A lawsuit against AT&T alleges that the carrier's employees helped hackers perform SIM-swap attacks on a customer and rob him of $1.8 million worth of cryptocurrency.

Plaintiff Seth Shapiro of Torrance, California, says that AT&T is liable for the acts of its employees and failed to implement systems and procedures to prevent them from pulling off the scheme. The complaint, filed on October 17 in US District Court for the Central District of California, says:

On at least four occasions between May 16, 2018 and May 18, 2019, AT&T employees obtained unauthorized access to Mr. Shapiro's AT&T wireless account, viewed his confidential and proprietary personal information, and transferred control over Mr. Shapiro's AT&T wireless number from Mr. Shapiro's phone to a phone controlled by third-party hackers in exchange for money. The hackers then utilized their control over Mr. Shapiro's AT&T wireless number—including control secured through cooperation with AT&T employees—to access his personal and digital finance accounts and steal more than $1.8 million from Mr. Shapiro.

In a SIM-swap attack, "the SIM card associated with the victim's wireless account is switched from the victim's phone" to someone else's, which "effectively moves the victim's wireless phone—including any incoming data, texts, and phone calls associated with the victim's phone—from their phone to a phone controlled by the third party," the lawsuit notes.

"The hacker's phone then becomes the phone associated with the victim's carrier account, and the hacker receives all of the text messages and phone calls intended for the victim," the complaint continues. "Meanwhile, the victim's phone loses its connection to the carrier network."

In Shapiro's case, AT&T employees did not just unwittingly give hackers control over his phone, the lawsuit says. AT&T's "employees actively profited from this unauthorized access by knowingly giving control over his phone number to hackers for the purposes of robbing him," the lawsuit says.

Shapiro backs up his lawsuit with details from a criminal case filed by the US government against nine people, including former AT&T employees Robert Jack and Jarratt White.

"[C]riminal investigations reveal that a third-party (an individual identified by authorities as 'JD') paid Jack and White to change the SIM card associated with Mr. Shapiro's AT&T account from the SIM card in Mr. Shapiro's phone to a SIM card in a phone controlled by JD and others," the lawsuit said. JD paid White $4,300 to conduct SIM swaps, including the swaps in May 2018 that targeted Shapiro, and paid $585.25 to White, the lawsuit said.

These employees were "prolific SIM swappers," with White conducting 29 unauthorized SIM swaps in May 2018 and Jack conducting 12 unauthorized swaps that same month, the lawsuit said.

Shapiro's complaint said:

AT&T also informed law enforcement that the hacker involved in Mr. Shapiro's SIM swap had requested that 40 different AT&T wireless accounts be moved onto his phone (identified by its IMEI number) in the months leading up to Mr. Shapiro's swap. AT&T therefore had the technology to track how many different accounts were being [moved] on to the same telephone, as demonstrated by its ability to pull this information for law enforcement. Despite its ability to track this highly suspicious behavior, AT&T failed to use this technology to protect Mr. Shapiro's account. If AT&T had proper security safeguards in place, it would have recognized this behavior, flagged it as suspicious, and prevented any further SIM swaps onto that phone—thereby protecting Mr. Shapiro.

Shapiro is asking the court for financial damages, saying the company violated privacy requirements applied to common-carrier phone companies under the Communications Act. His lawsuit also accuses AT&T of violating the California Unfair Competition Law by failing to disclose its inadequate security practices and by making material misrepresentations "concerning its sale of access to and safeguarding of Mr. Shapiro's" private information. The suit also says AT&T is guilty of negligence and of violating the US Computer Fraud and Abuse Act.

Man put life savings in cryptocurrency

Shapiro's lawsuit describes him as "a two-time Emmy Award-winning media and technology expert" who regularly advises large companies. Shapiro, who has a wife and two children, said the $1.8 million worth of digital currency "constituted the entirety of the profits from the sale of Mr. Shapiro's family home and his life savings." That money also included funds for his business.

"The digital currency stolen during the SIM swap attacks also included cryptocurrency raised by Mr. Shapiro for a business venture. As a result of the theft, Mr. Shapiro had to end the venture and lay off all employees," the lawsuit said.

This is not the first such lawsuit filed against AT&T. The company was also sued by a man named Michael Terpin, who says that AT&T allowed a SIM-swap hack that cost him nearly $24 million worth of cryptocurrency.

