Cell phone number hijacking causes losses and inconvenience to mobile phone customers every year. In Brazil, the scam is closely associated with WhatsApp, where scammers use the number to ask for money, for example. But what is worth risking to protect this data? The independent agency that monitors communications in South Africa has a controversial answer: the collection of biometrics.
The bill from ICASA (Independent Communications Authority of South Africa) provides that operators in the country, such as MTN and Vodacom, use the user's biometric data each time he requests a change of number – basically in every case of portability.
Number cloning is mainly used for fraudulent money transfer scams, theft and fraud, as the phone line can be used for double-checking processes to access accounts. Most operators do not have an effective method to combat this criminal practice; it is not uncommon for some employees to accept bribes to cancel the SIM card directly.
In this sense, ICASA believes that associating line switching with user biometrics can prevent number hijacking. However, the proposed law filed on Wednesday (23) does not specify which type of collection it would be: fingerprint, facial or voice recognition.
ICASA says that only persons related to the Judiciary would be exempt from biometrics collection. For all other users, if passed, the law would work as follows:
- When activating a new mobile phone number on an operator’s network — numbers that already exist will also be considered “new” — the provider must collect the customer’s biometrics, which will be associated with that line;
- The user’s biometrics must be linked to the person’s phone number at all times;
- Providers must use biometric data for the sole purpose of phone line authentication;
- If the user requests a chip exchange (portability), the provider must verify that the person’s biometrics match the line. If they do not match, the change must be blocked.
Biometrics law is in the “public interest”, says lawyer
The Director of Data Privacy and Cybercrime at the South Africa office of Werksmans Attorneys told Bleeping Computer that the ICASA law could be the end of number theft.
“Scams of this kind are unfortunately rampant in South Africa, and mobile operators are failing to prevent these crimes,” said Ahmore Burger-Smith, an executive at Werksmans. “In addition, the FADN law obliges companies to obtain a certain volume of data from the sale of a SIM card,” she added. The FADN is the legislation on the interception of communications, in force in the country since 2002.
“In a world with so many laws, the scope of legislation must serve the public interest. And it is, without a doubt, a collective desire to prevent or at least limit cybercriminals from committing fraud. Therefore, the collection of biometrics can serve the public interest.”
— Ahmore Burger-Smith
South African government monitors citizens on the internet
Defenders of the right to privacy in South Africa fear the law will be used to force government-linked intelligence agencies to use customer biometrics captured by operators.
If a person’s voice, face or even iris recognition information is always in a pooled cell phone number database, experts fear that the South African government will deploy a mass surveillance system.
The country does not have a positive privacy protection record: in addition to being a target of infections by the Pegasus spyware, the South African government has admitted to monitoring the internet activity of South Africans since 2008.
The ICASA bill has been opened for public comment. The agency may consider South Africans’ responses and change the text, or, if it goes ahead, a South African Supreme Court judge may veto it.