Forcing mobile phone networks to collect biometrics fails to solve South Africa’s massive fraud problem

The Communications Risk Information Center (Comric) says that relying solely on collecting customer biometric data to stop SIM spoofing scams will not work.

Comric is a non-profit organization created by MTN, Cell C, Telkom, Vodacom and Liquid Intelligent Technologies.

Its purpose is to identify, prevent and mitigate risks in the South African telecommunications industry.

In March 2022, the Independent Communications Authority of South Africa (Icasa) published a draft regulation that would require mobile network operators to collect biometric data from subscribers.

Icasa said these rules will reduce cases of mobile number hijacking through fraudulent SIM swapping and number porting.

South African Banking Risk Clearinghouse criminal statistics showed that fraudulent SIM-swapping incidents almost doubled in 2020 – from 11,646 in 2019 to 22,285 in 2020.

Fraudsters use these methods to gain control of victims’ mobile phone numbers and gain access to their internet banking applications.

In response to Icasa’s proposed rules, Comric met with all the country’s mobile network operators to explore the implications and feasibility of collecting biometric data.

MyBroadband asked Comric what consensus the mobile operators came to during the forum.

“Because biometric data is specified as [Icasa’s] solution [to fraudulent SIM swaps]the telecommunications industry would like to explore alternative solutions,” said Comric CEO Vernall Müller.

“Biometrics is just one of many strategies that can be used: requiring operators to implement only biometrics is to use a unified approach that is not a silver bullet.”

While Comric members agree that SIM spoofing is a problem, they said other issues need attention in the short to medium term.

“Less than one percent of SIM card swaps made annually are fraudulent,” Komrik said.

“SIM spoofing is just one problem, while identity fraud is much more problematic.”

Komrik noted that the telecommunications industry already has a specific workflow in place to reduce fraudulent SIM card spoofing and put in place mitigation measures.

In addition to being too limited, Komrik says there are several problems and limitations in collecting biometric data from subscribers.

“For operators that use direct customer contact points in South Africa in informal and rural areas, the introduction of biometrics will have huge financial implications and logistical challenges,” Comrick said.

“Operators using wholesale channels do not appoint their own agents in the distribution channels, which means that they do not control or see the implementation of biometrics,” the association added.

“If the changes proposed by Icasa are adopted, significant changes to existing systems and databases will be required.”

Thus, the participants of the forum agreed that they should provide Icasa with a timetable for the implementation of biometric data.

“Deployment must be done in a flexible manner where operators are given leeway to decide what is best for all consumers,” the association said.

“In the meantime, the telecommunications industry, Comric and ICASA should continue to work together to determine the core of the problem we want to solve, identify temporary solutions and develop a long-term plan for the implementation of biometrics.”

Now read: Vodacom and MTN may soon be forced to collect your biometric data