Why you should never use SMS for important two factor authentication

3 Min Read
521 Words


Seth Shapiro, an AT&T user had their cryptocurrency stolen during a heist thanks to AT&T handing over control of the victim's cell phone number during a robbery.

Roughly $1.9 Million USD of various cryptocurrencies were stolen when an AT&T staff member ported a number to a hacker's SIM card.

Any second-factor authentication that uses SMS is at risk for this to happen as support staff can be easily convinced to port user numbers to criminals SIM cards. Once they have a clone of the victim's SIM, they are able to confirm SMS security prompts to gain access to Exchanges, Banks, and various critical services.

With Crypto, there is nothing you can do to recover funds sent through exchanges and even personal wallets. There have been numerous cases of victims and their family members being threatened at gunpoint to give over hardware wallet passcodes.

Seth Shapiro is suing AT&T for enabling the theft of his tokens. AT&T was sued in 2018 by another victim under a similar situation. In the previous case, Michael Terpin lost over $24 Million USD in cryptocurrency. Michael Terpin won a judgement for $75.8 Million dollars against the hacker, but will not likely recover any funds as a result of the judgement. He is also suing AT&T who enabled the theft which is still in process. In February, a judge granted Michael Terpin permission to proceed with the lawsuit against AT&T. Michael's lawsuit is for $200 Million dollars in punitive damages.

Seth has been unable to obtain approval by a judge to move forward with his case against AT&T.

In both cases, AT&T was asked to be special protections on their account to prevent this situation. Any customer can contact their mobile provider to request additional security on critical account changes and this it is highly suggested you do so, even if it may not work every time.

Ultimately, it is down to the low paid and poorly trained support rep that takes the call, or the next one that takes the second and third call if the hacker is unsuccessful. With security, you have to win every battle where the hacker only has to win once.

""AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead standing by as its employees used their position at the company to gain unauthorized access to Mr Shapiro's account in order to rob, extort and threaten him in exchange for money,"
- Seth Shapiro's Lawsuit Filings

AT&T is, of course, trying to get the case dismissed, while unsuccessful so far, they have prevented Shapiro from getting approval for his case. This will likely go on for years until a settlement is reached or Shapiro is unable to continue paying his legal services.

According to an interview with CoinTelegraph, Seth's tokens were around 1,200 Ethereum stolen from his Bittrex account, around $400,000 was stolen from Wax Cryptocurrency account, and almost $1M USD worth of crypto for a project he was working on.

Securely chat with me on Keybase

Why you should vote me as witness