The Bittrex Cryptography Exchange is being sued for a SIM card exchange allowing criminals to obtain 100 bitcoins, which currently stands at nearly a million dollars worth.
The case resembles other high-profile recent flights in which a hacker takes control of a victim's mobile phone to loot encrypted online accounts: the exchange was made by the AT & T cellular carrier, l money was withdrawn from Bittrex and hacking took control of the victim online. identity.
The hacking against Seattle-based angel investor Gregg Bennett, however, has not been resolved by investigators, unlike others that have been made public as part of legal filings.
In that case, Bennett sued the Washington County Superior Court in Washington State alleging that Bittrex had violated its own published security protocols and ignored the privacy standards. industry, thus missing the opportunity to prevent burglary. He also alleged that Bittrex had not acted like the piracy of April 15, 2019 was underway or had reacted quickly enough once he had reported it directly.
The Washington State Regulator's Regulatory Financial Examiner, the Department of Financial Institutions, concluded that Bittrex had not "taken reasonable steps to respond" to Bennett's notice and " seemed "to have violated his own conditions of service, in a signed contract. letter dated August 30, 2019 provided to CoinDesk by Bennett.
Although various legal entities have been informed of the hacking, they have not yet announced any criminal charges in this case. As a result, we do not know where Bennett's bitcoin is.
Bittrex declined to comment specifically on Bennett's hacking and the lawsuit.
CEO Bill Shihara spoke with CoinDesk about other recent SIM card hackers, saying the exchange had robust security to prevent account violations, including authentication. two-factor and checking email when an unknown IP address connected to an account.
These "slowdowns" could lead to complaints from some users, he said, but "they actually avoid many accounts being hacked".
But since a target's e-mail can also be violated, it's best to never trust his phone as the last security stop – once it's taken care of, everything can be accessible, a- he said:
"I think it's a problem that requires a lot of solutions and many layers of security. And unfortunately, one of the mantras we often use and publish is that at the end of the day, you can not trust your phone. You should know that you may lose control of your phone. "
The role of AT & T
Bennett told CoinDesk that he suspected his hacking was "an internal job" because he had stated that his PIN and even his Social Security number had been changed, which would imply that someone from the telephone company played a role.
However, AT & T is not named in the Bennett lawsuit, while it is the subject of similar cases filed by Seth Shapiro and Michael Terpin.
The Bennett case only concerns security issues in Bittrex, but the door has remained open. AT & T "will not escape my anger," he said.
AT & T spokesman Jim Greer said he could only reiterate his earlier responses to SIM card piracy: customers should avoid relying on their cell phones for reasons of security.
"Fraudulent SIM card swaps are a form of theft committed by sophisticated criminals. We work closely with our industry, law enforcement and consumers to stop this type of crime and prevent it, "Greer said.
Bennett says Bittrex should have known that something strange was coming up.
The hacks came from a Florida IP address and an NT operating system, never used before – the two signs, in his mind, that it should be clear that he was not the one who accessed the account.
Bennett alleges in the lawsuit that the hackers eventually emptied 100 bitcoins from his account – the maximum daily withdrawal allowed. In fact, he had a series of coins that the pirates had stolen at prices lower than those of the market, converted into 30 extra bitcoins and traded with them.
They even came back the next day to recover their remaining 35 bitcoins, but at that time, Bennett said he managed to get Bittrex to close the account and withdrawals unauthorized.
Bennett's lawsuit alleges that Bittrex did not follow industry safety standards in its case.
Beyond the different IP addresses and operating systems, his lawyers claimed that Bittrex should also have imposed a 24-hour suspension of withdrawal after changing the password, which according to other exchanges.
"What I blame Bittrex for is their inability to see suspicious activity obvious," Bennett said.
Image of the SIM card via Shutterstock