UCC: What we know about SIM card hacking
In October of 2018, Myriad Connect released a study indicating that SIM card hacking was becoming a global threat, affecting even developed nations that have the most sophisticated technologies.
“SIM swap fraud is not limited to Africa. It is a growing global issue affecting even some of the most sophisticated technologies in the world,” Willie Kanyeki, Myriad Connect Director Business Development – Africa, said.
Sim card scams involve fraudsters replacing the SIM for a mobile number that does not belong to them, allowing them illegitimate access to personal information and accounts of the original user.
The scammers use SIM swap frauds to cancel and re-activate new SIM cards to their names to target bank accounts or any other money transfer services.
They can also access your call logs, text messages, online accounts, including email and all social media accounts.
Now, recently there has a disturbing statement circulating on social media, indicating that someone can hack your sim card through a mere phone call.
#Hacking your SIM #SIMSwapFraud #SIMCardReplacement #FactCheck. There is a social media article making the rounds; see details in the image attached on #SIMSwapFraud. The article is hugely exaggerated. Hacking your SIM card takes having access to either: https://t.co/QVO8hc59RK pic.twitter.com/sMzoWWJjcA
— UCC (@UCC_Official) January 11, 2019
To calm the nerves of Ugandans, the Uganda Communications Commission issued a statement, explaining how sim card hacking occurs.
We reproduce it below:
There is a social media article making the rounds on SIM Swap fraud.
The article is hugely exaggerated. Hacking your SIM card takes having access to either:
1. The SIM card itself, for someone with the right technology to make a clone. S/he would need to be that sophisticated with the right equipment (e.g. manufacturers of SIM cards) to succeed, OR
2. Gain access through your network provider (telecom company) since SIM card encryptions are loaded on the network through the service provider.
Whichever way, you need that high level of sophistication.
Also, note that a SIM Swap has to be done manually.
An agent within the operator has to gain access to the operator’s system manually, and in doing so, access credentials are required.
Remember, there is an industry directive for your safety on new SIM Card sales, SIM upgrades, SIM swaps, and SIM replacements which requires all telecom operators to comply with the following;
– A customer seeking to acquire, upgrade or replace a SIM Card must physically appear and present his or her original National Identification Card to an operator’s designated customer care agent at a designated customer care centre or registration point.
– The Operator must verify the authenticity of the National Identification Card using an Electronic Biometric Card Reader, match the applicant’s live biometrics with the biometrics on the card, and obtain real-time verification with the NIRA database through the API.
1. For the avoidance of doubt, where, for whatever reason, the operator is unable to conduct online real-time verification of the customer’s information with NIRA’s national ID database, the operator should not proceed with the issuance, upgrade or replacement of the SIM Card.
2. The Operator must obtain a fresh Photograph of the applicant.
3. The Operator must register the applicant for the SIM Card, and ensure that the applicant expressly gives authority to the Telecom Operator to access and match his or her details with the National identification database maintained by NIRA.
This, therefore, transfers liability to the operator if your SIM Card is Swapped or replaced without your authorization. However, this is not to say that you should drop your guard.
If you are a victim of fraud, please report this to your telecommunication provider and if you feel the redress provided in inappropriate, contact the Uganda Communications Commission.
Now, while UCC is right that for someone to hack into your sim card they have to first access it, it is not entirely true that you need “sophisticated” tools to swap someone’s sim card.
That aside, while there are no data indicating that someone can remotely hack your sim card before physically accessing it, technology is always evolving and anything can be possible.
It is also important to note that a recent survey in Kenya revealed that over 90 percent of Kenyan banking leaders see SIM swap fraud as an issue for their organizations and over 25 percent of respondents had been victims of SIM swap fraud.
In 2016, the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap.
In South Africa, the South African Banking Risk Information Centre (SABRIC) reported that the incidence of SIM swap fraud has more than doubled in 2017.