South Africa has proposed collecting biometric information from people when they purchase SIM cards in order to thwart SIM swap attacks. In these attacks, scammers request replacement SIM cards they use to intercept legitimate one-time passwords (OTPs) and authorize transactions. According to the FBI, these fraudulent transactions totaled over $68 million in 2021. However, the privacy implications of South Africa’s proposal don’t sit well with experts. “I sympathize with the providers looking for a way to stop the very real problem of SIM swapping,” Tim Helming, security evangelist with DomainTools, told Lifewire via email. “But I’m not convinced [collecting biometric information] is the right answer.”

Wrong Approach

Explaining the dangers of SIM swap attacks, Stephanie Benoit-Kurtz, Cybersecurity Expert at the University of Phoenix, said a hijacked SIM could enable bad actors to break into virtually all your digital accounts, from emails to online banking.

Armed with a hijacked SIM, the hackers can send ‘Forgot Password’ or ‘Account Recovery’ requests to any of your online accounts associated with your mobile number, and reset the passwords, essentially hijacking your accounts.

The Independent Communications Authority of South Africa (ICASA) now hopes to use biometrics to make it more difficult for hackers to get their hands on a duplicate SIM by requiring biometric data to verify the identity of the person requesting the duplicate SIM.

“While SIM swapping is undeniably a major problem, this could be a case of the cure being worse than the disease,” stressed Helming. He explained that once the biometric data is in the hands of the service providers, there’s a real risk that a breach could put the biometric data in the hands of attackers, who could then abuse it in various highly problematic ways.

“The challenge around collecting biometric data is not only in the collection process but securing that information once it has been collected,” agreed Benoit-Kurtz.

She believes that biometrics alone doesn’t help solve the issue in the first place. That’s because bad actors use a variety of methods to obtain duplicate SIM cards, and having them issued directly from the service provider isn’t the only option at their disposal. In fact, according to Benoit-Kurtz, there’s a vibrant black market for obtaining duplicates of active SIMs.

Barking up the Wrong Tree

Benoit-Kurtz believes carriers and phone manufacturers need to take a more active role in securing the mobile ecosystem. “There are significant challenges associated with the security of phones and SIM cards that could be resolved by the carriers implementing stronger controls surrounding when and where a SIM can be changed,” suggested Benoit-Kurtz.

She says that the industry needs to work together to introduce mechanisms to prevent fraudulent transactions without relying on multiple steps to validate the user and the phone that the new SIM is being registered to. For instance, she says some carriers like Verizon have started using six-digit Transfer PINs, which are required before a SIM can be moved. But that’s just one more data point in the transaction, and scammers can extend their social engineering tricks to gather this additional information as well.

Until the industry steps up, it’s up to the people to be savvy and protect themselves against SIM swap attacks. One trick she suggests is to enable multi-factor authentication for your online accounts while ensuring that one of the authentication mechanisms sends the verification code to an email account that isn’t connected to your phone. She also suggests using a SIM PIN—a multi-digit code you enter every time your phone restarts. “Make sure that you use the built-in security features on your phone to lock it down so that you can reduce your risk and proactively protect your SIM.”