"AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud," the complaint argues. "AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care."
In an emailed response to Reuters, an AT&T spokesperson asserted: "We dispute these allegations and look forward to presenting our case in court."
Terpin is seeking a verdict for compensatory damages of $24 million and over $200 million for punitive damages to "attract the attention of AT&T's senior management long enough to spend serious money on an acceptable customer protection program and measures to ensure that its own employees are not complicit in theft and fraud."
The complaint alleges that Terpin, the founder of bitcoin angel investing group Bit Angels, failed to receive protection against SIM card swaps, despite AT&T's awareness of security vulnerabilities, including that its employees "cooperate with hackers in SIM swap frauds." Terpin was the victim of two hacks in seven months.
Terpin claims that following the first hack AT&T added protections to his account that were insufficient. Despite these added security measures, Terpin's telephone account was compromised by an "insider cooperating with the hacker." The hacker is alleged to have obtained Terpin's telephone number from an AT&T store employee without presenting valid identification or the required password.
Using Terpin's personal telephone number, the hacker was able to access Terpin's online wallets, absconding with nearly $24 million in cryptocurrency.
"It was AT&T's act of providing hackers with access to Mr.Terpin's telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur," the complaint asserts. "What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner."
According to the United States Fair Trade Commission, SIM card swapping (also known as SIM jacking or SIM splitting), is a growing form of identity theft. The commission describes the scam:
"[A thief will] impersonate the victim and call the victim's mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim's phone number in the thieves' phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim's phone number in order to complete the transactions."
While the service provider may be obligated to verify the identity of all callers seeking service on an account, Terpin's allegations suggest that this does not always happen. Additionally, thieves may also impersonate a service provider's representatives to obtain the needed information to elicit a SIM card swap.
The New York State Department of State's Division of Consumer Protection has issued a consumer alert warning AT&T customers of this type of scam. These scams are presenting a threat to mobile banking, due to the high proportion of banking customers having mobile telephone numbers linked to their accounts.
This isn't the first time SIM swapping has been used by thieves to steal digital asserts. In July, a 20-year-old SIM hijacker Joel Ortiz was arrested in California for allegedly working with associates to steal cryptocurrency valued at $5 million.