Bitcoin thought leader Michael Terpin[1] lost $24 million in various altcoins last year, and he is suing AT&T to recover that as well as $200 million in punitive damages. While this story has been covered by a few major outlets, none of them dug deep into the complaint in a way we thought properly covered it. That is what we will try to do here.
The problem, according to Michael Terpin, is that he was hacked, twice. Once through a SIM swap social engineering hack before being put on their “high-risk and celebrity” security list, and once through a SIM swap social engineering hack after being put on their “high-risk and celebrity” list.
A SIM swap hack is a process where hackers use social engineering in order to pull off their crime. They go into a wireless carrier’s store or call them on the phone pretending to be their target. They then get their SIM information transferred to a new phone. A SIM card is a piece of removable hardware that holds personal information. It also links a phone number and the subscriber. It stands for “Subscriber Identity Module” and can be taken out and put into a new phone while keeping all the same information like the phone number and contacts. In this way, SIM cards are essential for two-factor authentication (2FA). In theory, there can’t be two SIM cards representing the phone number. So if you can prove you have the SIM card linked to an online account and that account’s password, it is a fairly safe way to secure an account. The only way a SIM card can represent someone else is if an employee of the carrier changes the specific card that represents that phone number. Ideally, this should only be
