Carlos Tapang, a former T-Mobile customer, is suing the multi-billion dollar telecom over the theft of 2.875 Bitcoins, worth around $24,150 at press time.
According to the official lawsuit document shared by Law360, T-Mobile transferred the account of Tapang, without his authorization, to AT&T. Hackers then gained access to the AT&T account to penetrate the cryptocurrency trading account of Tapang and sell his Bitcoins.
Essentially, the hackers stole the identity of Tapang, went through a basic identity verification with T-Mobile customer representatives, and stole the funds Tapang had stored on a cryptocurrency exchange. The lawsuit described the case as an example of classic identity theft, in which hackers gained access to sensitive financial information by stealing personal data such as social security numbers and birth dates.
Most major cryptocurrency exchanges encourage users to enable two-factor authentication (2FA) via third-party applications like Google Authenticator or Authy instead of SMS. If traders opt to receive their second-factor verification codes via SMS, an attacker who takes control of the trader's mobile phone account also receives those codes and can use them to get into the exchange account.
In 2016, WhalePanda, a well-known commentator in the cryptocurrency sector, wrote that users should never use SMS for 2FA because it is the easiest 2FA method to defeat. With basic identity information, an attacker can call telecom customer representatives and request changes to, or cancellation of, an account. This is called "social engineering." WhalePanda explained:
“Don’t use SMS for 2FA. That’s the easiest one to ‘hack.’ Instead, use other 2FA tools like Authy. I’ve been using it for a while now and it’s really handy since it allows you to back everything up easily and it’s easier when you switch phones. Make sure to use 2FA everywhere possible. On the exchange, on your email, on your password manager.”
In May 2017, venture capital investor and ScrollKit founder Cody Brown experienced a similar issue with Verizon when he lost $8,000 worth of Bitcoin stored in his Coinbase account. At the time, Brown told investors in the cryptocurrency sector not to use SMS for 2FA. Brown wrote:
“I had no idea how easy Verizon and others make it for people to swipe your phone with basic information within minutes. Make sure you use GAuth or Authy or something else supporting TOTP tokens; consider a FIDO U2F device as well for your Gmail account.”
Tapang’s lawsuit emphasized that he was never notified of the cancellation of his account or the transfer of his mobile phone number to AT&T. The document reads:
“More specifically, unbeknownst to Mr. Tapang, T-Mobile had transferred control of his phone number to a device under the control of someone else. T-Mobile admitted to Mr. Tapang that, based on its records, he did not authorize the cancellation and transfer of his phone number to AT&T. T-Mobile was unable to contain this security breach until the next day or so when T-Mobile was finally able to get Mr. Tapang’s phone number back from AT&T.”
While T-Mobile was eventually able to recover Tapang’s mobile account, by then it was already too late. Tapang is demanding that T-Mobile reimburse all of his lost funds since the company had admitted its fault in canceling his mobile phone account.