CHICAGO (CBS) -- A crypto conundrum; it's clear that fraud occurred, yet no one is able to help out the victim. So a Northwest Indiana man is headed into the holidays out thousands of dollars.
Morning Insider Tim McNicholas shares a cautionary crypto tale.
It all started with a text. T-Mobile told Dan Tiberi his password changed. Just one problem.
"I did not initiate that change," Tiberi said. "So I decided to call T-Mobile, and when I did, unfortunately my phone would not make a phone call. So I thought that was even stranger."
Turns out, a hacker somehow got enough of his personal information to convince T-Mobile to switch his number to another phone.
It's called a sim swap, and it's a way for bad guys to get even more information, like the security passcodes used to log in to accounts online.
They hacked into Tiberi's account with the cryptocurrency exchange Coinbase, where they stole more than $7,300 worth of a cryptocurrency called Ethereum.
Coinbase acknowledged in emails to Tiberi that an "attacker" is responsible, but nonetheless he can't get his money back.
"Once a transaction has started, they can't stop it, and they are able to collect funds for that transaction that was completed by the hacker. To me that's absolutely ridiculous," Tiberi said.
We've reported on similar Coinbase hacks for months, including a Joliet man who lost more than $100,000 of Bitcoin back in May.
Coinbase's insurance covers theft if it's from a cybersecurity breach of Coinbase's own system, but not a stolen password.
"I would suggest to people that they should keep their passwords in a more secure manner in separate devices, or at least keep it encrypted on their computers or on their phones," said Lav Varshney, electrical and computer engineering professor at the University of Illinois at Urbana-Champaign.
In Tiberi's case, the hacker even bought more Ethereum on his account.
His bank blocked that transaction, but since it was already initiated, he said Coinbase started to seize his other kinds of crypto—like Litecoin, Chainlink, and Bitcoin—to cover it.
"You gotta keep your passwords changed and up to date constantly," Tiberi said.
We reached out to Coinbase, but haven't heard back yet.
T-Mobile didn't provide specifics on this case, but they did offer several safeguards to help protect customers:
"We have several safeguards in place to help protect against this crime and offer our customers a variety of options to help them protect their own information. T-Mobile accounts must have a 6-15 digit PIN, and a customer's number cannot be ported without verification of that PIN. T-Mobile also now offers Account Takeover Protection which adds additional security to accounts by blocking unauthorized users from transferring your lines to another wireless carrier. We encourage customers to contact us to discuss security measures available to them.
• More information about T-Mobile's commitment and reporting procedures is available here.
• More information on setting a customer PIN/Passcode is available here."
for more features.