Mobile operators fined for fraudulent duplication of SIM cards

All the major mobile operators in Spain have been fined for not protecting their customers' personal information and for facilitating the duplication of SIM cards.
The fines of 5.81 million euros were issued by Data Protection, which says the companies did not do enough to prevent SIM swapping, a fraud in which a duplicate of a SIM card is obtained without the consent of its owner in order to impersonate them.
The duplicates are also used to access confidential information on social networks, instant messaging, email and banking apps.
Cybercriminals in possession of a duplicate SIM can receive confirmation codes that allow them to conduct transactions over the internet, and in the process defraud the owner.
The Spanish Association for Data Protection (AEPD) began the investigation approximately two years ago after receiving complaints and in response to the publicity such activity was receiving in the media. The investigation sought to understand where responsibility lay. That resulted in the mobile operators being fined for taking insufficient steps to avoid fraudulent duplication.
“The companies have committed a very serious infringement,” according to the AEPD, under the Organic Law on Protection of Personal Data and guarantee of digital rights, with regard to how they manage the processing of the data provided by their clients.
The mobile operators hold a different view, saying they are also victims of the fraudsters, with such practices harming their public image and customer relationships.
They told El Español that: “The sanction imposed by the AEPD is clearly disproportionate, considering the number of cases in which this type of fraud materialises, so these are exceptional incidents that cannot question the high security standards with which they are treated, the personal data of the clients.”

Mobile operator fines

Vodafone received the highest fine of 3.94 million euros, with criminals stealing more than 17,000 euros from the current account of one of the company’s clients.
In its resolution, the AEPD considers Vodafone’s security policy insufficient for the adequate protection of the fundamental rights of people whose SIM cards have been fraudulently duplicated. Furthermore, it points out that the data collected shows that this policy does not fail only in isolated cases, as the operator argues, and accuses the company of having “reactive” and not “proactive” conduct, as required by the RGPD.
Telefónica received the next largest fine at 900,000 euros, with one customer losing 28,000 euros. Orange received two fines, one of 70,000 euros and another of 700,000 euros. A Simyo client had a loan requested in their name for 43,000 and a user lost 5,000 euros.
MásMóvil received a fine of 200,000 euros after taking into account the ex officio investigation and two complaints from customers who reported unauthorized withdrawals of money at ATMs or bank transfers.

Mobile operators claim no liability

The mobile operators claim that with SIM swapping, cybercriminals can access the confirmation keys for making bank transfers. For this reason, they consider that this security design is the responsibility of the banks, since the telephone operators do not intervene or have any relationship.
In addition, they add that the perpetration of this type of crime requires the prior obtaining, by deception, of the victim’s bank passwords, that is, through “phishing”, “so holding the operators responsible for the commission of these crimes is inadmissible.”
Whilst trying to lay blame elsewhere, they have also gone on record to say they will continue “updating and reinforcing their protocols” to improve and optimise them in an effort to deal with the increasingly complex and diverse threats that criminals develop against information security.
The disagreement about responsibility is likely to rage on as the mobile operators say it’s not their fault despite being fined for not doing enough to prevent the fraudulent duplication of SIM cards.



Written by

Peter McLaren-Kennedy

Originally from South Africa, Peter is based on the Costa Blanca and is a web reporter for the Euro Weekly News covering international and Spanish national news. Got a news story you want to share? Then get in touch at editorial@euroweeklynews.com.
