eSIM dangers in South Africa
While eSIMs offer smartphone users a convenient way to connect to and switch between mobile networks, like any technology, they are a double-edged sword that extends that same convenience to criminals who could abuse them.
The most recent example is the South African Social Security Agency (Sassa) Social Relief of Distress (SRD) grant fraud that two Stellenbosch University students uncovered in October.
After Joel Cedras and Veer Gosai discovered that their identities were being stolen to apply for grants, they investigated further and found a bank account registered in Cedras’ name that had been receiving the grant every month.
They weren’t the only ones. Their investigation found that fraudsters had applied for the SRD grants on behalf of thousands of unsuspecting South Africans, routing the funds to bank accounts under their control.
In addition to the multiple failures within South Africa’s financial system that enabled the attack, the fraudsters exploited their access to thousands of RICAed eSIMs to receive the one-time PINs (OTPs) used to verify the applications.
Having a SIM card RICAed means that the customer’s identity must be authenticated and vetted before the SIM can be sold and activated.
This is required by the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), and the registration needs an ID document and proof of address.
Fraudsters can acquire illegally RICAed physical SIMs through vendors willing to break the law. However, eSIMs are far easier for them to manage, since several can be loaded onto a single device at once.
While investigating the Sassa grant fraud, GroundUp journalists discovered that Me&you Mobile failed to properly register the eSIMs it was distributing on its website.
An eSIM or embedded SIM is a digital SIM card that can be digitally loaded on a smartphone instead of inserting a physical one.
GroundUp found that the application process for Me&you Mobile’s eSIM was flawed. When signing up, the journalists provided a fake name, ID number, and proof of address.
While the operator said verification would take 24 hours, they gained access to a working eSIM immediately after uploading the fake documents. The eSIM was never verified.
About a month after the article was published, Me&you Mobile contacted the journalists to verify their identities manually.
Me&you Mobile has also since removed its eSIM offering from its website.
Even if verification had worked as intended, a 24-hour vetting delay would not have stopped the fraud: the criminals needed only one OTP per application, and they could receive it as soon as the eSIM was active, long before vetting completed.
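The flaw above is an ordering problem: the operator issued a usable credential (a live number) before identity verification completed, so anything that trusts an OTP sent to that number is exposed during the vetting window. The following is an added example, not code from Me&you Mobile, GroundUp or any operator; it models the sign-up flow under a weak policy (activate, then verify) and a hardened one (verify, then activate), and adds an assumed relying-party check that refuses OTP delivery to a number whose SIM is unverified or freshly activated. The 24-hour vetting delay, the MSISDN, the timestamps and all class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed model of the online eSIM sign-up flow described in the article.
# Not any operator's real code; timings, numbers and names are assumptions.

VETTING_DELAY = timedelta(hours=24)   # assumed: "24 hours to verify"


@dataclass
class Esim:
    msisdn: str
    activated_at: datetime                       # when the profile becomes reachable
    rica_verified_at: Optional[datetime] = None  # None until vetting has passed


class EsimShop:
    """Issues eSIM profiles under one of two policies."""

    def __init__(self, activate_before_verify: bool) -> None:
        self.activate_before_verify = activate_before_verify
        self.sims: Dict[str, Esim] = {}

    def sign_up(self, msisdn: str, documents_genuine: bool, now: datetime) -> bool:
        # Vetting outcome: genuine documents pass after the delay; fake ones never do.
        verified_at = now + VETTING_DELAY if documents_genuine else None
        if self.activate_before_verify:
            # Weak policy: profile usable immediately, vetting happens later (if ever).
            self.sims[msisdn] = Esim(msisdn, activated_at=now, rica_verified_at=verified_at)
            return True
        # Hardened policy: nothing is issued until vetting has actually passed.
        if verified_at is None:
            return False
        self.sims[msisdn] = Esim(msisdn, activated_at=verified_at, rica_verified_at=verified_at)
        return True

    def reachable(self, msisdn: str, now: datetime) -> bool:
        sim = self.sims.get(msisdn)
        return sim is not None and sim.activated_at <= now


def otp_delivery_allowed(shop: EsimShop, msisdn: str, now: datetime,
                         min_sim_age: timedelta = timedelta(hours=24)) -> bool:
    """Assumed relying-party check before sending an OTP to a number.

    Refuses numbers whose SIM is not yet RICA-verified or was activated too
    recently, a signal a grant or banking platform can use even when the
    operator's own vetting is lax."""
    sim = shop.sims.get(msisdn)
    if sim is None or sim.activated_at > now:
        return False
    if sim.rica_verified_at is None or sim.rica_verified_at > now:
        return False
    return now - sim.activated_at >= min_sim_age


def run_scenario(activate_before_verify: bool, relying_party_checks: bool,
                 documents_genuine: bool = False,
                 hours_before_otp: float = 0.1) -> str:
    """Play one sign-up followed by an OTP request and report what happens."""
    t0 = datetime(2024, 10, 1, 9, 0)          # constructed timestamp
    msisdn = "27820000000"                     # constructed number
    shop = EsimShop(activate_before_verify)
    shop.sign_up(msisdn, documents_genuine, now=t0)
    t_otp = t0 + timedelta(hours=hours_before_otp)
    if not shop.reachable(msisdn, t_otp):
        return "no sim: OTP cannot be delivered"
    if relying_party_checks and not otp_delivery_allowed(shop, msisdn, t_otp):
        return "otp blocked: SIM unverified or too new"
    return "otp delivered"


if __name__ == "__main__":
    # Fraudster with fake documents against the flow the article describes.
    print(run_scenario(activate_before_verify=True, relying_party_checks=False))
    # Same operator flaw, but the relying party checks SIM status first.
    print(run_scenario(activate_before_verify=True, relying_party_checks=True))
    # Operator only activates after vetting: the fake-document sign-up yields nothing.
    print(run_scenario(activate_before_verify=False, relying_party_checks=False))
    # Genuine customer a day later passes every check.
    print(run_scenario(True, True, documents_genuine=True, hours_before_otp=25))
```

The first scenario reproduces the article's outcome: with fake documents and activation before verification, the OTP lands on the fraudster's eSIM minutes after sign-up. Either the operator withholding activation until vetting passes, or the relying party refusing OTPs to unverified or day-old SIMs, is enough to break the chain; a genuine customer who waits out the vetting period is unaffected by both.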
Of interest is that the network operators offering online eSIMs are mobile virtual network operators (MVNOs).
MVNOs are cellular service providers that don’t own network infrastructure and instead buy wholesale access from a mobile network operator to provide connectivity to their subscribers.
Cell C is South Africa’s largest enabler of MVNOs, but it is facing heightened competition from MTN and Vodacom.
The popularity of MVNOs amongst South Africans is gaining momentum, with subscribers almost doubling from just over 2.5 million in 2022 to just under 5 million.
Banks have also started offering telecommunications services and, in many cases, competing aggressively against Vodacom and MTN.
By June 2024, FNB Connect reported that it had 958,000 subscribers and generated R18.6 billion in revenue in the bank’s 2024 financial year.
As of August 2024, Capitec Connect had 1.2 million active subscribers, up from 900,000 a year earlier.
Capitec has also reported that its MVNO generated R69 million net income in the six months ended 31 August 2024.