The Independent Communications Authority of South Africa (Icasa) has proposed linking biometric data to SIM cards.
If approved, the new regulations would require all South Africans to provide their biometric data to mobile service providers to obtain a new cellphone number or approve a SIM swap.
The proposals are included alongside other draft regulations published by the regulator, which close for public comment on Wednesday (11 May). Icasa’s proposal calls for biometric data such as fingerprint mapping, facial recognition, and retina scans to be bound to a consumer’s SIM card.
Gur Geva, chief executive of security company iiDENTIFii, said the objective of the new proposals is to prevent serious crime and protect consumers from the trauma of identity fraud where associated phone numbers are used.
“Criminals who use a multitude of mobile numbers in illegal activities including fraud, money laundering, terrorism and kidnapping would have a harder time hiding from law enforcement should new regulations come into effect.
“And because biometric data cannot be copied, consumers would have an added layer of protection against their cell number being used in identity theft or to authenticate fraudulent payments,” he said.
Geva said the technology behind binding biometrics to SIM cards is well-established and secure.
“Biometric technology is already a common security feature offered by financial service providers like banks and insurers to protect consumers.
“As the deadline for public comment on the draft regulation approaches, iiDENTIFii has been engaging with several telcos on deploying remote digital biometric authentication in accordance with stringent local and international approved standards,” he said.
“The proposed regulations are far more sophisticated than current RICA laws in terms of protecting South Africans against fraud.”
SIM swaps and privacy
Regulator Icasa said stricter security measures are required to curb the hijacking of mobile phone numbers either through porting or via a SIM swap transaction, among other instances of fraudulent activity.
How biometric data is managed by mobile operators would still be subject to strict privacy laws laid out in the Protection of Personal Information (POPI) Act and the General Data Protection Regulation (GDPR) guidelines.
Raw biometric data also wouldn’t be stored, so citizens can rest assured their information is encrypted and non-transferable, said Geva.
However, he noted there is concern that biometric data can be used for various other means once captured by the mobile service provider.
“But in reality, there is very little difference between what is being asked of the mobile service providers and what customers have had to provide to financial institutions,” he said.