Cryptocurrency theft exposes an overreliance on two-factor authentication

Our phones are rapidly becoming a massive single point of failure in our digital lives.

Aside from being the main repository of our contacts, our photo libraries and the tools we use to conduct our everyday lives, they are ever more relied upon for authentication. While dedicated tools such as code-generating apps remain relatively secure (at least, as long as we keep hold of our devices), many service providers rely on the most basic phone-call and SMS features to check we are who we claim to be.

If a malicious third party can get a phone number redirected to a device under their control, the impact on the victim’s life can be immense. This was the situation crypto entrepreneur and advocate Michael Terpin found himself in after his mobile phone number was twice hijacked by scammers and used to authorise transactions which cost him $23.8 million.

Terpin is suing AT&T over the incident, claiming demanding damages of $200 million as well as the replacement of the funds lost to the theft. He claims that AT&T had made promises to keep his number secure after the first incident, but allowed fraudsters to claim the number a second time without proper authentication. The suit goes so far as to accuse the AT&T operative who approved the SIM transfer of collusion with the criminals.

Terpin, a former PR executive and co-founder of Marketwired, a major press release distribution service, has been a strong supporter of blockchain and cryptocurrency for several years, operating or investing in numerous enterprises in the sector.

In court papers submitted in the central district of California on Wednesday, Terpin and his lawyers go into great detail on the background of the case and what they see as AT&T’s failings. The papers describe “SIM swap fraud,” also referred to as the port-out scam, as a “metastasizing cancer attacking AT&T customers.”

Many banks and other payment providers, including cryptocurrency exchanges, routinely rely on access to a provided phone number as absolute proof of identity. You call them up, they send a code to the mobile number they have on record, and if you can provide the code they trust that you are indeed you.

But phone service providers often need to redirect a number, for example if a mobile device is lost or stolen. Their processes for doing this rely on their own means of authenticating the person requesting the transfer, in the past often based on basic, easily defeated methods like asking for a mother’s maiden name, first pet or first street, which have become simple to dig out of social networks.

While most providers have started implementing more secure methods, usually a preset PIN code, these are generally optional upgrades which most users won’t bother to activate. Even when the extra security layers are activated, as Terpin’s case seems to show, they aren’t invariably applied correctly by the provider’s operatives.

It seems there are two lessons here. First, phone service companies need to apply much more rigorous methods for authenticating their customers, especially when they are requesting something as significant as a redirect or SIM replacement. And second, regardless of any such improvements providers manage to put in place, no one serious about security should be relying on access to a phone number as proof of identity.

AT&T told Reuters that it plans to contest Terpin’s suit. With the enhanced two-factor requirements under PSD2 coming into force soon, the case could have a serious impact on what new technologies payment providers decide to offer their customers to meet the requirement for truly reliable authentication.