When we uncovered fraudulent applications for the Sassa SRD grant, we realised that creating an application was only one piece of the puzzle. The fraudsters needed phone numbers to apply and to receive a one-time Pin, but how were they getting these phone numbers?
We started asking questions, and we then found a relatively new network carrier – Me&You Mobile – whose processes can be abused in order to obtain a phone number in two minutes without being properly registered under South Africa’s Sim card registration law, commonly known as Rica.
Me&You Mobile launched in South Africa as a mobile virtual network operator (MVNO) in May 2015. Its eSim offering launched in late 2023.
Most cellphones still use a Sim card, but increasingly phones are offering an embedded Sim or eSim, which is much more convenient. In theory, one can have an almost unlimited number of eSims on a single phone, while there are usually only slots for one or two physical Sim cards.
The Regulation of Interception of Communications and Provision of Communication Related Information Act, better known as Rica, started coming into effect in 2005. By July 2009, all cellphone users had to register personal details with their networks for every Sim card they used.
The act states that any customer who receives a Sim card must provide the relevant electronic communication service provider with their full name, ID number and proof of address.
The purpose of this part of Rica is to prevent illegal activity with mobile phones, such as making a fraudulent application for a social grant. By having the details on record of all Sim card users, illegal activity using a cellphone can be traced back to a particular person. Law enforcement can also obtain a warrant to monitor communications from a particular mobile phone.
Pressure
There is international pressure for countries to implement laws like Rica to meet anti-money laundering requirements. There are also important criticisms of Rica. Intel Watch argues that in its current form the law’s “lack of safeguards and outdated approach have enabled surveillance abuses, undermined public oversight and failed to protect constitutional rights”. But Intel Watch calls for more safeguards, not for the law to be thrown out.
Traditionally, getting a phone number without going through Rica means going to a dodgy cellphone store and purchasing a fake-Rica’d physical Sim card. Alternatively, you would have to know an insider at a network carrier who would be able to get you a Sim card registered to someone else. But thanks to Me&You Mobile, you can get a free fake-Rica’d eSim from the comfort of your home.
The company’s website fails to verify your first name, last name, address or ID number. You can upload irrelevant documents as your proof of address and ID; we uploaded a mathematics assignment for the address, and a picture of the company’s logo for the ID. No problem; we activated a free eSim immediately.
The entire process is astonishingly easy, and you are able to generate as many phone numbers as you want using any ID number, with any name, surname, address and documentation, all for free.
We reported this issue to Me&You Mobile via its website contact form, which is the only contact mechanism the company offers. We received no reply. We subsequently sent questions for this article but received no response. We emphasise that we have used these eSims solely for the purpose of exposing the problem described in this article.
We also notified the department of communications & digital technologies in mid-October. Many of the phone numbers on the department’s website went unanswered but eventually we got through to the minister’s office and were given an e-mail address to report the problem. We did this, but other than confirmation of receipt, there has been no response. Questions sent for this article also went unanswered.
Problems
A company search shows that the directors of Me&You Mobile are Sean and Donovan Bergsma, two brothers who between them are the directors of several dozen companies, including the online classified ads platform Gumtree.
A GroundUp journalist contacted Donovan Bergsma by phone. He was evasive when we asked him to explain the Rica verification process for Me&You Mobile, but he did get an official to call the journalist back. The journalist explained that we obtained an eSim by typing nonsense in the application fields and uploading irrelevant documents. The official told the journalist that applications are manually checked within 24 hours and if the information doesn’t stand up to scrutiny, the number is deactivated.
There are three problems with this. First, this is not what the law demands; Rica has to be properly carried out in order to get a Sim card.
Second, 24 hours is more than enough time to carry out fraud with a cell number. For example, someone wishing to make multiple fraudulent SRD grant applications could obtain a number of eSims from Me&You Mobile within a short period of time and use these to make fraudulent applications.
Third, in our experience it’s simply not true that the numbers are being deactivated within 24 hours. On 8 November we checked two eSims that had been activated using nonsense Rica information on 15 and 28 October. Both were still active. — Joel Cedras and Veer Gosai, (c) 2024 GroundUp
- Cedras and Gosai are first-year computer science students at Stellenbosch University.
- This article was originally published by GroundUp. It is republished by TechCentral under a Creative Commons Attribution-NoDerivatives 4.0 International Licence.