to make a decision about the amount of risk they are willing to tolerate with having their funds stolen vs the risk they would tolerate for having the funds be unavailable because they can't use the authentication credentials for any specific reason.

            Perhaps the TL;DR is: when it comes to $20 million one needs to have the minimal trust possible in other actors. In this case the person trusted their security to both the exchange and the telephone company when none of them deserved it. I wouldn't expose myself to that risk in the first place.

            Though now if people know you have $20 million guarded by a USB gumstick on premises they have lots of incentive to pay you a visit and have a "chat" about that gumstick. Even if you store it in a safe deposit box in a bank there is still the problem of being walked down to the bank with a gun in your back.

            • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @04:51PM (1 child)

              by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @04:51PM (#724256) Journal

              Interesting, and will mod that way too...

              I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. Not just physical and data security as you mention but insurance and diversification of sources of deposit and an industry structure that has standards of acceptable practice and contingencies...... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

              Now the question is will those structures be developed around the cryptocurrency world. Without it my guess is that cryptocurrency will always stay in the extreme-speculation/junk-bond level of investing confidence, entirely aside from volatility. And it puts me into the, "I'm sympathetic but dude throws multimillions into risky system dude has little right to complain." Sue, maybe - there may still be merit here based on AT&T's alleged failure to follow their procedure. But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

              --
              This sig for rent.
              • (Score: 3, Insightful) by Knowledge Troll on Tuesday August 21 2018, @05:49PM

                by Knowledge Troll (5948) on Tuesday August 21 2018, @05:49PM (#724278) Homepage Journal

                I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. ..... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

                Bingo! And the fact that the end user in this case didn't do those things places a large portion of the blame on them for not performing due diligence in securing their pile of money. In this instance a very small portion of that $20 million could have gone to hiring a consultant that could have warned them about this. It's not good that users have to be so careful but in the absence of regulations and defined best practices that is how it has to be.

                Though, objectively: there is no blocking issue for insuring cryptocurrency though the insurance companies may charge a lot to insure it because of the risk involved and no standard policy may exist for this, possibly yet. Additionally where this user went wrong was placing trust in two actors: AT&T and the exchange. They could have instead managed their own wallet and kept it all offline and relied only on themselves and the integrity of Bitcoin which is the lowest trust of other people possible in that system. Now we are squarely at the balance of risk based on theft vs risk based on being unable to use the funds because you can't authenticate yourself any longer.

                But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

                That is a question with nuanced answers: there are cases where it makes sense to sue in that situation and where it does not and additionally: sue or not sue the end result has to also be evaluated.

                Let's up the stakes more: if that flashlight stops working you could die. When is that a problem? Cave diving. Anyone that cave dives and does not carry a very high quality flashlight with them is an epic idiot or suicidal. Since this flashlight is now keeping people alive the standard consumer level flashlight you pluck off the shelf at the supermarket being mass manufactured to help people find a light socket in a dark corner doesn't cut the mustard. What you need instead is something manufactured with quality materials, a robust and overbuilt design, and a very strong quality control process that accounts for errors all the way from the suppliers to getting stuff out the door. You need someone who knows your life is on the line and builds the product for that use case.

                Even with such a flashlight in cave diving you carry 3 of them because shit happens. Even the best QC process can let stuff slip through as a legitimate mistake. Nothing can ever be made perfect so you can't just reasonably sue every time something goes wrong even when using purpose built equipment. Personal responsibility comes down to understanding the space you are operating in as well as the consequences.

                Let's say all 3 flashlights fail, they are built specifically for cave diving, someone dies, and the family sues the manufacturer. Let's say the manufacturer is even liable here because they clearly made a mistake and manufactured it wrong. The family sues, the manufacturer improves their process and this doesn't happen again: that's the best case scenario I can think of.

                But the diver is still dead. Suing doesn't bring him back. If they had 3 flashlights from different manufacturers they would not have had that single point of failure and could still be alive.

                Even when the blame quite clearly lands exactly on someone else it still does not help the dead person.

    • (Score: 2) by sjames on Tuesday August 21 2018, @07:12AM (6 children)

      by sjames (2882) on Tuesday August 21 2018, @07:12AM (#724074) Journal

      At the same time, AT&T certainly bears some responsibility to secure user accounts from hijacking, and even moreso since they agreed to an additional security procedure which they then ignored entirely. As for limiting liability, just because it's in the contract doesn't mean the courts are obligated to follow it. Courts throw out contract terms as unconscionable all the time.

      • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @03:24PM (5 children)

        by Knowledge Troll (5948) on Tuesday August 21 2018, @03:24PM (#724210) Homepage Journal

        AT&T certainly bears some responsibility to secure user accounts from hijacking

        I don't disagree with that but I don't feel like it's going to happen. Here is one reason why: no one really cares. Here's how to prove it:

        Given that AT&T is enormous, slow to change, and one staff member making a legitimate mistake can ruin this whole thing (ie this problem exists even if AT&T improves) and they don't have a culture of security to draw from, how many people would pay more money to a telecommunications provider to get features such as strong authentication of users?

        When I ran into this exact problem with my previous cell provider I canceled the service and moved to a pre-paid option where the agents have no access to the account without a PIN. This was the only thing I could find that would meet my requirements for account takeover.

        AT&T was wrong, AT&T needs to improve, but that does not mean that personal responsibility here does not stand. Complaining about AT&T and trying to get that fixed is admirable but does nothing to help protect $20 million.

        • (Score: 2) by sjames on Tuesday August 21 2018, @05:35PM (4 children)

          by sjames (2882) on Tuesday August 21 2018, @05:35PM (#724277) Journal

          If the courts decide not caring will cost substantial money, they'll start caring.

          • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:02PM (3 children)

            by Knowledge Troll (5948) on Tuesday August 21 2018, @06:02PM (#724285) Homepage Journal

            If the courts decide not caring will cost substantial money, they'll start caring.

            Let me ask a question here: what is the correct procedure for authenticating a customer when they are dealing with something like AT&T?

            Think it all out - what is the burden of proof for the customer? How is this information transmitted? Are they going to have to show up in person with a driver's license? Who is responsible for forged documents? What about evaluation of quality of forgery? Which documents? Is a drivers license good enough or do you need a passport? How about the case where a fraudster convinces the government to issue an ID that allows them to impersonate you?

            The reason I ask is because I have heavily considered trying to create a company that would "correctly" and "strongly" authenticate the customers and I can tell you this is entirely non-obvious and highly non-trivial.

            So if the courts decide AT&T needs to be punished for not meeting an undefined metric what is that metric to be defined as?

            As long as the metric remains undefined the only means for resolution is deciding what is and is not reasonable in a court in front of a judge and possibly jury. In that situation even I would argue consumer level things are not reasonable fit for something like securing $20 million worth of funds.

            So what does the "Telecommunication Providers Must Authenticate Users Worth A Shit And Puppies Are Cute" bill that Congress needs to pass going to say?

            On the surface it seems like they could all do at least as good as the average bar with an ID scanner but that means you always go to a physical location for every customer service anything that involves authentication.

            Do you see why a second class of service is a more appropriate fit for this? The vast majority of people don't need this level of security and aren't going to be interested in that. For a large portion of people there will not be any convenient physical location to go to. For many getting to a physical location is going to be very very difficult. There is also the cost of implementation which will cause prices to go up.

            I would personally like a service that has that kind of security but I'm fucking weird.

            • (Score: 2) by sjames on Tuesday August 21 2018, @06:22PM (2 children)

              by sjames (2882) on Tuesday August 21 2018, @06:22PM (#724292) Journal

              In the case at hand, as pre-arranged with the customer, knowledge of a password was the criterion. Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

              An alternative that might be offered if agreed with the customer is that a letter is sent to the billing address containing a password that will then be accepted for changing the service. That way when the customer fails to keep track of the password, there remains a way to make a needed change.

              It isn't perfect security, but it would make any shenanigans much more hands-on and add a clear felony for tampering with U.S. mail.

              • (Score: 2) by Knowledge Troll on Tuesday August 21 2018, @06:45PM (1 child)

                by Knowledge Troll (5948) on Tuesday August 21 2018, @06:45PM (#724309) Homepage Journal

                Had the AT&T employee actually asked for the password as AT&T and the customer agreed, this wouldn't have happened.

                Considering part of the claim is that someone went down to the location in person yet AT&T didn't use a "scannable" ID is part of the claim and we are talking $20 million here I don't think that password was going to stand in the way.

                Of all the things to fault I suggest that showing up in person and not checking the ID is the biggest fuck up because someone can always go "well I forgot my password" and the CS agents are going to be happy to help them get access again. In cases like this the physical presence with physical ID is a requirement and AT&T, if we take the plaintiff's word for it, did not follow their own policy for the ID.

                I suggest though that even that ID check is not obvious on how to handle it and it is not going to tolerate very good forgeries very well.

                The idea of having a password sent in the mail is pretty good. Though for $20 million I bet it is easy to afford paying someone to steal the mail for 5 days in a row.

                • (Score: 2) by sjames on Tuesday August 21 2018, @07:13PM

                  by sjames (2882) on Tuesday August 21 2018, @07:13PM (#724316) Journal

                  Actually, if the lack of the password had prevented intercepting the 2FA, it absolutely would have foiled the theft. It was an integral part of the theft.

                  It was explicitly agreed to by AT&T and then they didn't do it. As a direct result, the phone was hijacked and the 2FA was defeated.

                  And I already suggested a mechanism for password recovery for the likely case that someone forgets their password. It would actually be harder to scam than creating a fake ID good enough to fool a poorly paid representative in a store.

  • (Score: 2) by legont on Tuesday August 21 2018, @01:41AM (2 children)

    by legont (4179) on Tuesday August 21 2018, @01:41AM (#724017)

    If you call a doctor and request some random patients' medical records, you really think the doctor isn't going to get in trouble for violating HIPAA just because he didn't bother to verify your identity?

    To be fair, doctor's records are usually protected by a $10 lock that is pick-able in under 5 minutes. However, the doctor is not responsible for an outright robbery of client's data. What AT&T needs is to move the liability to the state. It will sure happen one day - happening now - because without it capitalism cannot work.

    How does that liability moving work in Internet days? Government forces regulations on companies and as long as the company in question complies with the letter of the regulation, it is off the hook no matter how stupid the protection is.

    All of them, especially finance, are working on it right now.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @02:19PM (1 child)

      by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @02:19PM (#724173) Journal

      If there's enough money in it.

      Then you've got the other side of the spectrum like PCIDSS that moves the liability straight onto the shoulders of the merchant and away from the industry or the government. If a credit card breach happens it will be invariable that the merchant will have violated PCIDSS somehow. And the merchant will be responsible, no matter how many layers of consultants or auditors they hire.

      --
      This sig for rent.
      • (Score: 2) by legont on Thursday August 23 2018, @12:56AM

        by legont (4179) on Thursday August 23 2018, @12:56AM (#724979)

        True, there is a triage between businesses, and the governments did not finish their job either. However, the main point still stays - liability got to be reasonably moved from businesses or there will be no businesses.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.