Weak SIM registration processes continue to enable fraud. (Graphic: Nicola Mawson, with images from ITWeb, Pexels and Freepik)
Amid growing calls for biometric registration of SIM cards, global bodies warn that such a move could exclude vulnerable citizens and create underground markets for fraudulently registered SIM cards.
Mobile industry veteran Johan van Graan is calling on Parliament to change the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) to enforce biometric SIM card registration for all SIM cards, including prepaid cards.
Telecommunications fraud costs the country more than R5.3 billion a year, according to the Communications Risk Information Centre’s 2025 Telecommunications Sector Report, with close to 60% of mobile banking fraud linked to SIM-swap attacks, Van Graan says.
He explains that SIM-swap fraud persists “largely because SIM cards can still be registered easily, because RICA does not require biometric verification”.
ITWeb understands that around four-fifths of the approximately 165 million SIM cards issued every year end up outside of the formal system – thrown away because another vendor may offer public-facing outlets a better deal to rather sell their cards. This leaves 80% of SIMs susceptible to being pre-registered.
The prevalence of an underground market in South Africa was exposed by ITWeb just prior to South Africa being removed from the Financial Action Task Force’s grey list.
The solution is to require biometric verification when SIM cards are activated and when SIM swaps are requested, using a live photo taken by the applicant and matched to the user’s ID in the Department of Home Affairs database and their ID picture, says Van Graan. “The technology already exists and is widely used by banks for digital customer verification.”
“Biometric authentication, together with liveness detection, is a powerful weapon in the fight against identity fraud, which is on the increase and costs the South African economy at least R1 billion each year,” Gur Geva, co-founder and CEO of biometric company iiDENTIFii, has stated.
Mobile industry veteran Johan van Graan. (Image: Supplied)
In 2022, draft regulations proposed by the Independent Communications Authority of South Africa sought to tie the biometric data of phone users to their SIM cards. The proposal attracted almost 21 000 public comments, with the overwhelming majority rejecting it, and has subsequently seemingly been shelved.
Biometric SIM registration is already used in Thailand, Nigeria, Uganda, Mozambique, India, the UAE and Peru, demonstrating it is both practical and widespread, says Van Graan.
A 2020 GSMA study − “Access to mobile services and proof of identity 2020: The undisputed linkages”− notes that 155 countries require people to prove who they are to register or activate SIM cards, with 8% of those requiring mobile operators to use biometric authentication processes when registering prepaid SIM customers.
A more recent GSMA blog post indicates that, as of the end of 2020, the number of countries requiring SIM card registrations climbed to 160. This is the latest available data.
However, the GSMA notes that governments that insist on SIM registration cite “a perceived but unproven link between the introduction of such policies and the reduction of criminal and anti-social behaviour”.
It warns that onerous requirements could prove exclusionary to the socially disadvantaged and lead to a black market. “It could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required IDs.”
Status of SIM registration policies in 2020. (Source: GSMA)
The requirement for registered SIMs “might also lead to the emergence of an underground market for fraudulently registered or stolen SIM cards, driven by the desire of some mobile users, including criminals, to remain anonymous,” the GSMA says.
Globally, at least 1.5 billion people do not have an official identity document, most of whom live in Africa – where SIM registration laws are most prevalent – and Asia, with a disproportionate amount being women and children, the GSMA adds.
Privacy International also highlights privacy issues when it comes to supplying personal information to register a SIM card, noting that only 59% of countries requiring SIM registration have a data privacy law in place.
“In the absence of comprehensive data protection legislation and oversight, SIM users’ information can be shared and matched with other private and public databases, enabling the state to create comprehensive profiles of individual citizens,” the organisation cautions.
Privacy International adds that taking registration to the “next level” by requiring biometrics means data processing for a biometric subscriber database will often occur in a “legal void”, with information potentially kept indefinitely and used for different purposes as technology and governments change.
Geva says, however, that the technology behind binding biometrics to SIM cards is well-established and is safe and secure. “How biometric data is managed by mobile operators would still be subject to strict privacy laws laid out in the Protection of Personal Information Act and the General Data Protection Regulation guidelines.”
South Africa’s POPIA has strict requirements for how data can be handled, stored, accessed, and when and how it must be expunged, he adds.
Moreover, registration undermines users’ ability to communicate anonymously, says Privacy International. “This poses a threat to vulnerable groups and facilitates surveillance by making tracking and monitoring of users easier for law enforcement authorities.”
Under RICA, law enforcement must apply to a designated judge for approval to intercept communications, showing a serious offence is involved and that less intrusive methods would not suffice. The application must identify the target of the interception. In urgent cases, oral approval may be granted, with a written application submitted within 48 hours.
