
With cybercrime becoming increasingly sophisticated, the Spanish justice system has issued a ruling, to which EL PAÍS has had access, that sets a fundamental precedent for consumer protection in the digital age. In a decision of great legal significance, the Court of First Instance number 44 of Madrid has ordered the operator Vodafone (through its Lowi brand) and the bank WiZink to jointly compensate a user who was the victim of financial fraud. The award comes to more than 4,000 euros, corresponding to the money stolen from the user's accounts using the technique known as SIM swapping, or fraudulent duplication of the telephone card.
The relevance of this case, brought with the backing of the Association of Financial Users (Asufin), lies in its finding of shared responsibility. Until recently, case law tended to focus mainly on the responsibility of banks as custodians of their clients' capital. However, this ruling reinforces the thesis that not only financial entities must answer for fraud, but also any technological intermediary whose negligence in its security protocols facilitates the commission of the crime. In this case, the telephone operator is a key part of the mechanism that allowed the theft.
A security hole
The fraud suffered by the plaintiff was based on false portability. According to the proven facts, a third party other than the owner got Lowi to issue a duplicate of the user’s SIM card without their consent. With control of the telephone line in his hands, the criminal was able to intercept the text messages (SMS) that the bank sends to authorize operations, thus managing to empty the affected person’s accounts.
The judge of Court of First Instance number 44 of Madrid has been especially harsh in her arguments against the telephone operator. In the text of the ruling, the company is explicitly reproached for imposing "really lax" requirements for processing portability requests and issuing duplicate SIM cards. The judge emphasizes that, unlike other operators with stricter protocols, in this case the requirements were limited to simply indicating a postal address. Since reliable identification was not required upon delivery, anyone could receive the new card, which the ruling describes as an "enormous lack of security."
This oversight is critical today, since almost all modern banking operations are linked to the mobile device as a second authentication factor. Therefore, the ruling establishes an obvious causal link between the negligent conduct of the operator and the success of the bank fraud. It should be remembered that Vodafone already has a history of sanctions for this reason; the Spanish Data Protection Agency (AEPD)
For its part, WiZink is not exempt from blame either. The court indicates that the bank failed to comply with its obligations regarding enhanced authentication for payment services. Current regulations require that, to validate an operation, several independent security elements be satisfied. In this case, the bank overlooked that the "possession" element was failing, that is, that the device validating the operations was not that of the legitimate owner. By not detecting this anomaly in the verification process, the bank allowed fraudulent charges to be made for a total value of 4,047 euros, an amount that must now be returned to the client along with the corresponding interest.
This court ruling comes at a time of great political and social concern about financial cybersecurity. Asufin has taken advantage of this judicial success to urge the Forum of Good Financial Practices, created by the Ministry of Economy, Commerce and Business in 2022, to treat fraud as one of the most pressing problems for citizens. The problem has escalated to such a point that the Minister of Economy, Carlos Cuerpo, announced on December 10 the creation of a specific anti-fraud brigade. This new unit will have the direct involvement of the telecommunications sector, thus recognizing that the problem is not merely a banking one but cuts across sectors.
The Madrid court's ruling sends a clear message to large corporations: the security of data and communication lines is not a secondary matter, but a legal obligation. The joint judgment forces both banks and operators to reinforce their security defenses, under penalty of having to bear the economic cost of the crimes that their lack of rigor allows to be committed. For the user, this ruling represents a ray of hope and a means of protection in the face of growing vulnerability in the digital environment.
