
Joint Responsibility of Bank and GSM Operator in SIM Swap Attack

15 February 2026 · Fraud and IBAN Victimization · 4 min read · Last updated: 9 May 2026

A SIM swap attack (SIM card duplication / cloning) begins with the perpetrator using social engineering to convince the GSM operator's call center or dealer to transfer the victim's line to a new SIM card. The attacker then receives the victim's SMS messages, captures the bank's 2FA OTP codes, logs into online banking and empties the account.

This article discusses the legal liability of the GSM operator and the bank in SIM swap victimization within the framework of general legislation. The outcome depends on the specific case; joint liability may not be established in every case.

  • Electronic Communications Law No. 5809 and BTK regulations — operator's KYC and line transfer procedure obligation
  • Debit Cards and Credit Cards Law No. 5464 and general banking regulations — the bank's security duty of care
  • Consumer Law No. 6502 — consumer court action, defective service
  • TBK No. 6098 Art.49 et seq. — Tort liability

GSM Operator's Responsibility

The operator must carry out the identity verification procedure without error during the line transfer process. The following situations may be held against the operator:

  • Transfer with fake identity or fictitious power of attorney
  • Sending a new SIM when authentication questions are insufficient at the call center
  • Transactions made at the dealer without a photocopy of ID or a wet signature
  • Ignoring the victim's "suspicious transaction" alarms

Bank's Liability

The bank is likewise expected to maintain multiple security layers. Points evaluated within the framework of the jurisprudence of the 11th Civil Chamber of the Supreme Court of Appeals:

  • Weak 2FA architecture based on SMS-OTP only
  • No device fingerprint tracking
  • Behavioral analytics and geolocation inconsistency warnings not working
  • No additional (out-of-band) verification for high-value one-off EFTs
  • Failure to stop the process quickly in the flow of "new device identification → password change → high amount transfer"
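The last item describes a sequence a bank's fraud engine can recognize before the money leaves. The following is an added illustration, not part of the original article or of any bank's system: the event names, the 24-hour window, the amount threshold and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the article); a real bank tunes these.
WINDOW = timedelta(hours=24)   # how long a newly registered device stays "new"
HIGH_AMOUNT = 50_000           # transfers at or above this need extra checks

# Constructed sample events: (timestamp, account, event, device id, amount)
EVENTS = [
    ("2026-02-10T02:10:00", "acct-1", "device_registered", "dev-N", 0),
    ("2026-02-10T02:14:00", "acct-1", "password_change", "dev-N", 0),
    ("2026-02-10T02:20:00", "acct-1", "transfer", "dev-N", 180_000),
    # Long-known device, no registration event: normal customer behaviour.
    ("2026-02-10T11:00:00", "acct-2", "transfer", "dev-K", 90_000),
    # Same flow, but the transfer comes three days after registration.
    ("2026-02-10T08:00:00", "acct-3", "device_registered", "dev-P", 0),
    ("2026-02-10T08:05:00", "acct-3", "password_change", "dev-P", 0),
    ("2026-02-13T08:00:00", "acct-3", "transfer", "dev-P", 70_000),
    # Same flow, but a low amount.
    ("2026-02-10T09:00:00", "acct-4", "device_registered", "dev-Q", 0),
    ("2026-02-10T09:02:00", "acct-4", "password_change", "dev-Q", 0),
    ("2026-02-10T09:05:00", "acct-4", "transfer", "dev-Q", 500),
]

def transfers_to_hold(events, window=WINDOW, high_amount=HIGH_AMOUNT):
    """Return (account, timestamp) for every high-value transfer that follows
    'new device -> password change' on the same device inside `window`.
    Such transfers should be held pending out-of-band verification."""
    state = {}   # account -> newest device registration still inside the window
    held = []
    for ts, acct, kind, device, amount in sorted(events):
        now = datetime.fromisoformat(ts)
        s = state.get(acct)
        if s and now - s["registered"] > window:
            state.pop(acct)      # the device is no longer considered new
            s = None
        if kind == "device_registered":
            state[acct] = {"device": device, "registered": now, "pw_changed": False}
        elif kind == "password_change" and s and device == s["device"]:
            s["pw_changed"] = True
        elif kind == "transfer" and amount >= high_amount:
            if s and s["pw_changed"] and device == s["device"]:
                held.append((acct, ts))
    return held

if __name__ == "__main__":
    for acct, ts in transfers_to_hold(EVENTS):
        print(f"HOLD {acct} transfer at {ts}: require out-of-band verification")
```

Only the acct-1 transfer is held; the other three accounts show why each condition (new device, time window, amount) is needed to keep false positives down.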

Joint Liability Setup

The practical strategy in SIM swap cases is to file parallel proceedings against both institutions. The court can determine the fault of both institutions and apportion the compensation according to their fault rates. Typical case structure:

  • Claim against the bank and the operator before the Consumer Arbitration Committee / Consumer Court
  • Complaint to the Chief Public Prosecutor's Office against the perpetrator, TCK Article 244, Article 245, Article 158/1-f
  • Forensics report — revealing attack vector and timeline

Victim's Liability

The victim must also have taken reasonable care. In cases such as "I gave my password to someone else" or "I clicked on the phishing link and shared my information", bank/operator liability is reduced. The following behaviors are evaluated in your favor:

  • Enabling transaction notifications in the bank application
  • Not sharing passwords
  • Calling the operator and the bank as soon as the phone becomes disconnected
  • Recording suspicious SMS messages and calls

Collection Expectations

The possibility of collection in SIM swap cases depends on the timely detection of the attack, whether the money can be frozen before it circulates through chains of accounts, and the fault rates of the two institutions. No definite promise of repayment can be made. When joint liability is established, fault rates are generally determined by the court's evaluation of the concrete evidence.

Preventive Steps

  • Have the "line transfer lock" / "additional security PIN" activated by your operator.
  • If there is an application-based OTP or device confirmation option instead of SMS in the bank application, choose it.
  • If the phone suddenly becomes disconnected, call your operator and bank immediately.
  • For high-value transactions, agree on a reduced daily transfer limit with your bank.

Conclusion

SIM swap victimization is a multi-pronged legal process that must be pursued not against a single institution, but against the trio of bank + operator + perpetrator. Early detection and parallel applications increase the probability of collection; the outcome is different in each case.

Sources and references

In preparing this article, official legislation and high court sources were taken as the basis.
