Telecoms operator Safaricom has received critical backing in its bid to stop Equity Bank from using embedded SIM cards for the mobile banking and money transfer service the lender plans to introduce in the Kenyan market.
London-based GSMA, the global association of telecoms operators using the GSM technology, has written a hard-hitting letter to the Kenyan authorities warning of the risks that use of the slim SIM cards poses to the integrity of the mobile telecommunications platforms.
The GSMA says in the letter dated August 7 that the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing through the system.
“The overlay SIM has the potential to facilitate a man-in-the-middle attack by observing, collecting and revealing sensitive data such as PINs, ciphering and integrity keys,” the GSMA says in the advisory note to the Communications Authority of Kenya (CA).
The GSMA says the thin SIM is capable of bypassing any security technologies, such as cryptographic keys, to record sensitive data and make it available to third parties.
The slim SIM can also facilitate unauthorised access to the primary SIM card, change of configuration settings and execution of actions without the explicit permission or knowledge of the mobile user, the GSMA says, adding that the technology can allow recording and divulging of mobile user PIN details without the phone user’s knowledge.
The technical opinion risks further delaying Equity’s use of the thin SIM to enter the lucrative mobile money market.
The GSMA says that the CA should use the services of an independent consultant to ascertain that any planned deployment of the thin SIM technology is free from the above risks before authorising its use.
“If the use of the overlay SIM is permitted, the GSMA recommends that only overlay SIM solutions that have been analysed and certified by an independent consultant as being free from any functionality designed to undermine security levels for users of those SIMs should be deployed,” the GSMA says.
The GSMA is among mobile telecoms authorities from whom the CA had sought expert opinion as it prepares to make a decision on Safaricom’s petition challenging Finserve’s use of the ultra-thin SIM cards to roll out the mobile banking services. Finserve is a subsidiary of Equity Bank.
The industry regulator also sought the opinion of thin SIM card manufacturer Taisys, and has announced plans to conduct its own research before making the final decision.
Francis Wangusi, the CA director-general, did not respond to questions on the matter, insisting that doing so would be preemptive. He promised to issue a comprehensive statement later this week.
The battle for control of Kenya’s mobile money market between Safaricom, the country’s largest telecoms operator, and Equity, the leading bank by customer base, began in earnest on June 26 when Safaricom wrote to the telecoms market regulator claiming that Equity’s thin SIM technology poses a security threat to mobile subscribers.
Finserve has responded to Safaricom’s letter, saying that it intends to source the thin SIMs from a reputable technology company, Taisys of Taiwan, which has reputable clients such as the International Finance Corporation — the investment arm of the World Bank.
“It is inconceivable that such an entity would manufacture and distribute a product that is capable of exposing the country to the kind of risks mentioned by Safaricom,” Finserve says.
Finserve further argues that the thin SIM technology is already in use in respectable markets such as the United Kingdom, USA and Denmark, though the Business Daily could not determine the licensing conditions under which the technology is used.
The GSMA, however, argues that while Finserve and Taisys may take all the necessary security precautions, there is still danger of a malicious third party accessing sensitive data using malware.
“A risk also exists that, even if the overlay SIM supplier and issuer behave responsibly, a malicious third party could potentially download a ‘Trojan’ application to the overlay SIM to access sensitive data,” the GSMA says.
The GSMA refused to respond to questions on the advisory opinion it offered the CA.
Chinese operators have used the thin SIM technology in the provision of mobile banking services while in the US ‘KnowRoaming’ — a private service — uses the thin SIM to automatically connect subscribers to local wireless networks whenever they travel.
“In our opinion, the responsibility of licensing mobile phone operators lies with the authority alone. A licensee like Safaricom should never be allowed to determine or dictate the technology that its potential competitors should or should not use,” Finserve said in the letter to the CA.
The operator, which plans to enter the telecoms market under a Mobile Virtual Network Operator (MVNO) licence it was awarded earlier this year, says the thin SIM it intends to use does not have the capacity to hack or crack the service and connections of the primary SIM or any meaningful encryption or security mechanisms by itself.
“It cannot remotely connect to outside source for additional resource without the user noticing (connecting can only be through mobile network, either SMS or data, which the user will notice through unrecognised usage or traffic),” Finserve added.
Finserve says that Airtel Kenya, the telecoms operator on whose network it will ride, has tested the thin SIM and confirmed that it can neither interfere nor intercept communication between the mobile handset and the primary SIM.
Finserve was in April granted the MVNO licence alongside Mobile Pay Ltd and Zioncell.