Spending a week in jail for a crime you didn’t commit is an extreme, but real consequence of South Africa’s lax enforcement of legislative provisions on SIM card security.
Durban-based Fezile Ngubane, a car wash worker, recently made headlines after he was wrongly imprisoned in connection with the tragic murder of 30-year-old Olorato Mongale.
The actual suspect was later killed in a police shoot-out. Investigations revealed the alleged mastermind had registered multiple SIM cards linked to various crimes, under false identities. While Ngubane was cleared after an unjust prison stay, the case has exposed the deep flaws in South Africa’s SIM card registration system and the ease with which false SIM registrations occur.
Though most South Africans are unlikely to be jailed over a SIM card registered incorrectly in their name, they should still be deeply concerned about SIM card security. Criminals can clone SIM cards to bypass banking security and two-factor authentication, accessing a person’s banking app on their cellphone. This could happen while the phone user is sleeping, allowing syndicates to clear out their bank accounts.
Part of this issue is that SIM cards contain unique identifying numbers and when these numbers are exposed — often because cards are sold “naked,” without secure packaging — criminals can easily create duplicates that mirror the original user’s SIM card. They can even do so before the card is resold to an unsuspecting customer.
In effect, the SIM card becomes the weakest link in digital and financial security.
The solution is simple: tamper-proof packaging. It would hide the identifying information printed on SIM cards, making cloning more difficult.
Phones are not just communication devices, they are financial devices used in banking. SIM cards, therefore, should be treated with the same care as bank cards. Instead, as an MP recently pointed out, they can be bought en masse, unregistered, for as little as R20.
Unfortunately, there have also been multiple reports this year of criminal syndicates mass-cloning cards for use in crime. Tamper-proof packaging may not eliminate these practices entirely, but it would remove the ease of access to thousands of unpackaged, unsecured SIM cards and therefore make bulk cloning operations far more difficult.
South Africans deserve to be safe from identity theft, banking fraud and wrongful arrest. The tools to fix this problem are within reach. What’s needed now is political will
Another major concern lies in how millions of prepaid SIM cards are incorrectly registered each year. The Regulation of Interception of Communications and Provision of Communication-Related Information Act, better known as Rica, governs this process. First, Rica requires that SIM cards must be correctly registered against a customer’s ID number. But enforcement of this is weak.
One longer-term solution is biometric registration, already implemented in emerging market countries such as India and Nigeria. These countries have managed to link SIM cards to a person’s fingerprints and their home affairs database. While that may take years to implement in South Africa, it is a long-term security possibility.
In the meantime, more immediate steps are needed, such as enforcing existing Rica provisions that SIM cards must be registered to the customers who use them.
One major loophole in Rica also allows mass incorrect registration of cards.
As a result, it’s estimated that at least 60-million unregistered or fraudulently registered SIM cards, usually prepaid cards, are released in South Africa annually.
Section 40 of Rica permits SIM transfers between customers, such as a parent activating a SIM for their child. But third-party distributors of SIM cards have exploited this clause to register as “customers.” This allows them to bulk-register cards in lists of names or 13-digit mimics of ID numbers and then later resell them. Distributors who earn airtime commission off SIM cards they sell are incentivised to sell as many as possible, regardless of how they are registered.
Legally, end users — the consumers — are required to update their registration details with mobile operators. In reality, this almost never happens.
The result is millions of SIM cards that are not linked to a real customer, leaving law enforcement unable to trace users of phones suspected of use in a crime. Police and prosecutors need SIM cards to be correctly linked to suspects, rather than wasting time being led in the wrong direction or being unable to identify suspects.
To prevent the incorrect registration of SIM cards, the department of justice, working with the department of communications, must act urgently. The Rica Amendment Bill is currently before parliament to discuss the constitutionality of surveillance aspects of the bill — but this review does not go far enough. Reforms must address how SIM cards are sold, monitored and secured.
Closing the loopholes that allow fraudulent bulk registration should be a priority. So too should making tamper-proof packaging mandatory. Perhaps, as the Independent Communications Authority of South Africa suggested recently in parliament, the government could consider linking SIM cards to biometrics in the long term.
South Africans deserve to be safe from identity theft, banking fraud and wrongful arrest. The tools to fix this problem are within reach. What’s needed now is political will.
• Hassim is the chief information officer at Securi-Tech SA, a firm that provides for the encoding, personalisation and security of SIM cards.
For opinion and analysis consideration, e-mail Opinions@timeslive.co.za
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.