SIM swap fraud is inflicting significant financial damage on South Africa’s telecoms sector, accounting for nearly 60% of the country's $320.5 million (R5.3 billion) yearly loss. This alarming figure was highlighted by Johan Van Graan, former Chief Risk Officer at Vodacom, who explained that SIM swap serves as a critical enabler for fraudsters. It allows them to intercept one-time passwords (OTPs) and subsequently gain control over various personal accounts, including social media and banking platforms.

The phenomenon of SIM swap is a leading form of identity theft, primarily orchestrated by criminals to gain possession of individuals' phone numbers. This form of digital financial crime is rampant across Africa, where identity theft broadly accounts for 63% of all such crimes, costing an estimated $4 billion annually. Africa's relatively weak cybersecurity infrastructure unfortunately simplifies the process for fraudsters to hijack phone numbers, access financial accounts, and assume victims' identities.

Van Graan clarified that the actual fraudulent activity typically occurs outside the immediate telecoms network. Once fraudsters have obtained control of a phone number, they proceed to log into banking applications and social media platforms. They might use previously phished PINs and passwords for internet banking, or send deceptive messages, such as WhatsApp requests for money, to further exploit their victims.

Several critical loopholes contribute to the prevalence of SIM swap fraud. Firstly, Van Graan pointed out that many South Africans exhibit carelessness, frequently exposing their personal identification numbers (PINs) and passwords. This lax security practice inadvertently assists malicious actors in accessing sensitive personal information or hijacking social media accounts.

Secondly, the existing RICA Act (Regulation of Interception of Communications and Provision of Communication-Related Information), which governs the telecom industry in South Africa, lacks adequate provisions for verifying phone ownership during a SIM swap request. Van Graan critically noted that South Africa's customer registration process ranks among the bottom five globally. This systemic weakness is not unique to South Africa but is a continental issue, leaving a significant vulnerability open to exploitation.

As detailed in a Technext report, identity theft can be as straightforward as registering a replacement SIM card for a supposedly lost one. A fraudster can easily acquire an individual's personal information, including their name, ID number, and phone number. They then visit a mobile network operator's store, often using a fake ID or even bribing an employee, to claim a lost SIM and request a replacement. Once the phone number is transferred to the new SIM card, the fraudster gains the victim's financial identity, enabling them to receive password reset links and two-factor authentication codes.

To combat this pervasive issue, Van Graan strongly advocates for the implementation of facial recognition technology in the SIM registration process. He suggests that whenever a SIM swap is requested, telecommunication networks should utilize facial recognition to validate both the SIM swap and the identity of the person making the request. He urged African regulators to embrace this technological advancement to close the gaps that fraudsters have been extensively exploiting.