In 2021 the average person has the equivalent of a supercomputer from the early to mid 2000s in their pocket. People spend significant amounts of time glued to their smartphones doing tasks such as playing games, trading stocks, shopping, checking on their bank accounts, and socializing and communicating with friends and family. There is no doubt smartphones are embedded in our daily lives and we use them for a myriad of things both personal and public. So why not protect our smartphones like we protect our homes and cars by locking them up? Well, most smartphone users do. But what if someone had the ability to just give the key to your smartphone to someone else? Imagine someone getting access to your bank accounts, retirement accounts, stocks or crypto assets. It is very possible you or someone you know is walking around with access to hundreds of thousands or millions of dollars right in their pocket.
The media is fast to put out stories regarding data breaches. The big one I am sure everyone has heard of is the Equifax Breach of 2017. Equifax is in the business of data collection and reporting credit histories to hosts of businesses. This has allowed millions of people to access credit such as loans for cars, houses and even education, which is great. The breach of 2017 was caused by a hole in the server software Equifax used and a failure of Equifax to apply available security patches for nearly three months. It was a known problem they did not fix. Hackers were able to access the Equifax servers, which in a properly run server system, while concerning, is not the end of the world. The problem is Equifax did not properly secure and store the information contained in their databases. Equifax either used poor encryption or none at all. This resulted in the exposure of some 150 million Americans’ sensitive personal data. That is nearly half of all American citizens’ names, social security numbers, addresses and other identifying information. So yes, this was a big news story and deserved the coverage it received. However, most people whose information was part of the breach have not suffered financial loss yet; rather, they face the potential of identity theft, the cost of which is difficult to quantify.
An often not publicized hack going around for the past few years is the so-called SIM swap scheme. In this article we’ll discuss SIM swap, but the Port Out scheme is almost identical in nature and we will use the terms interchangeably. They are not covered as much as big data breaches such as the Target customer breach or the Equifax breach of 2017 since a SIM swap or Port Out usually only affects one person at a time.
A SIM (an acronym for Subscriber Identity Module) is a card inside nearly every smartphone, cell phone, or other device connected to a mobile network. The SIM contains various types of information allowing your device to connect to your carrier’s network using your information, mainly your phone number. GSM networks such as AT&T and T-Mobile use SIM cards, while CDMA carriers, such as Verizon, don’t necessarily use SIM cards because the information is embedded on the phone itself. SIM cards make portability of your information and phone number to a new device very easy, which is great for consumers wanting to upgrade or replace a broken device. If you lose your phone with your SIM, then you would need to get a new phone with a new SIM and re-link them to your old account and phone number, and then you’re back in business. The same applies to CDMA phones not using SIMs. This is where the SIM swap (port out for CDMA) scheme comes into play.
Typically the person or impostor trying to implement the SIM swap will have some information on their target such as name, address, phone number and possibly birth date or social security number. How they get this information is anyone’s guess, but maybe Equifax can tell you, or maybe it was just Google who helped them. Sometimes the impostor will bribe a carrier employee, or the employee is in on the scheme as well. While there have been cases of the impostor going into a physical mobile carrier store, more often than not the impostor will call up the target’s mobile carrier and say they lost their phone and they have a new SIM and phone they would like to use with their old phone number. In either scenario, after verifying some information such as billing address to the customer service rep, the customer service rep is more than happy to help the impostor with their problem. The impostor reads some information from the phone which identifies the device and SIM so the representative can connect the new phone to the carrier’s network. Once that is done the impostor’s phone is now connected to the network using the target’s phone number. The target’s device is disconnected from the network and is now unusable. The impostor can now send and receive phone calls and text messages as if they were the target.
Unfortunately the impostor isn’t using the target’s phone number to prank people. They are using it to gain access to the target’s accounts, whether they are financial, social media or something else. The impostor does this by going to each account and asking to reset the credentials such as the username and password. Most of us have forgotten passwords and when we try to reset them we usually receive a text message on our smartphone with a PIN to verify our identity and then reset the credentials. The impostor now has access to the phone number linked to the account and thus the text message sent containing the reset PIN. The impostor then successfully resets the password to the account with the PIN and will then most likely transfer any money, crypto asset or other valuable transferable items to their own accounts, often using intermediaries to hide their identities and the stolen property. Once the SIM swap is completed, an impostor can drain a bank or crypto account in as little as 4 minutes. For some accounts the transaction can be canceled, but for others such as crypto, the transactions are often final and irreversible.
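The reset flow described above can be modeled from the account provider's side. The following is an added example, not part of the original article: it contrasts a reset that trusts the texted PIN alone with one that holds the reset when the phone number recently moved to a new SIM. The 72-hour hold window, the `last_sim_change` lookup (a hypothetical carrier-supplied signal) and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value (not from the article): how long after a SIM change
# or port out a texted PIN is not accepted on its own.
SIM_CHANGE_HOLD = timedelta(hours=72)

@dataclass
class ResetRequest:
    account: str
    phone: str
    pin_ok: bool            # the PIN typed back matched the one texted
    requested_at: datetime

def naive_reset(req: ResetRequest) -> str:
    """The flow the article describes: a correct texted PIN is the only check."""
    return "allow" if req.pin_ok else "deny"

def hardened_reset(req: ResetRequest, last_sim_change: dict) -> str:
    """last_sim_change maps phone -> time of the latest SIM swap or port out
    (hypothetical carrier-supplied signal)."""
    if not req.pin_ok:
        return "deny"
    changed = last_sim_change.get(req.phone)
    if changed is not None:
        age = req.requested_at - changed
        if timedelta(0) <= age < SIM_CHANGE_HOLD:
            return "hold"   # ask for a non-SMS factor, alert the owner by email
    return "allow"

# Constructed sample data: the number moved to a new SIM at 14:00 and a
# password reset arrived three minutes later with the correct PIN.
SWAPPED_AT = datetime(2021, 3, 1, 14, 0)
SIM_EVENTS = {"+15550100": SWAPPED_AT}
AFTER_SWAP = ResetRequest("bank-001", "+15550100", True, SWAPPED_AT + timedelta(minutes=3))
ROUTINE = ResetRequest("bank-002", "+15550101", True, SWAPPED_AT)

def demo() -> dict:
    return {
        "naive_after_swap": naive_reset(AFTER_SWAP),
        "hardened_after_swap": hardened_reset(AFTER_SWAP, SIM_EVENTS),
        "hardened_routine": hardened_reset(ROUTINE, SIM_EVENTS),
    }

if __name__ == "__main__":
    print(demo())
```

The naive flow allows the reset three minutes after the swap because the texted PIN proves only who currently controls the number, not who owns the account.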
Obviously the impostor is at fault. But how can we catch the impostor when we know nothing about them? What has been happening recently is to shift the fault to the party who could have or should have prevented the damage, which is the mobile carrier. The carrier essentially gave away the keys to their customers’ accounts and information.
There is a growing number of SIM swap victims seeking compensation based on various forms of negligence. But for the carrier doing the SIM swap, the scheme could not have happened and the customer would not have lost something. Negligence in its simplest form is that a party, here the carrier, owed a duty of care to another, its customer, and the carrier breached that duty. The duty the carrier owed to its customer would be to protect the customer’s personal information and perhaps especially the information the FCC calls Customer Proprietary Network Information (CPNI). Furthermore, it must be proven that the failure of the carrier to protect their customer’s information was the actual cause of the customer’s loss and that the damages were foreseeable in the eyes of the carrier.
There are countless scenarios and legal theories in which negligence can be claimed and they can be quite complex and nuanced. In pursuing damages in a SIM swap scheme, claims are often based on negligence in the carrier’s policies and procedures regarding SIM swaps, and employee hiring and supervision. Gross negligence, which is similar to negligence but goes further by alleging a party acted knowingly with indifference or disregard, is also a path a victim can pursue to recover damages. Additionally, claims based on negligence per se, meaning the carrier’s violation of a regulation is in itself negligent, have merit as well. For negligence and gross negligence, the victim must prove that, but for the carrier’s action, the customer would not have been injured. While the facts and circumstances of each claim are different, typically these are the theories used to pursue a legal claim against a carrier for an unauthorized SIM swap. If Equifax was held liable for having faulty procedures and not acting, why shouldn’t mobile carriers be responsible for SIM swap schemes and port outs?
If you or someone you know has been a victim of a SIM swap or Port Out, please call our office at 646-499-5700 to see if we can help you.
Thanks for reading.
By The Law Offices of Lau & Nicolello
March 10, 2021