posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of this clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft

  • (Score: 2) by Knowledge Troll on Monday August 20 2018, @07:45PM (4 children)

    by Knowledge Troll (5948) on Monday August 20 2018, @07:45PM (#723884) Homepage Journal

    I think we actually agree but my view is just from how jaded I am. AT&T deserves to be held accountable for this and I don't like the current state of affairs so I'm not arguing for not fixing this. I think proving fraud on the part of AT&T will be unduly difficult; Comcast is still in business and they are much more prone to outright lying. Let's run with something easier to prove: negligence on the part of AT&T.

    However, suing AT&T even into the ground won't make SMS fit for this purpose. It still won't be fit for purpose if every US carrier shit bricks and fixed their user authentication as well. There are many flaws in SS7 which can only be corrected by replacing the entire system and that's quite the chore for a global protocol.

    Let's get the telcos to actually authenticate users, but also that's not going to make SMS 2FA secure.

    And I still say that trusting 10s of millions of dollars worth of funds to normal consumer level security systems firmly falls into "I told you so", "you should have known better" and "blame the victim" territory even if the general public isn't astute enough to understand it. There just isn't any other alternative I can imagine.

  • (Score: 2) by All Your Lawn Are Belong To Us on Monday August 20 2018, @09:13PM (3 children)

    by All Your Lawn Are Belong To Us (6553) on Monday August 20 2018, @09:13PM (#723916) Journal

    Kreskin hat says the case will settle for an undisclosed sum (nowhere near $23 mil but still hefty) and AT&T will go on its merry way with some in-house re-education on phishing for its associates. No need to expend the money to actually secure the system (even marginally). AT&T Free Cash Flow in 2017 of $17.6 bn on $160.5 bn consolidated revenue. One percent on their free cash flow is $176 mn. They can pay this guy off completely and won't even feel it as an interest blip.

    The other interesting thing..... I know there were other paths to go down than hold $23 mil live, but when it comes to cryptocurrency what methods and levels of security are acceptable when weighed against the need to be able to move fast when prices spike or drop? Maybe that's a condemnation of cryptocurrency all on its own: nothing stops you or indemnifies you from being robbed or cheated from it and therefore it is stupid to invest those kinds of sums in it. (Well, invest sums you can't afford the hit on, anyway - this still reads like AT&T could probably do this and not notice the loss). But what would acceptable security for high-dollar cryptocurrency accounts look like?

    --
    This sig for rent.
    • (Score: 3, Interesting) by Knowledge Troll on Monday August 20 2018, @09:57PM (2 children)

      by Knowledge Troll (5948) on Monday August 20 2018, @09:57PM (#723936) Homepage Journal

      But what would acceptable security for high-dollar cryptocurrency accounts look like?

      I wish I was rich enough to know the details of what multi million dollar checking accounts look like but I'm only privileged enough to know a little about them. I do know that people with that much money put them into accounts that are tailored to that specific use case - these are not standard consumer level accounts (also they don't cost more, they tend to pay interest even). I imagine that part of these high stake accounts include additional fraud protection and security. I'm just pointing this out as an existing case where normal consumer things do not do justice to gigantic piles of money.

      For myself I would not want millions of dollars available and liquid at all - not in a checking account, a savings account or a hot wallet at any exchange. That just sounds like it is asking for trouble and I don't exchange funds enough to require that kind of liquid access.

      Two factor authentication is a must but I would elect to keep the shared secret off line - it wouldn't even go on my cell phone because that can still be exfiltrated. U2F would be an extremely good choice with a hardware dongle or USB gumstick. Everyone will have to make a decision about the amount of risk they are willing to tolerate with having their funds stolen vs the risk they would tolerate for having the funds be unavailable because they can't use the authentication credentials for any specific reason.

      Perhaps the TL;DR is: when it comes to $20 million one needs to have the minimal trust possible in other actors. In this case the person trusted their security to both the exchange and the telephone company when none of them deserved it. I wouldn't expose myself to that risk in the first place.

      Though now if people know you have $20 million guarded by a USB gumstick on premises they have lots of incentive to pay you a visit and have a "chat" about that gumstick. Even if you store it in a safe deposit box in a bank there is still the problem of being walked down to the bank with a gun in your back.

      • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday August 21 2018, @04:51PM (1 child)

        by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @04:51PM (#724256) Journal

        Interesting, and will mod that way too...

        I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. Not just physical and data security as you mention but insurance and diversification of sources of deposit and an industry structure that has standards of acceptable practice and contingencies...... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

        Now the question is will those structures be developed around the cryptocurrency world. Without it my guess is that cryptocurrency will always stay in the extreme-speculation/junk-bond level of investing confidence, entirely aside from volatility. And it puts me into the, "I'm sympathetic but dude throws multimillions into risky system dude has little right to complain." Sue, maybe - there may still be merit here based on AT&T's alleged failure to follow their procedure. But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

        --
        This sig for rent.
        • (Score: 3, Insightful) by Knowledge Troll on Tuesday August 21 2018, @05:49PM

          by Knowledge Troll (5948) on Tuesday August 21 2018, @05:49PM (#724278) Homepage Journal

          I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. ..... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

          Bingo! And the fact that the end user in this case didn't do those things places a large portion of the blame on them for not performing due diligence in securing their pile of money. In this instance a very small portion of that $20 million could have gone to hiring a consultant that could have warned them about this. It's not good that users have to be so careful but in the absence of regulations and defined best practices that is how it has to be.

          Though, objectively: there is no blocking issue for insuring cryptocurrency, though the insurance companies may charge a lot to insure it because of the risk involved and no standard policy may exist for this, possibly yet. Additionally, where this user went wrong was placing trust in two actors: AT&T and the exchange. They could have instead managed their own wallet and kept it all offline and relied only on themselves and the integrity of Bitcoin, which is the lowest trust of other people possible in that system. Now we are squarely at the balance of risk based on theft vs risk based on being unable to use the funds because you can't authenticate yourself any longer.

          But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

          That is a question with nuanced answers: there are cases where it makes sense to sue in that situation and where it does not and additionally: sue or not sue the end result has to also be evaluated.

          Let's up the stakes more: if that flashlight stops working you could die. When is that a problem? Cave diving. Anyone that cave dives and does not carry a very high quality flashlight with them is an epic idiot or suicidal. Since this flashlight is now keeping people alive, the standard consumer level flashlight you pluck off the shelf at the supermarket, mass manufactured to help people find a light socket in a dark corner, doesn't cut the mustard. What you need instead is something manufactured with quality materials, a robust and overbuilt design, and a very strong quality control process that accounts for errors all the way from the suppliers to getting stuff out the door. You need someone who knows your life is on the line and builds the product for that use case.

          Even with such a flashlight in cave diving you carry 3 of them because shit happens. Even the best QC process can let stuff slip through as a legitimate mistake. Nothing can ever be made perfect so you can't just reasonably sue every time something goes wrong even when using purpose built equipment. Personal responsibility comes down to understanding the space you are operating in as well as the consequences.

          Let's say all 3 flashlights fail, they are built specifically for cave diving, someone dies, and the family sues the manufacturer. Let's say the manufacturer is even liable here because they clearly made a mistake and manufactured it wrong. The family sues, the manufacturer improves their process and this doesn't happen again: that's the best case scenario I can think of.

          But the diver is still dead. Suing doesn't bring him back. If they had 3 flashlights from different manufacturers they would not have had that single point of failure and could still be alive.

          Even when the blame quite clearly lands exactly on someone else it still does not help the dead person.