Communications Litigation Today was a Warren News publication.
'Cannot Guarantee Security'

Plaintiff Ignored Warning About Cyberattacks, Says T-Mobile Response to Suit

April 27, 2023 by Rebecca Day|Top News

An Illinois plaintiff’s claims fail, said T-Mobile's response to a February complaint that a Metro by T-Mobile store violated the Federal Communications Act (FCA) and Stored Communications Act (SCA) in a SIM card swap. T-Mobile filed a motion to dismiss (docket 2:23-cv-00271) the lawsuit Tuesday in U.S. District Court for Western Washington in Seattle.

Plaintiff Eman Bayani alleged he lost “thousands of dollars” in a “SIM swap scam” after third-party criminals hacked into his online cryptocurrency account and stole his digital currency (see 2303010030), said the complaint. Scammers transferred out more than $24,000 in cash reserves and bitcoin from Bayani’s Coinbase account after they “convinced T-Mobile to transfer access” to his cellular phone number from his registered SIM card to the scammers’ SIM card. Bayani also claims he owes the cryptocurrency company $2,706 that was unlawfully transferred from his bank account to Coinbase, said the complaint.

T-Mobile “was neither the thief, nor the cryptocurrency service,” said the carrier’s response. It's connected to the attack and Bayani’s loss is “only because Mr. Bayani chose to configure his cryptocurrency account to allow access, in part, through text message-based authentication,” T-Mobile said. The hackers leveraged “that configuration to defraud Mr. Bayani,” it said, by using an unauthorized SIM swap to intercept authentication codes Coinbase sent to the customer’s mobile phone number. That gave hackers “one of the pieces they needed to access his cryptocurrency account.”

Bayani’s allegations that Metro by T-Mobile owes him for the loss “ignore Metro’s warning” that it strives to protect customers from cyberattacks but “cannot guarantee security -- no wireless carrier can.” Metro’s terms and conditions (T&Cs) “even called out potential risks associated with using a Metro phone line to authenticate cryptocurrency accounts,” said the response, saying Metro has “little control over how customers choose to use their wireless service.” Bayani “decided to secure online accounts using his phone line, despite Metro’s disclosures and without Metro’s knowledge,” it said.

The court should dismiss Bayani’s claims because most are barred by the T&Cs, which require customers to assert any phone claims within a year, T-Mobile said. Its FCA claim fails because plaintiff can’t allege a “viable” FCA claim based on the SIM swap, and its SCA and Computer Fraud and Abuse Act claims fail because his conclusory allegations are “insufficient,” and factual allegations “do not fit those statutes,” he said. Negligence claims fail because Bayani can’t allege a “duty” that Metro breached, and the independent duty doctrine bars his claim “given the T&Cs,” it said.

Bayani’s Washington Consumer Protect Act claim fails, too, said the response, because the customer can’t allege a “per se” violation or unfair or deceptive conduct “based on disclosed risks he could have avoided,” the response said.

In his complaint, Bayani said T-Mobile is aware of the fraudulent practices by scammers, referencing warnings from the FTC and multiple lawsuits with similar allegations. The carrier "has long been aware of the security risks presented by its weak user credential structures and procedures," it said. The company "did not use readily available security measures to prevent or limit such attacks."