
posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft

  • (Score: 0) by Anonymous Coward on Tuesday August 21 2018, @03:22PM (#724209) (2 children)

    Why don't we all have one?

  • (Score: 2) by Knowledge Troll (5948) on Tuesday August 21 2018, @03:26PM (#724213) Homepage Journal

    From what I've seen after enabling 2FA most places are completely happy to still allow account recovery via a mechanism such as a registered email address which then devolves 2FA into single factor authentication based on access to the email account.

    CS agents are also notoriously happy to help out and reset authentication credentials so customers can access their account.

    The only place that I know of that would go "sorry you are locked out, we can't help you, we will not reset the authentication information, this is for your account protection" was the place I worked at previously.
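
The two weaknesses this page describes, an SMS one-time code that follows the phone number to whichever SIM the carrier currently routes it to (the story summary) and an e-mail recovery path that resets the account without ever checking the second factor (the comment above), modelled side by side in a toy Python simulation with the recovery flow in a weak and a strict setting. This is an added example, not code from the article, from AT&T, or from any commenter: the Carrier and Service classes, the phone number, the addresses and every helper name are hypothetical, and in the SIM-swap case the attacker is assumed to already hold the victim's password (for instance from a breach), since the text is only the second factor.

```python
"""Toy model: SMS codes delivered by carrier routing table, plus an e-mail
recovery flow that may or may not demand a replacement second factor.
Added example; all classes, names, numbers and addresses are hypothetical."""
import hmac
import secrets


class Carrier:
    """Routes texts by phone number -> SIM id. A SIM swap only edits this table."""

    def __init__(self):
        self.routes = {}    # phone number -> SIM id currently serving it
        self.inboxes = {}   # SIM id -> texts delivered to that SIM

    def activate(self, number, sim_id):
        self.routes[number] = sim_id
        self.inboxes.setdefault(sim_id, [])

    def port_number(self, number, new_sim_id):
        # Outcome of the social engineering: an agent repoints the number.
        self.activate(number, new_sim_id)

    def send_sms(self, number, text):
        # Delivery follows the current route, not who really owns the number.
        self.inboxes[self.routes[number]].append(text)


class Service:
    """Password + SMS-code login, with an e-mail based account recovery flow."""

    def __init__(self, carrier, require_factor_for_recovery):
        self.carrier = carrier
        self.require_factor_for_recovery = require_factor_for_recovery
        self.users = {}          # username -> account record
        self.pending = {}        # username -> outstanding SMS code
        self.mailboxes = {}      # e-mail address -> delivered messages
        self.reset_tokens = {}   # reset token -> username

    def register(self, user, password, phone, email):
        # The recovery code stands in for the second factor when the phone is gone.
        self.users[user] = {"password": password, "phone": phone, "email": email,
                            "recovery_code": secrets.token_hex(8)}
        self.mailboxes.setdefault(email, [])
        return self.users[user]["recovery_code"]

    def login(self, user, password):
        # First factor; the code is only sent once the password checks out.
        acct = self.users.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        self.carrier.send_sms(acct["phone"], f"Your login code is {code}")
        return True

    def verify_sms(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def request_recovery(self, user):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user
        self.mailboxes[self.users[user]["email"]].append(f"reset token: {token}")

    def recover(self, user, token, new_password, recovery_code=None):
        """Weak mode: the e-mailed token alone resets the password, so whoever
        holds the mailbox holds the account (2FA collapsed to one factor).
        Strict mode: the pre-issued recovery code is required as well."""
        if self.reset_tokens.pop(token, None) != user:
            return False
        acct = self.users[user]
        if self.require_factor_for_recovery and not (
                recovery_code and hmac.compare_digest(acct["recovery_code"], recovery_code)):
            return False
        acct["password"] = new_password
        return True


def sim_swap_attack(password_known_to_attacker="hunter2"):
    """Attacker knows the password and has the number moved to their own SIM.
    Returns (did 2FA pass, texts the real owner's SIM ever received)."""
    carrier = Carrier()
    svc = Service(carrier, require_factor_for_recovery=False)
    svc.register("victim", password_known_to_attacker, "+15551234567", "victim@example.com")
    carrier.activate("+15551234567", "SIM-victim")
    carrier.port_number("+15551234567", "SIM-attacker")       # the swap
    svc.login("victim", password_known_to_attacker)
    code = carrier.inboxes["SIM-attacker"][-1].split()[-1]    # attacker reads the text
    return svc.verify_sms("victim", code), carrier.inboxes["SIM-victim"]


def email_recovery_attack(strict):
    """Attacker controls only the recovery mailbox: no password, no phone."""
    carrier = Carrier()
    svc = Service(carrier, require_factor_for_recovery=strict)
    svc.register("victim", "hunter2", "+15551234567", "victim@example.com")
    carrier.activate("+15551234567", "SIM-victim")
    svc.request_recovery("victim")
    token = svc.mailboxes["victim@example.com"][-1].split()[-1]
    return svc.recover("victim", token, "attacker-pw")


if __name__ == "__main__":
    print("SIM swap defeats SMS 2FA:", sim_swap_attack())
    print("mailbox alone resets account (weak):", email_recovery_attack(False))
    print("mailbox alone resets account (strict):", email_recovery_attack(True))
```

`sim_swap_attack()` returns `(True, [])`: the code was accepted and the victim's own SIM never saw a single text, which is why the victim in the story only noticed after the fact. `email_recovery_attack(False)` returns `True` and `email_recovery_attack(True)` returns `False`; the difference is entirely in whether recovery costs the attacker a factor they do not hold.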

  • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Tuesday August 21 2018, @04:54PM (#724258) Journal

    Cause you lose your dongle or it is stolen and then you're just as screwed to get at your data as if it had been stolen?

    --
    This sig for rent.