Fingerprint verification as an additional layer of authentication during transactions is likely to remain a preference among telecommunications firms and banks, analysts said, even as the Communications Authority of Kenya (CA) considers a unified system for verifying the ID linked to SIM cards.
CA plans to roll out a new system that will enable mobile subscribers to check and verify the registration status of their SIM cards on any network through SMS as it pushes for better security against SIM -swap fraud.
“The Authority intends to acquire an ID-to-SIM card checker, to be used by members of the public to check which numbers may have been registered using their National Identification documents or passports without their consent or knowledge,” the regulator said in a tender call.
“The service will entail members of the public sending their identification document number to a dedicated Short Code number, and the system searching all the Mobile Network Operators’ databases and returning the list of numbers associated with the sent identification Document number.”
The targeted system will be capable of processing 5,000 queries per minute, and shall integrate with all Mobile Network Operators and Mobile Virtual Network Operators, and will have a graphical user interface accessible to system administrators who will be able to view the statistical information.
This comes amid rising cases of SIM swap fraud that have seen subscribers lose hundreds of millions of shillings from their mobile wallets and have led to dozens of lawsuits against mobile money service providers and commercial banks.
This is the latest move by the industry regulator and sector players to install tighter safeguards against SIM-swap fraud and related cases of social engineering that have seen mobile service providers lose millions of shillings to scammers targeting their mobile wallets.
Analysts, however, said that fingerprint verification will remain a preferred extra layer of verification in the industry, despite CA’s recent effort to introduce an ID-to-SIM card checker.
“Fingerprint verification is a solid extra layer that banks and telecommunications already use. Though the regulator is attempting to weed out fraud such as SIM swaps, we must admit that the abuse of IDs remains problematic, and many will stick to fingerprints for extra verification,” Willy Oluoch, an IT consultant, said.
Commercial banks and insurance companies in Kenya already use fingerprint verification as an additional layer of authentication in certain transactions.
“Fingerprints are reliable in preventing the creation of fake accounts. You can't transfer fingerprints,” an IT official at a top bank told the Business Daily.
Telcos have also started rolling out the same concept of fingerprint verification in light of the growing importance of mobile money in daily financial transactions.
Mobile service providers are introducing new requirements for registering new SIM cards or replacing existing ones.
This includes fingerprint verification, which is meant to introduce an additional layer of security beyond passwords and personal identification numbers that users can use to safeguard their accounts.
Some of the most common cases of SIM swap fraud entail fraudsters obtaining the ID and phone numbers of their prospective victims and using rogue mobile money agents to execute a SIM swap.
This disables the victim’s phone while the fraudsters proceed to use the replaced SIM card to siphon money out of their mobile wallets and/or bank accounts, and in some cases take out mobile loans in the victim’s name.
The wide-scale adoption of mobile money and banking across the country has heightened risk among users and institutions amid pounces by criminal networks.
According to Safaricom, SIM swap fraud is one of the principal risks that the firm and its 50 million-plus mobile subscribers are exposed to.
“Due to the wide use of M-Pesa services across the country, our customers and partners are exposed to M-Pesa fraud due to social engineering, fraudulent sim swaps, digital identity theft, and Mobile Apps takeover,” the giant telco said in its latest annual report.
This, coupled with transnational fraud, cases where criminal perpetrators originate from outside Kenya, and fraud originating from third-party technology or service providers, raises the reputational risk to the firm.
The Central Bank of Kenya (CBK) recently cautioned that financial service providers face heightened risk through the exploitation of weak systems by cybercriminals who are using cutting-edge technologies to breach secure systems.
“Cyber risks have increased due to the digitalisation of payments and transfer of money from person to person,” said the CBK in its industry report published in September last year.
“The cyber threats increased from 805 million in 2022/23 to 3.5 billion in 2023/24, signalling a significant increase in cybersecurity risk.”
According to the CBK, these risks are amplified by the industry’s deployment of AI, where financial service providers often share consumers’ transaction data with third-party service providers.
This comes at a time when mobile service providers, fintechs, and commercial banks in Kenya continue to roll out new app-based solutions that offer savings and investment services to subscribers.
