Cutting down on fraud: Why Rica reform is essential for telecom security

In South Africa, simple solutions to complex problems are rare. But that doesn’t mean we should ignore achievable wins when they exist, such as taking concrete action to stop preventable crimes like bank fraud.

Telecommunications fraud amounts to over R5.3bn a year, and it is estimated that 60% of mobile banking fraud is related to SIM swap fraud, according to the Communications Risk Information Centre (Comric) 2025 Telecommunications Sector Report.

Surely, if SIM swaps were more secure, theft of hundreds of millions of rand, if not billions, could be prevented.

The technology to stop such widespread theft exists.

The answer is simple: when individuals register a SIM card for a phone or data, they are required to undergo biometric registration using a photo, with the same requirements for a SIM swap if their phone is stolen. Linking photo IDs to the owner of a SIM would make it very difficult for criminal syndicates to conduct fraudulent SIM swaps, which are often used to access two-factor authentication codes needed to break into bank apps. Biometric registration is common and is used in Thailand, Nigeria, Uganda, Mozambique, India, the UAE, Peru and numerous other countries.

A SIM card and a phone today are the gateway to banking apps, one-time passwords, WhatsApp and financial transactions. Yet SIM cards are still too easily bought from small shops, are often registered to fake identities, are sold without tamper-proof packaging and remain insecure, with SIM swaps too easy to conduct.

For more than two decades, the Regulation of Interception of Communications and Provision of Communication-Related Information Act, better known as Rica, has required SIM cards to be registered to the individual who uses them. Yet criminal syndicates, kidnappers, extortionists, online fraudsters and small-time chancers continue to operate behind a rotating carousel of anonymously registered numbers.

There are hundreds of millions of SIM cards that are linked to fictitious individuals and are effectively anonymous, with over 60 million distributed each year.

Rica should be properly enforced to require the correct registration of SIM cards and to stop the mass fraudulent registration of SIM cards, but it should also be amended to enforce biometric registration.

Because SIMs are not properly registered to a real individual, or are registered without biometrics, when a criminal syndicate attempts a SIM swap it can succeed with alarming ease, sometimes needing little more than an ID number or address, which can be easy to obtain.

The mechanics are frighteningly simple. Using data stolen from the dark web, data leaks and inside sources at banks or retail firms, criminals assemble a detailed profile of a target, including addresses, an ID number and name. They then impersonate the victim to convince a mobile carrier to switch the phone number to a new SIM card under their control. Once the swap succeeds, the victim's phone goes dead and all incoming calls and texts, including one-time passwords for two-factor authentication, route to the criminal.

If this happens while a person is busy and doesn’t see the SIM swap warning, a criminal can easily access a bank account by accessing two-factor authentication codes while the victim is locked out of their phone.

SIM swaps don’t guarantee immediate access to a bank account, as the criminal also needs the person’s username and bank account password. They usually obtain these by tricking the individual: pretending to be the bank in a phone call, or sending a phishing email that looks like it comes from the bank when in fact it captures their login details.

Next they do a SIM swap.

Biometric verification would change that equation. Requiring facial recognition at the point of SIM activation would create a far stronger link between a person’s identity and device.

A person could purchase a SIM and register it at home on an app using a live photo matched, through secure software, to their ID image on the Department of Home Affairs database and their ID photo. The technology already exists and is used by banks to onboard or verify customers without a branch visit. Mobile apps already allow users to take and record their selfies to verify their identity, although it is not mandatory. Stores could help customers who do not own smartphones by assisting them in registering in-store.

Rica should be amended, and the requirement for proof of address removed. No documents other than photos should need to change hands when buying a SIM card, protecting consumers from handing over too much personal information. If a SIM swap is needed, the same person will need to take a photo of themselves.

Additionally, there should be a reasonable cap on the number of SIM cards registered per person. At present, an individual can acquire hundreds or even thousands of SIMs each year. The average person does not need to register more than five or ten SIM cards annually, including data SIMs and SIMs for multiple phones.

Stopping the mass fraudulent registration of SIM cards would remove a key tool used by criminal syndicates and reduce the millions of anonymous SIM cards already in circulation. If SIM cards are sold in tamper-proof packaging, this would also hide their identifying information and make bulk illegal registration of SIMs impossible without damaging and repackaging them.

South Africa has already embraced biometrics in banking and border control and is considering its expanded use in social grant distribution. Amending Rica to require it should be a simple win against banking fraud and crime.

Mandating biometric SIM registration would not eliminate crime. No single reform can. But it would close one of the most exploited vulnerabilities in our digital ecosystem and send a clear signal that anonymity cannot be weaponised against citizens with impunity, while potentially saving up to R2bn a year lost to SIM-swap-related banking fraud.

About Johan van Graan

Johan van Graan spent nearly three decades at Vodacom, where he served as Chief Risk Officer and helped build the company’s risk, security and governance frameworks as the business expanded across Africa. He recently retired from his executive role and now works as a consultant advising organisations on risk management.