This February I found myself in Block C of Pinmill Farm, which forms part of the Independent Communications Authority of South Africa’s (Icasa’s) Sandton head office.
The reason? The regulator was conducting public hearings as part of its Number Portability Inquiry.
MTN was represented by Jeff Blake, who maintained that there was a major problem with “unauthorised” and “illegal” porting.
Blake argued for the introduction of an SMS notification that is sent to a consumer, asking them to confirm the port request as an extra safeguard.
“There is nothing worse than a frustrated customer or consumer who finds out he has been ported without his consent,” Blake told the hearing.
“Your SIM card is tied to your life. How can it be taken away from you?”
Blake’s comment underscored something that I had been concerned about for a while. As we use our phones in more and more aspects of our lives, were they not becoming a giant security risk?
Once someone has control of your phone or SIM card, to what extent can they control your life?
News reports from the past two years make it clear that the SIM card has become a vital tool for online banking fraud syndicates.
In May this year the news site MyBroadband.co.za reported that there was a big security flaw in cellular networks and that this flaw was being exploited for online banking fraud.
The tech site identified the flaw as being in international telecoms standard Signalling System No. 7 (SS7) and said this issue had initially been flagged as early as 2007.
It reported that hackers could use this weakness to read consumers’ SMS messages, which made one-time-pins sent via SMS less secure.
In 2016 the banking ombud received 138 complaints about internet banking fraud involving SIM swaps. By the end of the first half of 2017, it had received 160 such complaints; this is clearly a form of fraud that is rapidly on the rise.
But this is not just a local problem.
According to The New York Times, the US Federal Trade Commission, whose chief technical officer was himself a target of such a scam, reports that such incidents have increased from 1 038 cases in January 2013 to 2 658 cases in January 2016.
The newspaper reported that most often those targeted are individuals with valuable online banking accounts, most often involving holdings in virtual currencies like Bitcoin.
Bitcoin entrepreneur Joby Weeks is quoted in the article as saying: “Everybody I know in the cryptocurrency space has gotten their phone number stolen.”
Getting back to South Africa, last October Rapport stated that the Hawks were investigating the possibility that a syndicate had gained access to Absa clients’ online banking details, and were busy stealing millions from these accounts.
The newspaper said that there were 36 similar cases in which Absa customers’ money was transferred to a Capitec account, after SIM-swap fraud took place.
That month it was also reported that a crime syndicate had infiltrated Vodacom in order to perform SIM-swap and internet banking fraud.
It was reported that Vodacom call centre agents had been recruited to help with illegal SIM swaps. The telecoms operator had launched an investigation.
In April attorney Johan Victor publicly stated that crime syndicates had infiltrated banks and mobile operators in SA, and were assisting in SIM swaps and online banking fraud.
Victor was representing a group of people who had lost millions due to internet banking fraud.
In July it was reported that a foiled attempt to steal R100 000 from the Absa account of a customer, which involved a SIM swap of a Vodacom number, resulted in a R26 000 settlement.
Vodacom called the payment a “goodwill gesture”.
A week later Rapport detailed an internal Vodacom investigation that had found that some of its agents worked with a crime syndicate, operating from a Johannesburg prison, to perform SIM swaps and commit internet banking fraud.
The investigation found that the login details of a Vodacom agent had been stolen by another agent, who had used it to log into the system and perform SIM swaps.
While this news of ongoing online banking fraud in SA made headlines in July, Icasa released the report from its public hearings into number portability from February.
The report states that the current system to validate port requests from prepaid subscribers may not be secure enough.
It also says that international experience suggests that it would be beneficial to add another security step to the existing process that would confirm authorisation of the port by the subscriber.
But Icasa said mobile operators disagreed on the best way to ensure the port requests are authentic and come from the subscriber.
Some suggestions have included an extra confirmation SMS and a one-time pin. But considering what has been reported in the cases of online banking scams that rely on SIM swaps, will these measures really protect the public against fraud?