T-Mobile US let hackers nick my phone number, drain my crypto-wallets, cries man who lost $20k

PIN 'ignored' – no wonder T-Mob has put out an alert

By Shaun Nichols in San Francisco

A bloke from Washington is suing T-Mobile USA after miscreants were able to steal his phone number and take all his crypto-coins.

Carlos Tapang this week told the US state's western district court that the telco broke America's Federal Communications Act when, in November of last year, it allowed strangers to get control of Tapang's phone number and use it to take over his cryptocurrency wallets and drain thousands of dollars in digital money.

According to Tapang's complaint [PDF], the raid occurred on November 7 last year when someone contacted T-Mob and asked the carrier to transfer his number to a device on AT&T's network.

Rather than ask for a PIN to authorize the transfer, which Tapang claims he had asked the telco to require as a safety precaution, T-Mobile staff simply ported the number as requested, letting AT&T assign the cell number to a device controlled by the criminals, it is alleged. From there, the thieves used the cell number to reset the password on Tapang's online cryptocurrency account – which was linked to that number – and then took over its wallets and drained his funds.

In total, Tapang's suit claims the pilfered currency amounted to 2.875 Bitcoins, worth approximately $20,350 at the time. The wallets held 1,000 OmiseGo (OMG) tokens, and 19.6 BitConnect coins, which were converted into BTC by the crooks, it is claimed.

Tapang does not appear to be the only person to have allegedly had a phone number stolen via a fraudulent port-out request. Enough victims have reported account thefts that T-Mob has set up a website to deal with the issue. Punters are told to set up a PIN to protect their numbers, but according to Tapang that safeguard is useless.

Because the biz failed to require the PIN and allowed the number to be transferred without any authentication, Tapang has accused the cell network of negligence, and says it is therefore responsible for the hack.

"T-Mobile has failed to establish or implement reasonable policies, procedures, or regulations governing the creation and authentication of user credentials for authorized customers accessing T-Mobile accounts, creating unreasonable risk of unauthorized access," the suit read.

"As such, at all times material hereto, T-Mobile has failed to ensure that only authorized persons have such access and that customer accounts are secure."

Now, Tapang is seeking a jury trial to determine damages for the alleged violation of the Federal Communications Act, breach of contract, negligence, and breach of Washington's consumer protection act.

T-Mobile USA did not respond to a request for comment on the lawsuit. ®