Michael Terpin is a well-known investor in the cryptocurrency industry, but you perhaps know him best as the individual who lost a whopping $24 million in one of the most publicized SIM swap fraud cases in history. In an open letter published by CoinDesk on October 21, Terpin demands that the Chairman of the United States Federal Communications Commission (FCC), Ajit Pai, take decisive action against mobile carriers to put an end to SIM swap fraud once and for all.
A couple of years ago, about $24 million was stolen from Terpin’s accounts in a SIM swap hack that he blames on the ‘gross negligence’ of his mobile carrier, AT&T. He alleges that the carrier had failed to put in place basic security protocols that would have prevented his loss and that criminals continue to take advantage of that failure to steal from unsuspecting users.
Terpin reveals in the letter that he has been approached by over 50 victims of SIM swapping hacks who have lost millions of dollars in these fraud schemes, which seem to be happening with more frequency and greater losses to the victims even today. He wonders why the FCC has gone after robocalling with so much vigor, even though no one ever lost millions of dollars to robocalls, while SIM swapping is not considered a ‘top priority’ despite the harm it continues to inflict on mobile users.
“I’m sick and tired of this. This is happening while they [AT&T] deny it,” he said. “There will be no future of a billion people making use of blockchain unless the phone carriers fix this problem.”
Carriers must bolster customer security
Terpin, in his open letter to Pai, recommends that the FCC require all mobile carriers in the United States to take extra measures to secure user passwords and personal identification numbers (PINs) from their employees to better protect users from these kinds of fraud. He insists that the carriers should also be required to inform their customers of the high-security plans they offer, which must include a ‘no port’ option. This option would prevent SIM swapping fraud by requiring that a SIM swap request go through the fraud department for checks and authorization before SIM information is ported to a new phone.
The open letter to the FCC lays bare a number of facts that the FCC must consider while revising the rules and regulations that guide customer safety as far as mobile carriers are concerned. One of the most notable is the fact that mobile SIMs are no longer just number cards that identify the user’s phone to the carrier, but also a module tied to the user’s identity and a ‘key’ to many other aspects of life, including financial services and social media accounts.
To put a stop to SIM swapping fraud, or at the least make it more difficult for the scammers, Terpin urges the FCC chairman to consider the effect such cases of fraud have on the future generation of people. This is a group of people who look forward to making all their investments in cryptocurrencies and to the transforming benefits of blockchain in general. However, the fear of ‘getting hacked’ and losing everything is very real, and it is something the FCC is tasked to deal with.
How the SIM swapping fraud works
Terpin’s demands are coming at a time when cases of SIM swapping frauds have become very prevalent all over the United States. Also known as ‘SIM splitting,’ ‘port-out scam,’ or simjacking, this account takeover fraud targets weaknesses in 2-factor authentication (2FA) or two-step authentication.
In many cases, mobile carriers’ ability to easily and seamlessly port a customer’s phone number to a different SIM is all the fraudsters need to exploit to gain access to the victim’s account and money. The fraudsters often pose as the legitimate owner of a mobile phone number to dupe the mobile carrier into authorizing the porting of the victim’s number to a new device, and then use two-factor authentication on that number to fully reset associated accounts.
The problem is bigger than the FCC assumes
In his August 2018 suit against AT&T, Terpin laid blame fully on the network, claiming that the carrier was complicit in the hack because its employees played a part in the SIM swap process and the subsequent theft, which spanned a period of seven months. He alleges that the company and its employees violated the Federal Communications Act, breached the subscriber contract, and violated a number of other legal regulations. He is seeking compensation to the tune of $23.8 million and $200 million in punitive damages against AT&T.
Just a few months ago, Twitter CEO Jack Dorsey’s Twitter account was hacked using this exploit method. This demonstrates just how unsafe everyone is from this new form of crime. Terpin notes that the new generation of SIM swappers are actually sophisticated and organized criminals, some of them operating in gangs, and should be dealt with more seriously than they currently are. He suggests that, to further help the task force mandated by Homeland Security and the FBI to investigate such cases of fraud, the FCC should immediately initiate a comprehensive study with recommendations for mandatory reforms by mobile carriers, just as was done for robocalls.
Coincidentally, Terpin’s exclusive open letter to the FCC was published by CoinDesk on the same day that another SIM swapping fraud victim, Seth Shapiro, was filing a suit against AT&T for the part the company played in a hack that saw him lose over $1.8 million worth of cryptocurrencies from his exchange accounts.