The Spanish Data Protection Agency (AEPD) has imposed millions of euros in fines on the main mobile operators over the well-known SIM swapping fraud. In short, it is a scheme in which criminals request a duplicate of your SIM card in order to impersonate you. The real goal is to obtain the credentials for our bank accounts, which is usually not difficult once the attacker controls the user's phone number. The curious thing is that the operators have been fined for not protecting the data properly, but the banks have not. Why?
At ADSLZone we have already explained on occasion how to protect your mobile SIM from hacker attacks. In this case, we focus on SIM swapping, the fraud or scam by which criminals manage to hijack or duplicate your SIM card. Using various tricks, they pass themselves off as us and obtain a duplicate of the card at one of the operator's stores. The data needed to impersonate us is usually obtained through phishing, that is, through fake websites or applications that pretend to be legitimate and ask us to enter data that is then stolen. From that moment, with the data in their possession, they can use it to reset access passwords. The duplicate SIM then lets them receive the verification codes sent by financial institutions.
Fines between 70,000 euros and 3.94 million euros
The Spanish Data Protection Agency (AEPD) has imposed fines of between 70,000 euros and 3.94 million euros on the main operators in our country for breaching various articles of the data protection regulations. In total, 5.81 million euros for very serious infractions, including 3.94 million euros for Vodafone, 770,000 euros for Orange, 900,000 euros for Telefónica and 200,000 euros for the MásMóvil Group.
From notification of the resolution, the operators have a period of two months to present their arguments. In fact, we have learned that they will do so, since they do not consider the sanction fair for several reasons. Among them, being blamed for the inadequate security of the banking entities that, in one way or another, allow these thefts of money.
Why haven’t banks been fined?
Among the allegations that we can read in the resolution of the AEPD we find the following:
“The responsibility of the telecom operators for cases of identity theft in requests for duplicate SIM cards cannot extend to the banking operations that may be carried out as a result of the banking entities' security measures being inadequate. One cannot be held responsible for the security of third parties' information merely because they use telecommunications services.”
The operators admit their share of the “blame” in the matter, but point out that they cannot be the only ones held liable. They argue that the sanctions should be distributed among all the actors who, in one way or another, could have done more to prevent this fraud. In fact, SMS-based two-factor authentication has been shown to be one of the least secure forms of authentication when compared with security keys or code-generating apps.
Beyond this, the truth is that banking entities should strengthen their security measures in some way so that these bank account robberies are not so simple. Two-factor authentication through a security application, more precise detection of logins from different IP addresses, trusted devices… there are many options available to them.