Lax Security Allowed 3 SIM Swaps on T-Mobile Customer's Number, Says Suit
Despite assurances from T-Mobile that it had implemented security measures to prevent additional SIM swaps of Abhishek Gurnani's wireless phone number, the carrier “did nothing to prevent future attacks,” alleged Gurnani's class action Tuesday (docket 1:24-cv-05088) in U.S. District Court for Northern Illinois in Chicago.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Gurnani, who has had a T-Mobile account for over 20 years, alleged he was the victim of three SIM swap attacks Dec. 28-Dec. 31, in which unauthorized third parties took over his phone number and used it to access his bank and other accounts. After the first attack, and prior to the subsequent ones, T-Mobile assured the Illinois resident that it had put security measures in place to prevent additional ones, the complaint said.
Gurnani’s phone displayed “SOS” in place of the typical signal strength meter on Dec. 28, indicating to him that his phone was no longer "properly registered" with T-Mobile’s cellular network and could only make emergency calls, which he called a symptom of a SIM swap attack.
Unauthorized third parties don’t require direct access, physically or digitally, to a user’s phone’s SIM card to port out the phone’s “identity” onto a second SIM card because cellular providers can do a port remotely, noted the complaint. That means a “persuasive, angry, or persistent hacker” can convince a customer service agent to transfer a phone number to a new device, or, some hackers “bribe wireless provider employees to obtain or bypass a user's account password,” alleged the complaint.
As soon as the phone number is transferred to the hacker's SIM card, the hacker begins resetting passwords on the user's digital accounts using text message codes, the complaint said. “Then, account by account, usually starting with e-mail, the hacker gains control of the user's information, content, and assets,” it said. A SIM swap isn’t “technically sophisticated,” the complaint said, saying it requires only persuasion or persistence, “or an unscrupulous employee.”
Gurnani had a personal identification number (PIN) associated with his SIM card, and T-Mobile assured him his SIM card couldn’t be ported unless the PIN was entered, alleged the complaint. He learned later that in the first attack, T-Mobile’s customer service agents “were persuaded by the unauthorized third party into allowing his SIM card to be ported out without the PIN,” the complaint alleged.
After discovering the swap, Gurnani “immediately drove to the nearest T-Mobile store” and was able to “lock down his phone number and cut off the SIM swap attack,” alleged the complaint. He then spent several hours discussing the attack with T-Mobile customer care and fraud teams, who confirmed that his SIM information had been ported to another phone, the complaint said. T-Mobile agents “assured him that his account had been assigned a code word that, along with other security measures, would protect him from further attacks,” it said. At about the same time, Gurnani learned that his Chase bank account had been accessed and someone ordered checks without his permission, it alleged.
A similar scenario played out the next day, when customer service agents again were “persuaded to port out his number, knowingly and with gross negligence ignoring the code word and other security measures now supposedly attached” by T-Mobile to Gurnani's account, the complaint alleged. He returned to the T-Mobile store to “to try to wrest control of his phone number from the unauthorized third party” and spent “at least” 10 hours the next day communicating with T-Mobile and getting assurances that additional security notes and procedures had been added to his account, it said.
On Dec. 31, a third SIM swap attack occurred, but Gurnani wasn’t able to go to a T-Mobile store to stop the attack because of the New Year's holiday, leaving him “stuck waiting on hold, watching as the unauthorized third party gained access to his various accounts, along with his PayPal,” it said. When banks were open for business on Jan. 2, the plaintiff learned that unauthorized third parties attempted to cash a $50,000 check against his account, a $5,000 transfer was initiated by Zelle, and over $100,000 in transfers were initiated for wire transfers, plus other attempts.
When Gurnani reached T-Mobile customer service, he was told someone claiming to be his employee requested that the plaintiff’s number “be ported out to another phone regardless of any security measures placed on his account,” a request that T-Mobile “fulfilled,” alleged the complaint. The fraudster was still on the line with customer service when Gurani called and because T-Mobile had granted the individual access to his account, it “could not honor Mr. Gurnani’s unilateral request to lock down his phone number and put an end to the SIM swap attack,” alleged the complaint. Instead, T-Mobile told the plaintiff that, “prior to locking down his phone number, it would first need to check with the scammer.”
In a subsequent conversation with T-Mobile’s consumer response team, Gurnani was told the fault was with the culture the defendant “fostered, and the training it provided,” at its Philippines customer service center. “Employees there did not want to disappoint customers, and thus could be swayed with a 'sob story,’ even where the caller lacked adequate credentials,” said the complaint.
Between the first December SIM swap attack and the beginning of March, Gurnani spent at least 160 hours “taking necessary steps to try to address the vulnerabilities caused by Defendant’s failure to prevent the SIM swap attack,” including speaking with T-Mobile customer service, monitoring his credit and accounts, getting a new drivers’ license, filing a police report, setting up new bank accounts, and “generally documenting and attempting to reset his life so that any compromised information that the unauthorized third parties had gained access to would have limited value going forward,” said the complaint.
Gurnani continues to spend time dealing with the effects of T-Mobile’s “failure to protect his data, including changing over auto-payments to his new accounts, and trying to ensure that communications go to his new phone number,” the complaint said. The carrier initially refused to keep the plaintiff’s number in quarantine for a sufficient period while he could “fully secure his digital presence,” it said. It then agreed to keep the plaintiff’s number private “for the time being,” but at a cost of $120 monthly for a private line, the complaint said.
Gurnani asserts violations of the Communications, Stored Communications, and Computer Fraud and Abuse acts; the Illinois Personal Information Protection and Consumer Fraud and Deceptive Business Practices acts; negligence; and negligent hiring, retention, training and supervision. He seeks for himself and class members actual, statutory, punitive and consequential damages; pre- and post-judgment interest; injunctive relief; and attorneys’ fees and costs.