The Independent Communications Authority of South Africa (ICASA) has submitted a sweeping proposal to tackle the problem of SIM card swapping attacks in the country, suggesting that local service providers should retain owners’ biometric data of mobile phone numbers.
In doing so, telecommunications companies like Vodacom and MTN could use the data to confirm that the person requesting a number porting action is the rightful owner.
SIM card swapping attacks are a multi-million dollar problem for all countries and service providers worldwide, allowing threat actors to transfer people’s numbers to attackers’ SIM cards, essentially hijacking accounts subscribers.
This attack aims to bypass multi-factor SMS authentication steps that protect valuable bank accounts and cryptocurrency wallets and take control of their victims’ assets.
Most vendors don’t have adequate protections to prevent this, and even when they do, it’s not uncommon for dishonest employees to manually replace them for a few hundred dollars.
ICASA believes that linking mobile numbers to subscribers’ biometric data will finally close all the gaps and end the problem of mobile number hacking.
The proposal, which has been submitted for public scrutiny until May 11, 2022, does not specify whether the biometric data will be fingerprints, face, voice, iris scans or a combination of these.
How the system will work
According to the proposal published yesterday by ICASAthe anti-SIM-swap system will work as follows:
- When activating a mobile number on a telco’s network (existing numbers will also be considered new), the licensee (service provider) must ensure that they collect and link the biometric data of the subscriber to the number.
- The license holder must ensure that he has the current biometric data of an assigned mobile phone number at all times.
- The biometric data collected by licensees must be used for the sole purpose of authenticating a user to whom a mobile number has been assigned.
- If a subscriber requests a SIM exchange (number port), the holder must ensure that the user’s biometric data matches that associated with the mobile number. Otherwise, the porting request must be refused.
The only category of persons exempted from the proposed regulation is that of legal persons, presumably for privacy and security reasons.
Ahmore Burger-Smidt, director and head of data privacy and cybercrime practice at Werksmans Attorneys in South Africa, told Bleeping Computer that ICASA’s proposal may very well be the only solution to cracking down on fraud. by exchange of SIM card.
SIM card fraud is unfortunately widespread in South Africa and mobile network operators do not know how to deal with it. In addition, the RICA legislation (Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002) imposes a positive obligation on mobile network operators to obtain certain data when selling a SIM card.
In a world of diverse laws, the broader legislative landscape should serve the public interest. It is undoubtedly in the public interest to prevent or at least aim to limit cyber fraud and therefore the collection of biometric information could very well serve the public interest. – Ahmore Burger-Smidt
The Case for Data Privacy and Security in South Africa
We’ve repeatedly covered news about telecom service providers being hacked by hackers, so a database containing sensitive biometrics that can’t be reset or changed poses a significant risk to tens of millions. mobile subscribers in South Africa.
Privacy advocates in the country are also concerned that the exclusive use for identity authentication is not strictly enforced and authorities or intelligence agencies may gain access to the database.
If the database contains facial scans and access is open to other entities, the country could essentially build a facial recognition, public identification and tracking system similar to that of China, with which the ruling party has special links.
South Africa is one of the countries where NSO’s Pegasus Spyware infections were discovered, while in 2019 it was revealed that the government was carrying out mass surveillance of internet traffic since 2008.
That said, concerns about privacy and misuse of data may be warranted and hopefully ICASA will consider the associated public comments and modify the proposal accordingly.