jcz1 wrote:T-Mobile Sued Over Theft of Customer's CryptocurrencyA T-Mobile customer is suing the carrier over a cryptocurrency heist.
Carlos Tapang claims that hackers broke into his cryptocurrency account because T-Mobile was fooled into transferring his account to AT&T. The hackers then used Tapang's wireless account to access his cryptocurrency account and sell virtual currencies for 2.875 in bitcoin.
Tapang, a resident of King County, Washington, noticed the theft when his phone lost its connection to T-Mobile on Nov. 7. He called the carrier, and learned that T-Mobile had canceled the service and transferred his phone number to AT&T.
"More specifically, unbeknownst to Mr. Tapang, T-Mobile had transferred control of his phone number to a device under the control of someone else," the lawsuit claims.
https://www.pcmag.com/news/359051/t-mob ... tocurrency
Looks like a new avenue of attack (at least new to me).
The article doesn't say how taking over someone's cell phone allowed access to their crypto. Any thoughts? One idea I had could be 2FA, and they already had his pwd on an exchange.
I'm guessing it wasn't stored on the phone, because they would need the physical device. Either way, it brings up a new thing to worry about, if your phone gives someone access.
From the article:
- In this case, the hackers targeted Tapang's wireless account, which was registered with one of his cryptocurrency accounts.
- The hackers had changed the passwords on one of Tapang's cryptocurrency accounts, and drained the funds inside.
- Prior to the heist, Tapang had enabled a PIN number that was supposedly needed to transfer his phone number to another carrier. But despite this, the hackers still tricked T-Mobile agents into porting Tapang's phone number to AT&T.
So it isn't 100% clear but it appears hackers fooled T-mobile into switching his account to AT&T and gaining access to his phone number. Somehow his phone number was likely linked to an exchange account where they drained his funds. So 1) he kept funds on a centralized exchange, 2) either he stored his password to his crypto exchange account on his phone (bad idea) or the hackers ALSO hacked his PC or wherever he stored his exchange account passwords. This is why we use strong passwords, 2FA, and stay as anonymous as possible on exchanges so that a hacker can't get you from just one angle. They need to hack your PC, get access to your phone number, and then you need to have $$$ sitting on an exchange.
I wonder if this dude will win the lawsuit.