In July, a federal judge allowed Terpin's suit against AT&T to move forward despite AT&T's arguments that Terpin didn't adequately explain how the phone hack led to the loss of his cryptocurrency and that AT&T shouldn't be held responsible for the misconduct of hackers who stole the cryptocurrency. Terpin recently wrote an open letter to Federal Communications Commission Chairman Ajit Pai, urging him to issue new security requirements that carriers would have to follow to prevent SIM-swap attacks.

When contacted by Ars about the Shapiro case, AT&T said, "We dispute these allegations and look forward to presenting our case in court." AT&T also noted that it provides customers with information about SIM-swap scams at this webpage but did not provide any specific information disputing Shapiro's allegations.

Despite disputing Shapiro's lawsuit, AT&T says on that webpage that it is improving its technology and training to reduce the likelihood of SIM-swap attacks.

SIM-swap nightmare

The lawsuit details four incidents of SIM swapping in which Shapiro was the victim.

On May 16, 2018, Shapiro was attending a conference in New York City and noticed that his phone was no longer connected to the AT&T network. Shapiro suspected that he was being victimized by a SIM swap "and called AT&T in an attempt to secure his account," his lawsuit said. The call resulted in "lengthy holds" followed by an AT&T rep suspending Shapiro's service and telling Shapiro to visit an AT&T store.

At the store in Manhattan, Shapiro bought a new iPhone and a new SIM card as an AT&T rep advised, and AT&T employees "assured him that his SIM card would not be swapped again without his authorization," the lawsuit said.

But Shapiro says he was victimized by a second SIM attack "mere minutes later" while he was still in the store. He "immediately informed" AT&T employees of the second attack and they "informed him that he needed to wait until it was his turn to be assisted," the lawsuit said.

Shapiro ended up waiting 45 minutes for help in the AT&T store. The lawsuit said:

In that time, third-party individuals were able to use their control over Mr. Shapiro's AT&T cell phone number to access Mr. Shapiro's personal and financial accounts and rob him of approximately $1.8 million, all while Mr. Shapiro stood helplessly in the AT&T store asking for the company's help.

The attack was apparently exacerbated by the fact that many services use mobile phone numbers as the second factor in login systems protected by two-factor authentication. Hackers also can take control of various accounts by "exploiting password reset links sent via text message," the lawsuit noted.

The third parties who gained control over Shapiro's wireless number "used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex," the lawsuit said. Hackers also changed the passwords "for approximately 15 of Mr. Shapiro's online accounts, including four email addresses, his Evernote account... and his PayPal account," the lawsuit said.

After taking control of his cryptocurrency accounts, "hackers then transferred Mr. Shapiro's currency from Mr. Shapiro's accounts into accounts that they controlled. In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018," the lawsuit said.

14 hours later...

Shapiro says he regained access to his email and other personal accounts within 14 hours, but he never regained access to several cryptocurrency accounts and had already lost the money. As we noted in a previous article, thefts of cryptocurrency are likely permanent "since no one has the authority to cancel transactions once they're committed to the blockchain."

Shapiro says that he remained an AT&T customer after the hack based on the company's assurances that it would protect his data going forward. He changed his AT&T account passcode on the company's advice, which was supposed to prevent further SIM swaps from happening without his consent. But "Mr. Shapiro's trust in AT&T was misplaced," as he ended up being victimized by SIM swaps twice more, in November 2018 and May 2019, the lawsuit said.

Shapiro says he received a letter from AT&T in May 2019 informing him that "an employee of one of [AT&T's] service providers accessed [Mr. Shapiro's] Customer Proprietary Network Information [CPNI] without authorization." The letter also said that AT&T "notified federal law enforcement concerning the unauthorized access of your CPNI as required by Federal Communications Commission regulations."

In the lawsuit, Shapiro blames AT&T for making it possible to perform SIM swaps without his consent. AT&T's failure to establish a proper level of security means that its promises to consumers were misleading, the lawsuit said:

AT&T failed to establish a consent mechanism that verified proper authorization before Mr. Shapiro's account and the data therein was used without his authorization or consent, and disclosed to third parties. Mr. Shapiro's privacy and personal information was not safe, as demonstrated by the repeated breaches of his AT&T account. AT&T's statement that it would protect customers' privacy and keep their personal information safe is therefore a material misrepresentation.

AT&T's promise to users that it doesn't sell personal information was also false, the lawsuit says.

"As alleged fully above, AT&T employees sold access to Mr. Shapiro's AT&T account to third parties," the lawsuit said. "AT&T's statement that it would not sell customers' personal information is therefore a material misrepresentation."