Cellular | 24.07.2024

Mobile networks cracking down on this devastating digital crime

South Africa’s mobile networks employ various measures to prevent their customers from falling victim to fraudulent SIM swaps, which have declined significantly in recent years.

A SIM swap occurs when a phone number is transferred to another SIM card.

It is typically required when customers lose their phone or want to port their number when switching to another service provider.

A phone number can be an important means of verifying someone’s identity or as a backup channel if they forget their login details for an online platform.

It is sometimes also used as the one-time PIN channel for banking-related confirmations.

Therefore, fraudulent SIM swaps put victims at significant financial risk.

Fortunately, the South African Banking Risk Information Centre’s latest Annual Crime Stats report showed that the role of unauthorised SIM swaps in digital crimes has decreased drastically.

Between 2021 and 2022, the number of reports of incidents during which criminals gained access to people’s Internet banking profiles via a fraudulent SIM swap declined by over 98% — from 4,508 to just 71 incidents.

However, the practice continued to be a big part of the modus operandi in mobile banking fraud, where fraudsters gain access to users’ cellular or banking apps and transact on their accounts.

Around 76% of mobile banking fraud incidents reported in 2022 involved an unauthorised SIM swap, or 7,657 incidents.

Fraudulent SIM swaps are often carried out by criminals who obtain enough personally identifiable information about a victim to convince unsuspecting mobile network staff that they are the actual customer.

However, rogue mobile network personnel have also assisted in the crime.

MyBroadband asked South Africa’s four biggest mobile networks how they facilitated SIM swaps and what measures they implemented to avoid unauthorised SIM swaps.


Vodacom

A Vodacom spokesperson told MyBroadband that all its customers could request SIM swaps through the Vodacom website, by dialling *135# on USSD, calling the Vodacom call centre, or via the My Vodacom mobile app.

Prepaid customers also have the option to use Vodacom’s WhatsApp chatbot ToBi.

To protect against SIM swap fraud, Vodacom sends notifications to customers, telling them to contact its call centre if they did not request a SIM swap or if they suspect fraud on their line.

“Customers then have up to two hours to take action in line with our SIM swap process and company policies and procedures,” the spokesperson explained.

“In the event the customer does not contact Vodacom to stop the SIM swap, the request will be processed.”

The spokesperson also said that requests made after business hours remained “pending” until the next morning.

Customers who opt for an in-store SIM swap will need to perform “face-to-face” identity authentication and verification.

In addition, Vodacom has deployed automated controls to validate SIM swap requests in the background, which may block such a request if fraud is detected.

Vodacom recently revealed it fired 631 staff for a range of offences.

In response to a query for more details regarding the nature of the violations, Vodacom told MyBroadband that assisting or being complicit in ID and SIM swap fraud was among its dismissible offences.

The spokesperson said Vodacom “rigorously” investigated all incidents of SIM swap fraud for potential employee involvement.

“Where irregularities or wrongdoing has been established, disciplinary action is taken against any party found to have been involved,” they said.

“Where appropriate, these instances are also pursued criminally and reported to law enforcement agencies for prosecution.”


MTN

MTN South Africa told MyBroadband that its postpaid customers need to go in-store for a SIM swap, which requires biometric authentication.

Prepaid customers can process SIM swaps through a self-service USSD request, in-store assistance, or MTN’s call centre.

MTN said it applies several security controls to all SIM swaps, including:

  • Knowledge-based authentication to ensure that the individual was in control/ownership of the number and could access the account through service channels.
  • A request SMS sent to the current SIM card, giving a compromised individual a chance to reject the request.
  • Predictive analytics allowing any identified fraudulent attempt to be blocked.
  • Set time windows for when SIM swaps can be processed.
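The hold-and-notify controls described by Vodacom (two-hour objection window, after-hours requests left pending) and MTN (reject-by-SMS, set processing windows, automated blocking) can be modelled as one decision function. This is an added example, not either operator's code; the 08:00 to 17:00 window, the rule that the hold clock starts at the next opening, and all names are assumptions, and weekends are ignored.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

HOLD = timedelta(hours=2)               # two-hour objection window quoted by Vodacom
OPEN, CLOSE = time(8, 0), time(17, 0)   # assumed processing window (not in the article)

@dataclass
class SwapRequest:
    requested_at: datetime
    rejected_at: Optional[datetime] = None  # customer answered the SMS or called in
    fraud_flag: bool = False                # set by background validation / analytics

def next_in_window(t: datetime) -> datetime:
    """Return t if it falls inside the processing window, else the next opening."""
    if OPEN <= t.time() < CLOSE:
        return t
    day = t.date() if t.time() < OPEN else t.date() + timedelta(days=1)
    return datetime.combine(day, OPEN)

def release_time(req: SwapRequest) -> datetime:
    """Earliest moment the swap may be processed.

    Assumption: an after-hours request starts its hold clock at the next
    opening, and a hold that ends after closing rolls to the next opening,
    so a swap never completes while the customer is unlikely to see the SMS.
    """
    hold_ends = next_in_window(req.requested_at) + HOLD
    return next_in_window(hold_ends)

def status(req: SwapRequest, now: datetime) -> str:
    """Decide the state of a swap request at time `now`."""
    if req.fraud_flag:
        return "blocked"        # automated control wins over everything else
    if req.rejected_at is not None and req.rejected_at < release_time(req):
        return "cancelled"      # customer objected before the swap was released
    return "processed" if now >= release_time(req) else "pending"
```

The late-afternoon case is the one worth checking in any real implementation: a request at 16:30 would otherwise complete at 18:30, outside the processing window.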

MTN said it had comprehensive access controls in place to ensure that only authorised users can perform the SIM swap transaction.

“MTN systems are designed to only allow frontline staff to access their accounts when a verified customer request is received,” the operator explained.

When it comes to investigating incidents of fraud, MTN said that its membership of the Communication Risk Information Centre requires it to assist law enforcement agencies where its services were used to compromise a customer.

“MTN will take the case through forensic investigation, and any employee found to have been negligent or complicit in the SIM swap transaction will be subject to our internal disciplinary processes,” the company said.

“Law enforcement agencies have the prerogative to institute criminal charges on the flagged employee.”


Telkom

Telkom allows customers to conduct SIM swaps at its stores or through its WhatsApp channel.

“To minimise the potential for internal fraud, we have robust security processes in place, including biometric verification, to ensure our customers are protected from fraud,” the operator said.

“The WhatsApp channel also features a verification process before a customer proceeds with the SIM swap. Where fraud is suspected, we deal with each case on its merits.”


Cell C

Cell C facilitates SIM swaps via its physical stores and its customer call centre.

The mobile network said it had various authentication and verification processes to identify and verify individuals who phoned in for SIM swaps.

For in-store requests, customer authentication processes include verifying the customer’s identification document.

Cell C said it implemented strict policies and monitoring mechanisms to detect and prevent insider involvement in fraudulent activities.
