Last week was blockchain week in New York, and on Wednesday I was at the Consensus conference to moderate a couple of panels, one of which was titled “Policing the Blockchain: Protecting Investors and Consumers.”
It was an exciting discussion for me, because one of the panelists, Michael Terpin, had been the victim of a SIM-swapping, or phone-number porting attack, in which thieves took control of his phone and email accounts and used their access to pillage some $24 million of Terpin’s cryptocurrency. I’d written a magazine feature for Fortune on the trend back in 2017, and it is now so common that several investors were hacked while attending last year’s Consensus conference; when I polled the audience at my panel, at least two people in the crowd admitted to having experienced a similar attack.
When I covered the issue almost two years ago, catching the culprits seemed rather hopeless, given the scant attention these cases were getting from law enforcement. But in Terpin’s case, investigators in California managed to track down at least one of the thieves, who has since pleaded guilty to stealing the crypto—and last week, days before our panel, a court awarded Terpin nearly $76 million in damages.
Finally, it seems, there is justice for victims of crypto theft.
But throughout the discussion another disturbing pattern emerged. Terpin’s investigation had led him to AT&T, his cellphone carrier at the time, which he is now suing in federal court. (AT&T ranks No. 9 on this year’s Fortune 500 list, which we just released last week.) Terpin, who runs a blockchain-focused PR firm, alleges that the attackers took control of his phone by convincing an AT&T store employee to switch his phone number to a new device despite not knowing his PIN code. Often, Terpin said on the panel, attackers will bribe AT&T employees with $100 to override the PIN requirement; more than 40 phone hacks track back to one employee in a store in Tucson, Arizona, he claimed.
An AT&T spokesperson told the New York Post last month that “Mr. Terpin is wrong, and we have asked the court to dismiss his complaint.”
But David Silver, a lawyer who specializes in going after cryptocurrency fraud, also sat on the panel. And not only was Silver a victim of the same type of attack when he, like Terpin, used AT&T as his cellphone carrier, but the lawyer is now representing more than 30 other clients who are suing AT&T for the attacks they suffered themselves. (While he is also pursuing similar cases against Verizon, T-Mobile and Sprint, they are far fewer in number, Silver said.)
While the hackers have gotten more sophisticated, Silver said, “for lack of a better term—hell, I’m on camera—AT&T is working with them.”
AT&T is “the absolute weak link,” added Terpin, who is now advocating for regulations that would put more security in place to prevent carriers from so easily handing over or bypassing customers’ PIN numbers.
“Michael and I will both tell you, AT&T’s security isn’t worth the money you pay for it,” said Silver.
Their advice: “If you have an AT&T account, switch it over immediately to anybody else,” Terpin suggested. He recommends using Google Fi or T-Mobile instead.
For now, Silver is forced to argue his cases in private arbitration with AT&T, and according to him, the cellphone carrier is claiming that its terms of service shield it from liability in all such cryptocurrency thefts.