South African SIM swap loophole
Requiring users to actively opt out of a SIM swap request could be helping fraudsters hijack people’s numbers while they are overseas.
Several Vodacom customers recently told MyBroadband they suffered fraudulent SIM swaps while out of the country over the past few months.
One customer had their phone number taken over while overseas in July 2024, while another experienced the same in August.
Neither customer had SMS roaming activated while overseas, so they could not receive the opt-out SMS sent by the mobile network alerting them of a SIM swap.
One of the victims’ WhatsApp accounts was quickly hijacked and used to try to scam their contacts.
Fraudulent SIM swaps usually only occur when a malicious party obtains enough personal information to impersonate the subscriber who holds the phone number.
Therefore, it is essential that mobile users protect their numbers by securing their personal information and avoiding phishing attacks.
However, there have been numerous data breaches suffered by third parties including credit bureaus like Experian and TransUnion, exposing many South Africans’ personal information that could aid malicious parties in fraudulent SIM swapping.
In addition, several mobile network employees have been implicated in facilitating fraudulent SIM swaps over the past few years.
Considering these factors, there might be many more cases where people suffer fraudulent SIM swaps due to no wrongdoing on their part.
SMS usage has plunged in recent years, and many South Africans now prefer to communicate using Internet-based applications.
It is also simpler and more affordable to get a temporary data-only package on an eSIM or physical SIM to use while overseas than to use roaming.
Despite the surging popularity of online apps, South Africa’s two main networks don’t use any of these channels to inform their customers of SIM swap requests.
However, it is also a mistake to think you are fully protected against a fraudulent SIM swap if you turn on SMS roaming when travelling abroad.
The time that networks allow subscribers to decline a SIM swap request is relatively short.
Vodacom and MTN give customers up to two hours to take action. If they get no response from the customer receiving the SMS, the SIM swap proceeds.
To mitigate potential issues, the operators put requests made after business hours in “pending” until the following morning.
The problem is that this mitigation is based on South African time.
Even if a customer has SMS roaming switched on while abroad, if they travel to a country in a different timezone, they might receive their alert during the late night or early morning hours while they are asleep.
Opt-in vs opt-out — Vodacom and MTN not to blame
One surefire way to reduce the risk of fraudulent SIM swaps occurring while a customer is overseas or away from signal for a prolonged period is for networks to use opt-in, rather than opt-out mechanisms.
With opt-in, a subscriber would have to actively confirm that they want to swap their SIM rather than ignoring the message for the swap to proceed.
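The timing rules described above (a two-hour response window, after-hours requests held until the next South African morning) and the opt-out versus opt-in decision can be modelled in a few lines. The following is an added illustration, not code from MyBroadband or from any operator; the 08:00 to 17:00 business hours and the UTC-7 traveller scenario are assumptions, while SAST (UTC+2) and the two-hour window come from the article.

```python
from datetime import datetime, time, timedelta, timezone
from typing import Optional

# From the article: SAST is UTC+2 and the operators give up to two hours to respond.
SAST = timezone(timedelta(hours=2))
CONFIRM_WINDOW = timedelta(hours=2)
# Assumed business hours; the article does not state them.
BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)


def alert_sent_at(requested_at: datetime) -> datetime:
    """When the operator sends the SMS alert, expressed in SAST.

    Requests inside business hours go out immediately; requests outside them
    are held "pending" until the next morning, judged in South African time.
    """
    local = requested_at.astimezone(SAST)
    if BUSINESS_START <= local.time() < BUSINESS_END:
        return local
    next_morning = local if local.time() < BUSINESS_START else local + timedelta(days=1)
    return next_morning.replace(hour=BUSINESS_START.hour, minute=BUSINESS_START.minute,
                                second=0, microsecond=0)


def outcome(policy: str, requested_at: datetime, reply_at: Optional[datetime]) -> str:
    """Decide a swap request under the 'opt-out' or 'opt-in' policy.

    opt-out: the swap proceeds unless the customer replies within the window.
    opt-in:  the swap proceeds only if the customer replies within the window.
    A customer who never sees the SMS (no roaming, asleep) is modelled as reply_at=None.
    """
    sent = alert_sent_at(requested_at)
    replied = reply_at is not None and sent <= reply_at <= sent + CONFIRM_WINDOW
    if policy == "opt-out":
        return "declined" if replied else "proceeds"
    if policy == "opt-in":
        return "proceeds" if replied else "declined"
    raise ValueError(f"unknown policy: {policy}")


def subscriber_local_hour(requested_at: datetime, subscriber_utc_offset_hours: int) -> int:
    """Hour of day at which the alert lands where the subscriber actually is."""
    local_tz = timezone(timedelta(hours=subscriber_utc_offset_hours))
    return alert_sent_at(requested_at).astimezone(local_tz).hour


if __name__ == "__main__":
    # Constructed scenario: request filed at 19:30 SAST; subscriber is travelling in a UTC-7 zone.
    req = datetime(2024, 7, 15, 19, 30, tzinfo=SAST)
    print(alert_sent_at(req))                # 2024-07-16 08:00 SAST
    print(subscriber_local_hour(req, -7))    # 23, i.e. late at night for the traveller
    print(outcome("opt-out", req, None), outcome("opt-in", req, None))  # proceeds declined
```

Running the scenario shows the point the article makes: the same silent traveller loses the number under opt-out and keeps it under opt-in, and the "next morning" alert arrives at 23:00 in their local time.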
Vodacom and MTN tried to change their processes for porting phone numbers from opt-out to opt-in in April 2016.
Had they been allowed to continue using this approach, it would have avoided these fraudulent SIM swaps.
However, Cell C took the two networks to the High Court and argued that their practices were unlawful under 2005 porting regulations.
Cell C alleged that the percentage of porting requests that failed due to the change surged from 1.5% to 60% for customers wanting to switch from Vodacom to Cell C while increasing from 7.5% to more than 70% for MTN subscribers wanting to port to Cell C.
A possible factor in this was the relatively short period the operators allowed for customers to approve a request, with Vodacom requiring the customer to send a “1” in response to an SMS within 40 minutes and MTN requiring the same within 30 minutes.
Vodacom settled with Cell C and switched back to the opt-out approach while MTN decided to continue the court fight.
It ended up losing and was forced to switch back to opt-out as well.
Mobile networks could mitigate the issue by also sending their customers an opt-out notification via an online channel — like an email or a mobile app.
However, an opt-in mechanism via channels other than those that require access to the phone number — like a phone call or SMS — could create an additional avenue for compromise if fraudsters somehow gained access to those channels.