Submitted via IRC for Fnord666
If hackers can convince your phone company to turn over your number to them, they can defeat two-factor authentication that relies on text messaging.
Crypto investor Michael Terpin filed a $224 million lawsuit against AT&T in California federal court Wednesday alleging that the phone company’s negligence let hackers steal nearly $24 million in cryptocurrency from him, Reuters reports. He’s also seeking punitive damages.
Terpin says hackers were twice able to convince AT&T to connect his phone number to a SIM card they controlled, routing his calls and messages to them and enabling them to defeat two-factor authentication protections on his accounts. In one case, he says hackers also took control of his Skype account and convinced one of his clients to send money to them rather than Terpin.
The second hack came even after AT&T agreed to put an additional passcode on his account, when a fraudster visited an AT&T store in Connecticut and managed to hijack Terpin’s account without providing the code or a “scannable ID” as AT&T requires, he says.
(Score: 2) by sjames on Tuesday August 21 2018, @07:13PM
Actually, if the lack of the password had prevented intercepting the 2FA, it absolutely would have foiled the theft. It was an integral part of the theft.
It was explicitly agreed to by AT&T and then they didn't do it. As a direct result, the phone was hijacked and the 2FA was defeated.
And I already suggested a mechanism for password recovery for the likely case that someone forgets their password. It would actually be harder to scam than creating a fake ID good enough to fool a poorly paid representative in a store.