If you accidentally leave your phone behind while out on the town, it’s easy to immediately feel panicked and worry it could end up stolen. After all, we keep a great deal of personal information of our phones, from contacts, login information, and access to our financial records. In the case of a crime called SIM swapping, the thief doesn’t even need to have your physical phone in hand to cause problems.
A SIM swap starts when a criminal reaches out to their targeted victim’s wireless phone provider. By either tricking the employee they are speaking to through pretending to be the targeted victim — or even potentially by bribery — they are able to have the victim’s phone number transferred to another SIM card remotely. Because phone numbers are often used to verify identity for various accounts, including banks, it’s then possible for the criminal to gain access to the victim’s private information and money.
For customers of the phone carrier T-Mobile, they may have thought their problems were limited to T-Mobile’s monthly bill price hike. However, a recent legal battle involving T-Mobile resulted in a $33 million arbitration award in favor of a SIM swapping victim. As details come to light in this case, T-Mobile is not coming out looking favorably. Instead, it is being accused of negligence.
What T-Mobile knew about SIM swapping
In early 2020, hackers used SIM swapping to target a T-Mobile customer. The hackers were able to steal $37 million worth of cryptocurrency from the customer. Though T-Mobile discovered what had happened within 16 minutes of the swap, the law firm that represented the victim, Greenberg Glusker, alleges that T-Mobile did not do enough to protect not only this victim, but its customers as a whole.
During the legal battle, T-Mobile was accused of not having enough security checks in place. For example, SIM swappers pretending to be the victim weren’t asked for further identity verifications, like PINs. T-Mobile also didn’t respond to strange phone activity including the phone number suddenly being used in a location far from the address it was registered to. T-Mobile only had about one hundred employees working on fraud prevention, and they were allegedly often undertrained on such tactics and handling millions of customer accounts. This is not the first time T-Mobile has come under legal fire, either, as evidenced by the 2016 lawsuit about deceptive service plans.
James Molen of Greenberg Glusker, who was involved in the legal battle, stated on the law firm’s website, “T-Mobile tried every argument to avoid responsibility, but the facts told a different story—T-Mobile failed to take the reasonable steps necessary to fix its porous security system and to protect its vulnerable customers. This trail blazing award is a crucial step in holding phone carriers accountable.”
Key takeaways from this situation
Phone carriers need to be held to a high standard. Greenberg Glusker has accused T-Mobile of attempting to seal important court documents of the case. Molen also said, “T-Mobile is trying to hide the truth. They fought accountability at every turn, from blaming the victim to obstructing evidence production. The public has a right to know how their phone provider is putting them at risk, and we are confident the court will ensure transparency.”
T-Mobile’s website encourages SIM Protection, which is available to postpaid customers. With SIM Protection enabled, you cannot move your number to a new SIM card unless that setting is disabled. However, if a criminal could bribe an employee to bypass security for a SIM swap previously, it begs the question what is being done to ensure it doesn’t happen again. A convincing criminal pretending to be the victim could potentially manipulate a T-Mobile employee into performing a SIM swap regardless of the SIM Protection setting. This further emphasizes that proper employee training and procedures for fraud detection and prevention are essential.
For customers of T-Mobile, or any phone carrier, it’s important to try to safeguard your information as much as possible behind passwords, PINs, and other measures. It’s good to know about the privacy settings on your phone and what they actually do, as sometimes the language can be misleading. Knowing more about what security measures your phone carrier has in place will help you in case you end up targeted one day.