T-Mobile Negligent in $290K Crypto Theft After SIM Swap, Says Plaintiff
Plaintiff Jesus Marcos lost “hundreds of thousands of dollars in money and cryptocurrency” as a result of T-Mobile’s negligence in a SIM swap, alleged his 18-count fraud complaint Tuesday (docket 5:24-cv-00085) in U.S. District Court for Central California in Riverside.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The Riverside County, California, resident is suing T-Mobile and Does 1-10, which could include T-Mobile third-party retailers, customer service centers or other employees or agents of the carrier, for the Jan. 23, 2022, transfer of control of Marcos’ account and phone number “using T-Mobile login credentials and a T-Mobile device to an unauthorized third party.” T-Mobile’s transfer -- "whether acting as the thief, a co-conspirator to the theft or through abject negligence" -- led to the “almost immediate theft of more than $290,429.12 in property, including cryptocurrency assets,” from Marcos, it said.
T-Mobile “transferred control” of Marcos’ account and phone number through an unauthorized SIM swap to an unauthorized individual, “disconnecting the telephone number from Plaintiff’s wireless phone’s SIM card and connecting the telephone number to a SIM-card under the control of the unauthorized individual,” the complaint said.
The carrier didn’t confirm a SIM swap had occurred on Marcos’ account until it sent him a letter in the mail on March 7, 2022, saying an “unknown party” assigned his phone line to a SIM card “in a device other than yours on 1/23/2022,” the complaint said. Despite T-Mobile’s assertion that an unknown party assigned Marcos’ phone line to a different SIM card, it “was instead a T-Mobile employee, agent, dealer and/or vendor” who assigned his phone line to a different SIM card, it said.
The complaint noted “numerous large-scale data breaches and thousands of instances of mishandling of customer account information” at T-Mobile since 2009 that have affected millions of customers, despite the carrier’s duties under Section 222 of the Communications Act to protect their confidential and customer proprietary network information (CPNI).
Safeguards carriers are required to implement under Title 47 of the Code of Federal Regulations include training personnel on when they’re authorized and not authorized to use customers’ CPNI, the complaint said. Carriers must take “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI,” the complaint said, citing Title 47, and they must “authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit."
In stores, a carrier is allowed to disclose CPNI to a customer who first presents to the carrier or its agent a "valid photo ID matching the customer’s account information,” the complaint said. The complaint cited a 2007 “pretexting order” under 22 FCC Record 6927, citing the practice of “pretending to be a particular customer or other authorized person in order to obtain access to that customer’s call detail or other private communications records” and the need for the FCC to take additional steps to protect customers from carriers that fail to adequately protect CPNI.
The FCC modified its rules to impose additional security for carriers’ disclosure of CPNI and to require that law enforcement and customers be notified of security breaches involving CPNI, the complaint said. T-Mobile violated Section 222 and CPNI rules “and further ignored warnings of the Pretexting Order” when the carrier performed an unauthorized SIM swap on Marcos’ phone, providing control of his phone number and access to his confidential information to a T-Mobile employee or third party unknown to Marcos, “but likely known to T-Mobile,” it said.
SIM swaps, unlike data breaches where companies play a passive role, are “effectuated by the wireless carrier itself,” said the complaint. In Marcos’ case, T-Mobile “approved and allowed the SIM card change,” without Marcos’ authorization and without following its policies and procedures,” the complaint said. Once a third party has access to a legitimate user’s SIM card data, it can “seamlessly impersonate that customer,” in communications, requesting account access, downloading backup files or contacting vendors, it said.
Individuals known to hold cryptocurrency are a “common target of SIM-swapping,” the complaint said, because account information is often contained on users’ cellular phones, which allows criminals to transfer a legitimate user’s cryptocurrency to an account the third-party controls, it said.
Despite heightened attention to SIM swapping by the media and government regulators, T-Mobile has not taken security "seriously enough" to prevent account takeovers, to keep SIM-swap schemes from increasing in prevalence on its network, to secure employee/dealer credentials, “or to convince themselves as a company to stop engaging in practices that violate their customers’ rights and federal law,” the complaint said. The carrier has “resisted any implementation of restrictive additional safeguards for consumers and instead engaged in a similar pattern of deferring both responsibility and blame for their own negligence towards their customers,” the complaint said.
In response to a 2021 FCC NPRM to amend CPNI and local number portability rules to prevent SIM swapping, T-Mobile asserted it had “policies in place to combat SIM swap and port-out fraud by empowering customers and deterring malicious actors, including account protection, monitoring, and rapid response to suspected frauds,” the complaint noted. It also said it “has robust protections in place to help prevent fraudulent SIM swapping and port-outs from occurring,” it said.
But the carrier “abjectly failed in its duty” to safeguard Marcos’ personal and financial information by providing unauthorized access to his account, confidential proprietary information and CPNI, the complaint said. It failed to follow security procedures, “including the written identity theft program required under the Red Flag Rule” and failed to sufficiently hire or supervise its employees or agents in order to prevent the SIM swap, it said. It also failed to notify Marcos of changes to his account “in a prompt manner” or to notify law enforcement, it said.
Marcos’ claims include violations of California’s Arbitration and Consumer Privacy acts and Unfair Competition Law; the Communications, Stored Communications, Computer Fraud and Abuse and Fair Credit Reporting acts; negligence; and civil aiding and abetting, the complaint said.
The plaintiff seeks a declaration that T-Mobile’s wireless customer agreement in its terms and conditions is “unconscionable, void against public policy, and unenforceable in its entirety,” the complaint said. Marcos asserts T-Mobile’s customer contract is one of “adhesion" imposed by T-Mobile upon a party with “no bargaining power.” The contract “is literally ‘take it or leave it,'” the complaint said.
Marcos seeks actual, incidental, consequential, statutory, treble and punitive damages, plus attorneys’ fees, legal costs, injunctive relief, sanctions and pre- and post-judgment interest, the complaint said. T-Mobile didn't comment Wednesday.