
How weak SIM checks enable widespread banking and social media fraud


JEREMY MAGGS: South Africa is losing billions of rand to SIM swap fraud every year, raising urgent questions about whether SIM registration rules are simply too weak for a digital banking age. To discuss how this fraud works, why existing safeguards are failing, and whether biometric SIM registration could in fact help close the gap, I’m joined by Johan van Graan, who is a telecoms security expert, former chief risk officer at Vodacom.

Johan, a very warm welcome to you. Maybe just a quick primer for us. A quick background here. How does SIM swap fraud usually work in practice? What’s happening here?

JOHAN VAN GRAAN: Jeremy, thank you. SIM swap fraud is the enabler that the criminals use to intercept a one-time password (OTP) to take over a social media account. The actual fraud is by accessing the internet banking where they have previously phished the Pin (personal identification number) and password of a customer, sending WhatsApp messages to say "I need money, please send money". So the SIM swap fraud is where the SIM is fraudulently swapped, but the actual fraud takes place outside the telecoms network.


JEREMY MAGGS: Johan, why is this then such an effective crime in South Africa?

JOHAN VAN GRAAN: It’s because we are gullible. We give away our Pins and passwords. We want to invest. We enable the criminals to be able to get our personal information. And with our Rica Act (Regulation of Interception of Communications and Provision of Communication-Related Information), it’s written at the moment for telecom networks, it’s very difficult when a SIM swap is requested to validate that it’s the actual customer, user, owner of that cell phone number who’s doing the SIM swap.


That’s why I’m advocating to change the Rica Act for biometric recognition to be included at time of registration.

I propose facial recognition because that works in the banking sector for Fica (Financial Intelligence Centre Act). Then when a SIM swap does take place, the networks must use that facial recognition to validate the SIM swap.

So this will stop the fraudulent SIM swap, and it should vastly reduce internet banking fraud, social media account takeover fraud. It won’t stop it 100%, but it will reduce it.

JEREMY MAGGS: How big a weakness, and I want to get to the facial recognition in just a moment, but how big a weakness is the current Rica process then? And why are existing checks not stopping criminals? Where’s the flaw here?

JOHAN VAN GRAAN: The flaw is, maybe if one can say, that the Rica Act is twofold: the interception portion, with the previous changes a few years back on journalists and lawyers, is most probably in the top five in the world. But the customer registration portion is in the bottom five in the world. What the act asks is: Mr Customer, walk up to a Rica agent; the Rica agent looks at the ID presented, looks at your face, and freehand captures the name, the ID number or passport number, and the address.

There’s no validation of the information. No copy of the IDs is kept. None of that information is kept.

The networks have tried for postpaid customers: because they do credit vetting, they can get that information, and they use it, and they are covered in using facial or other biometric recognition. But the big problem is that 80% of our customers in South Africa are prepaid, so there is no effective validation for when there is a SIM swap.


JEREMY MAGGS: Johan, do you think biometric SIM registration would actually change the game or just make things a little bit harder?

JOHAN VAN GRAAN: I think it’s a total game changer. It’s not that it will make it harder. It will definitely change it dramatically. The so-called pre-Rica SIMs most probably will disappear to a large extent. Specifically, if one also changed the act to say a South African ID may only have ten cell phone numbers, a passport number may only have one.

The networks have the technology to enforce it, so pre-Rica SIMs will stop. Also, because the biometrics is needed at time of SIM swap, it will definitely, I would say 99% reduce SIM swap fraud.

JEREMY MAGGS: Is the technology to do this already widely available?

JOHAN VAN GRAAN: Yes, it’s already widely available. Banks use it extensively, other people use it extensively, all the network operators use it for postpaid customers. In their apps they have self-Rica or Rica-a-friend, it works, it’s there. The problem is that by law, you can’t compel a customer to give a copy for a Rica registration specifically for prepaid.

JEREMY MAGGS: Where do you think the logjam then is in implementing a system like this? Would it be with the regulator? Would it be with the networks themselves, or would there be customer pushback?

JOHAN VAN GRAAN: I think it's with the regulator. When we were grey listed by the FATF (Financial Action Task Force), this was one of the instances that was identified. I was personally present in a meeting with the then Minister of Justice, Ronald Lamola, where he asked the networks to come up with a solution. Through the ECA (Electronic Communications Act) the networks have done it, and they have proposed it to government.


I just think the logjam is that it’s lying somewhere in the legislature change process. It’s not important enough or there aren’t people who can rewrite the act.

The networks will welcome it, because I think it will reduce the so-called washing machine effect, where 60% of the prepaid SIM cards are recycled every year. There may be pushback from customers, but I think from the genuine normal customer, there won’t be pushback.

For instance, there are about 300 000 or 400 000 people every month whose phones get stolen. They want to get their life back. For them just to do a SIM swap, they go to a network operator or on a smartphone, via an app, you take a photo of the live person, and they’ve done a SIM swap. They get their SIM back and their life back.

JEREMY MAGGS: Just a final question, and a brief answer, the telecom operators themselves, is it unfair to say that they might be partly responsible for either leaving or not identifying this loophole open for so long?

JOHAN VAN GRAAN: It's very difficult to say. I would say yes, for the first ten or 15 years, most probably, of the Rica Act that was promulgated in 2002, everything worked fine. But then, with the digital economy that started, fraud has taken place. SIM swaps are the enabler. But then the operators can't change the act, can't force someone to hand over an ID, can't force compulsory SIM swap validation via biometrics.

JEREMY MAGGS: Thank you very much indeed. Johan van Graan, telecoms security expert, the former chief risk officer at Vodacom.
