Is My Cell Phone Company Liable for SIM Card Hacking?
AT&T and the other cell phone carriers promise to keep your personal information private. Federal and state law also require strict data security protocols. But just how secure is your information? As many customers are finding out, the answer is “not very.” When you consider the information contained on a phone’s SIM card, a successful SIM swap could be financially devastating.
SIM Swapping Hacks
A SIM card swapping hack occurs when someone tricks the phone company’s customer service center or a local phone store into believing that you lost your SIM card or that your phone’s card was damaged. The bad actor then requests that your phone number be ported to a new phone. To pull off the scheme, the impostor has to convince the phone company that they are you.
When a SIM swap hack occurs, the victim loses phone service. But that is not all. The hacker gains access to all the sensitive data stored on the card including email access and passwords.
Even if you have two-factor authentication, that won’t protect you if the confirmation text, call or email can be accessed through the cell phone.
SIM Swapping Hacks Are Real, Not Theoretical
The most recent data from the Federal Trade Commission says there were an average of 2,658 SIM swap hacks per month in 2016.
Recently several AT&T employees were caught stealing personal information from almost a quarter of a million customers and selling it. The FCC fined the company $25 million but those fines don’t do much for customers who find their financial lives a disaster after a successful hack.
Cryptocurrency Investor Loses Millions after SIM Swap Hack
Michael Terpin was a successful cryptocurrency investor. He was also an AT&T customer. Worried about his digital privacy and wary after a previous data breach, Terpin asked AT&T to apply advanced security enhancements to his account.
Did they work? If you are reading this story, you already know the answer.
An unknown hacker went to an AT&T store in Norwich, Connecticut and conned an employee into assigning Terpin’s number to a new phone. The store employee required neither ID nor a password. Before making the change, the worker should have demanded a government ID and required the impostor to recite Terpin’s six-digit security code. That didn’t happen, and incidents like this happen every day.
Immediately after stealing Terpin’s SIM, the hackers were able to steal $24 million from a cryptocurrency account. In the words of one attorney, what AT&T did is the equivalent of a hotel desk clerk giving a thief with no ID or a phony ID the key to your hotel room and the key to the in-room safe.
AT&T has 140,000,000 customers in the United States. (Most without enhanced security measures.) In our opinion, they are doing nothing to protect customers.
[Full disclosure, AT&T permitted two phones belonging to the author’s law firm to have the SIM cards swapped. We were fortunate, no data was lost.]
Terpin didn’t sit back and do nothing and neither are we.
There is evidence that sophisticated hackers are today targeting cryptocurrency traders, lawyers and high net worth individuals.
While AT&T claims it is protecting customer privacy, media reports say they are one of the worst offenders. But the problem is not limited to AT&T. T-Mobile has also been hit with SIM card hacking attacks. We have no doubt that other carriers such as U.S. Cellular and Verizon are also vulnerable.
A story called “How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards” outlines just how common this scary practice is. A Pasco County, Florida Sheriff’s Office investigation revealed instances where hackers were paying AT&T employees to assist them in their SIM swap hijacking schemes.
The Law and SIM Swap Hacking
Cell phone companies like AT&T are considered “common carriers.” Under the Federal Communications Act, carriers have “a duty to protect the confidentiality of proprietary information of, and relating to [their customers].”
The FCC has issued specific rules requiring carriers to prevent disclosure of customer information to unauthorized people. That means when a customer presents at a retail location, the carrier must obtain from the customer “a government issued means of personal identification with a photograph such as driver’s license, passport, or comparable ID that is not expired.”
The FCC takes its rules seriously, along with the obligation of the cellular companies to strictly follow them.
“[W]e hereby put carriers on notice that the Commission henceforth will infer from evidence that a pretexter has obtained unauthorized access to a customer’s [private data] that the carrier did not sufficiently protect that customer’s [data.] A carrier then must demonstrate that the steps it has taken to protect [customer data] from unauthorized disclosure, including the carrier’s policies and procedures, are reasonable in light of the threat posed by pretexting and the sensitivity of the customer information at issue.”
How Do I Sue AT&T for Allowing My SIM Card to be Hacked?
The law is clear that carriers must protect your data and protect you from unauthorized SIM card swaps. But suing them is not easy. Although some have tried, a provision in many new cell phone account agreements requires disputes to be arbitrated.
Despite the Constitutional guarantee of every American to seek redress from the courts, the United States Supreme Court says you can contract away that right. If your service agreement says you give up the right to sue, that provision is probably enforceable.
You don’t give up your claims, but you may have given up your right to have those claims decided by a jury. In our opinion, jurors are more sympathetic to victims and less so towards corporate giants such as AT&T. Arbitration cases are not heard by a jury but instead by a single arbitrator or a panel of three.
We dislike mandatory arbitrations for the above reasons and because they are conducted mostly in secret. When a case takes place in secret, big companies can better hide their dirty laundry. There is also no appeal.
If My SIM Card Is Vulnerable How Can I Ever Be Secure?
Tips for Better Two Factor Authentication
Two-factor authentication is better than nothing, but if the authentication comes to your phone by text, email or a call, it goes to the hacker if they have successfully swapped your SIM card. There are apps like Authy and Google Authenticator that allow two-factor authentication, but the authentication is tied to your actual device and not your phone number.
Another method is with a physical device such as a YubiKey, which clips on to your keychain. But if you are prone to lose your keys, the YubiKey won’t help.
Of course, if your phone suddenly stops working, contact your carrier immediately. (Hopefully you are not trying this as an AT&T customer on a Sunday.)
Help for Victims of SIM Swap Hacking
Are you the victim of a SIM Swap Theft? The attorneys at Mahany Law and our nationwide network of experienced attorneys are happy to assist. We generally do not accept cases with a loss of less than $250,000. For more information, contact us online or by email at
All inquiries are protected by the attorney-client privilege and kept confidential. We consider cases nationwide. Most cases are handled on a contingent fee basis, meaning we only get paid if we collect money for you.
Epilogue to Michael Terpin’s SIM Swap Hacking
The fateful day of the second SIM hack happened on a Sunday. As soon as Terpin learned his phone was dead, he says he immediately called AT&T to have his phone shut down. Because he was the victim of a previous hacking attempt, he correctly surmised that hackers were again trying to get passwords from his hacked SIM card. He says his urgent request was ignored.
His wife also called AT&T’s fraud department where she was promptly put on hold. In fact, no one ever answered. Apparently AT&T’s fraud department is closed on Sunday. In his lawyer’s words, “Mr. Terpin’s wife never reached AT&T’s fraud department because it apparently does not work (or is unavailable) on Sundays. But the hackers work on Sunday!”
Media reports tie the theft to a hacker named Nicolas Truglia. In addition to Terpin’s $24 million, Truglia and his gang are alleged to have stolen a total of $81 million. According to court records, Truglia said, “Nobody can get me in trouble. Nobody can put me in jail. I would bet my life on it, actually.”
He subsequently went to jail.
And why did Terpin sue AT&T instead of just suing Truglia? Our guess is that Truglia “pissed away” the money. One social media post allegedly posted by him says, “Stole 24 million can’t stay away form [sic] drugs.” He also bragged about private jet charters, expensive NYC condo rentals and the like. The deep pocket in this case is AT&T.
Need more info? Visit the FTC information page on mobile phone SIM hacking. Victim? See our contact information above. We are lawyers willing to sue cell phone companies for their negligence in allowing these hacks to occur.