
SoylentNews is people

posted by martyb on Monday August 20 2018, @04:36PM
from the something-only-YOU-have-know-are dept.

Submitted via IRC for Fnord666

If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.

Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.

Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.

The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.

Source: https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft


  • (Score: 3, Insightful) by Knowledge Troll on Tuesday August 21 2018, @05:49PM


    I think the other thing it takes when it comes to $20 million is to have a system around it to protect it. ..... All the stuff that cryptocurrency isn't because it's a system based on trust not being necessary.

    Bingo! And the fact that the end user in this case didn't do those things places a large portion of the blame on them for not performing due diligence in securing their pile of money. In this instance a very small portion of that $20 million could have gone to hiring a consultant that could have warned them about this. It's not good that users have to be so careful but in the absence of regulations and defined best practices that is how it has to be.

    Though, objectively: there is no blocking issue for insuring cryptocurrency though the insurance companies may charge a lot to insure it because of the risk involved and no standard policy may exist for this, possibly yet. Additionally where this user went wrong was placing trust in two actors: AT&T and the exchange. They could have instead managed their own wallet and kept it all offline and relied only on themselves and the integrity of Bitcoin which is the lowest trust of other people possible in that system. Now we are squarely at the balance of risk based on theft vs risk based on being unable to use the funds because you can't authenticate yourself any longer.

    But if you're already walking the dark streets at midnight can you sue when the flashlight you're sold goes out and you get mugged?

    That is a question with nuanced answers: there are cases where it makes sense to sue in that situation and where it does not and additionally: sue or not sue the end result has to also be evaluated.

    Let's up the stakes more: if that flashlight stops working you could die. When is that a problem? Cave diving. Anyone that cave dives and does not carry a very high quality flashlight with them is an epic idiot or suicidal. Since this flashlight is now keeping people alive the standard consumer level flashlight you pluck off the shelf at the supermarket being mass manufactured to help people find a light socket in a dark corner doesn't cut the mustard. What you need instead is something manufactured with quality materials, a robust and overbuilt design, and a very strong quality control process that accounts for errors all the way from the suppliers to getting stuff out the door. You need someone who knows your life is on the line and builds the product for that use case.

    Even with such a flashlight in cave diving you carry 3 of them because shit happens. Even the best QC process can let stuff slip through as a legitimate mistake. Nothing can ever be made perfect so you can't just reasonably sue every time something goes wrong even when using purpose built equipment. Personal responsibility comes down to understanding the space you are operating in as well as the consequences.

    Let's say all 3 flashlights fail, they are built specifically for cave diving, someone dies, and the family sues the manufacturer. Let's say the manufacturer is even liable here because they clearly made a mistake and manufactured it wrong. The family sues, the manufacturer improves their process and this doesn't happen again: that's the best case scenario I can think of.

    But the diver is still dead. Suing doesn't bring him back. If they had 3 flashlights from different manufacturers they would not have had that single point of failure and could still be alive.

    Even when the blame quite clearly lands exactly on someone else it still does not help the dead person.
