The Independent Communications Authority of South Africa (ICASA) has submitted a radical proposal to tackle the problem of SIM swapping attacks in the country, suggesting that local service providers should keep biometric data of cellphone number owners.
By doing so, telecommunication firms like Vodacom and MTN would be able to use the data to confirm the person asking for a number porting action is the legitimate owner.
SIM swapping attacks are a multi-million problem for all countries and service providers globally, allowing threat actors to port people’s numbers to attackers’ SIM cards, essentially hijacking the subscriber accounts.
The attack aims to bypass the SMS-based multi-factor authentication steps that protect valuable banking accounts and cryptocurrency wallets, letting attackers take control of their victims’ assets.
Most providers don’t have adequate protections to prevent this, and even when they do, it’s not uncommon for rogue employees to manually override them in exchange for a few hundred USD.
ICASA believes that associating mobile numbers with subscriber biometric data will finally close all loopholes and end the cellphone number hijacking problem.
The proposal, which is open for public review until May 11, 2022, does not clarify if the biometric data will be fingerprints, facial scans, voice, iris, or a combination of those.
How the system will work
According to the proposal published yesterday by ICASA, the anti-SIM-swap system will work as follows:
- On activation of a mobile number on a telco’s network (existing numbers will also be considered new), the licensee (service provider) must ensure that it collects and links the biometric data of the subscriber to the number.
- The licensee must ensure that they hold the current biometric data of an assigned mobile number at all times.
- The biometric data collected by the licensees must be used for the sole purpose of authentication of a user assigned a mobile number.
- If a subscriber requests a SIM swap (number port), the licensee must ensure that the user’s biometric data match those associated with the mobile number. If not, the porting request must be declined.
The only category of people exempted from the proposed regulation is juristic persons, probably for privacy and safety reasons.
Ahmore Burger-Smidt, the Director and Head of Data Privacy and Cybercrime Practice at Werksmans Attorneys in South Africa, told Bleeping Computer that ICASA’s proposal might very well be the only solution to crack down on SIM swap fraud.
SIM card fraud is unfortunately rife in South Africa and mobile network operators are at a loss on how to deal with this. In addition, the RICA legislation (Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002) places a positive obligation on mobile network operators to obtain certain data when a SIM card is sold.
In a world with various pieces of legislation, the broader legislative landscape should serve the public interest. It is undoubtedly in the public interest to prevent or at least aim to limit cyber-fraud and therefore collecting biometric information could very well serve the public interest. – Ahmore Burger-Smidt
The case of data privacy and security in SA
We have repeatedly covered news about telecommunication service providers being breached by hackers, so a database containing sensitive biometric data that can’t be reset or changed poses a significant risk for tens of millions of mobile subscribers in South Africa.
Privacy advocates in the country also fear that exclusive use for identity authentication won’t be strictly enforced and that authorities or intelligence agencies could be given access to the database.
If the database holds facial scans and access is opened to other entities, the country could essentially build a facial recognition, public identification, and tracking system similar to that in China, with whom the governing party has special ties.
South Africa has been among the countries where NSO’s Pegasus spyware infections were found, while in 2019, it was revealed that the government had been performing mass surveillance on internet traffic since 2008.
Also, the government had previously attempted to pass an all-powerful communications interception law (RICA), something that was scrapped only when a high court in the country ruled it was unconstitutional.
All that said, concerns about privacy and data misuse may be justified, and hopefully, ICASA will consider the associated public feedback and amend the proposal accordingly.
Source: https://www.bleepingcomputer.com/news/security/south-africa-wants-to-fight-sim-swapping-with-biometric-checks/