17 Comments
Sep 30, 2022 · Liked by Eric Falkenstein

Dear Eric, brother in the Lord, I am so sad that this happened to you. I will tighten up what I store in my Google Account, deleting passwords for financial and social/search websites.


Wow, Eric. I'm so sorry this happened to you.

Oct 11, 2022·edited Oct 11, 2022

Thank you for writing this. My T-Mobile SIM card was “reassigned” last month and my Gemini account was hacked, but I received notification of the sell request and immediately froze my account. Fortunately no withdrawals were made. Your information helps me to understand what happened and what other accounts I need to check.

I know better than to hold crypto on exchanges due to my tech background, but I take a calculated risk on stablecoins to earn good interest. I never imagined someone could take over my phone number; it’s a scary thought since it’s used for authentication for many things.

author

Lucky you! BTW, did you use Authy? I'm still trying to figure out how they repopulated, or got around, these things (Authy and Authenticator).


The scary thing is T-Mobile obviously hasn’t fixed the problem/person. I agree with you, it sounds like an inside job, which is always the biggest security risk. And key management.


Yes I used Authy. I think once they “own” your cell number they can set up Authy on whatever device they’re using. But I’m unfamiliar with exactly how it works. Gemini had me have Authy reset and re-install. They also said to make sure to turn off “Allow additional devices”. But in this case, I doubt it would have made a difference. I’d like to know the inner workings of the 2FA apps too.


Eric, this is terrifying and I'm sorry it happened to you. So much of our technology, and hence our lives, is built on shifting sands.

I'm interested to understand why it would cost 100k and take two years to specifically get around the EULA's "contract of adhesion" and obtain standing. This doesn't quite sound right; or, rather, it sounds like an estimate for bringing the whole lawsuit to fruition rather than just enabling standing. Either way I would be interested to understand this aspect of your story better.

Based on my experience successfully winning a lawsuit in an area that few lawyers wanted to touch: typically in these situations you would want to find a motivated attorney who is clever enough to figure out where T-Mobile is vulnerable to paying a higher amount of damages, and thereby can create a situation worth underwriting for the both of you.

But perhaps this area is yet more unfavorable than what I experienced; nonetheless my intuition is that smart lawyers (or sufficiently motivated laymen who can work through legal documents) can usually find the right point of leverage.

author

I think someone within T-Mobile made the transfer, and Kraken's protocol had a 'bug,' but as I can't get any information out of them, I'll never know.

Getting the standing to sue for negligence would require getting around the 'contract of adhesion' in the EULA. That would only take $20k or so, and maybe 6 months. Then there would be the suit for damages, which if we went to closure would be another $100k and another year. My attorney works for a big law firm, and he had no clue where anyone would be vulnerable, and neither did anyone in his firm. The FBI had zero to say about T-Mobile transferring my number or Kraken's removal of my withdrawal restriction.

When the estimate for my suit would be 1 year and $100k, and these things are usually underestimated, it does not make for a good investment. If I search online, all I get are scammers, so it's definitely something for word-of-mouth as opposed to using a search bar.


1. I guess my question is something to the effect of: what does "getting around the 'contract of adhesion'" consist of? Why would that take $20k? I can't think of anything you could pay for that would resolve any of the legal issues surrounding standing. Unless they mean the litigation concerning standing would itself take $20k and six months to resolve.

2. Big law is usually not the place to go. Unless you need high quality boilerplate (whose value I do not denigrate), they are generally not willing to be helpful or creative unless you're a major client.

3. You may want to consider a less pedigreed attorney who is not necessarily a specialist and pays less attention to the substantive details of the case.

The salient fact seems to me this: T-Mobile probably does not want a lawsuit on these facts because the public would be terrified if they knew something like this could happen. Therefore it does seem to me there's at least something to win a settlement from, and if you have a lawyer who knows how to scare T-Mobile's legal department and file an invidious-sounding suit you might be able to get something out of it.

Judges have very little ability to sort through technical information; you can allege all sorts of things without much evidence and still scare your opponent badly if your narrative is suitable.

I would say in this context standing is *the primary issue* because there's a reasonable chance you make the rest of it work. Once you get past that I think T-Mobile would be quite likely to settle, and quite handsomely so if you can come up with a claim that involves punitive damages, or something that goes beyond the limited measure of restitution.

Again, I speak only from my experience; I'm not a lawyer. But I did win a reasonably tough suit in a situation where the preponderance of lawyers - everyone from small-time practitioners to Big Law partners - told me it wouldn't be possible, even with a large outlay.

The trick in my case was convincing a lawyer that there was enough liability on the other side to warrant taking part of the case on contingency; it ended up being a big win for both of us. So finding the right lawyer, which took me nearly 12 months and forty interviews, was the main thing: it turned out to be Ron DeSantis's roommate from Harvard Law, a Cuban immigrant who was running a one-man shop in Nashua, New Hampshire.

Again, I can only speak from my experience. But I wish you the best and suggest you don't easily capitulate on this; there probably is a way through. Resilience and grit have a way of paying off in these situations.


Eric, thank you for sharing. If this can happen to you it can certainly happen to anyone, so sorry.


Total bummer. But thanks for the details. Hopefully this helps others. I'm changing my protocol now.


Do you know which provision in T-Mobile's EULA prevents you from having standing? They seem to be the most culpable in this sad tale.

author

No. It defies my non-lawyerly intuition, but I suppose that's why EULA agreements are ubiquitous.


Can't imagine one could win that one. The original sin was to use SMS as a security device.

SMS is not designed to be secure; it's all plain text and unencrypted. Nor is a phone number supposed to be in any way a secure ID. All telcos probably disclaim any responsibility for such off-label uses in their terms.

Kraken, on the other hand, may have allowed email+SMS as sole form of authentication, which is irresponsible of them. In the old days you at least got a letter in the post to reset lost credentials (not very good, but harder to hack and gives more time to react) but everyone wants quick and easy. The stonewalling from Kraken is not surprising...

author

I have tried various ways to trick Kraken and I always get asked for my Authenticator code, which is different than SMS. Still puzzled.


Kraken says to contact customer support if you lose Authenticator, which is normal (self service bypass would be crazy). Then they may allow email+sms, with maybe some personal data that a hacker can find, at the discretion of operator and/or fraud detection software. May be guessing wrong, but it is certain there is a bypass, because they can't just lock out everyone who loses their phone.

author

I saw several emails from Kraken during my back after the fact, and none mentioned this. Further, the hacker got onto my Coinbase account, which also requires Google Authenticator, and again I saw no records indicating an SMS or email was used to obviate the Authenticator code requirement.
