RICA thwarted

Johannesburg, 02 Jun 2010

The SIM registration law, which was put in place to stop criminals using cellphones to commit crimes, has failed.

The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) came into effect last July. The law requires people to register their SIM cards and provide proof of residence and an identity document.

While South Africans have until the end of the year to comply by registering their current SIMs, new SIMs cannot be used on the network without registration.

However, as a Pietermaritzburg-based data capturer can attest, the law does not always work to protect people from crime. He was recently the victim of identity theft, after an unknown person took out an MTN contract in his name, and provided his banking details as a means of payment.

The victim tells ITWeb that he found out about the MTN contract while in the bank querying his statements for another issue.

So far, just more than R1 200 has been debited off his account and, because the contract reflects as an additional expense at the credit bureaus, he has been unable to get financing for a house. “What is the purpose of RICA?”

There are several suspicious facts about the matter, including that the alleged contract has since gone missing, and the person who opened up the account provided details that do not exist, the victim claims.

Realistic fakes

Eddie Moyce, GM of customer services at MTN SA, explains that the company is cancelling the account, and the line has been frozen. “We are currently preparing a refund for the money, which was erroneously debited.”

Moyce says the original contract is in MTN's possession, and the operator can give it to the victim if required.

The contract was activated because the perpetrator had falsified the victim's ID book as well as proof of residence, the two documents required for RICA verification, says Moyce. “The forgeries were done with expert detail not easily noticeable unless they were verified by a subject matter expert. These documents were supplied on delivery of the handset, and [since] they didn't raise suspicion, the client was RICA'ed.”

However, Moyce suspects the perpetrator was not working alone, as he had access to the correct banking details of the victim, which were supplied to MTN. “The ID book was forged containing the name and ID number of the victim; it is likely that the forgery was done in line with the bank details to suit the requirements of the crime.”

What to do to prevent identity theft:

1. Reduce the amount of information that can be stolen by keeping limited confidential information in your purse or wallet.
2. Keep a watchful eye on your mail to prevent interception by an identity thief.
3. Never give out excessive personal information through the telephone, e-mail or Internet.
4. Destroy personal information before disposing of it.
5. Use different passwords for different accounts, and avoid writing these passwords down. Rather try to memorise them.
6. Obtain a regular report of your credit profile to check for irregularities, such as judgments against your name that you are unaware of.
7. Install firewalls and anti-virus software protection to prevent a computer virus from obtaining and sending out personal information from your personal computer. Ensure the software is updated on a regular basis.
8. Conduct reconciliations on all your accounts on a regular basis to detect unauthorised transactions.
9. Store all documentation containing personal data in a safe place, as an unassuming document like a cancelled cheque is a useful source of information to a perpetrator wanting to commit identity theft.
10. Report any identity theft to the South African Police Services.
11. If you do not receive account statements on time, make enquiries at the relevant company or financial institution to ensure statements are not being sent to another address.

(From Nedbank.co.za)

He explains that the contact details supplied for delivery of the phone were given by the fraudster and taken off the proof of residence, which was stamped and signed by a councillor of the eThekwini Municipality.

“Employment confirmation was done on the details supplied by the customer and there was no reason to suspect fraud. On delivery of the handsets, the ID book was verified as fine,” says Moyce.

He adds that MTN handles an average of 22 such cases a month, which he considers to be “relatively low”.

Limited access

Vodacom's executive head for corporate communications, Richard Boorman, says the information collected through the RICA process is stored in a secure database and can only be accessed by law enforcement agencies with a subpoena. Vodacom is not able to use the information.

“ID theft is a global challenge and we are as reliant as any other business on identity documents when signing up new customers,” Boorman says.

He explains that if someone thinks their identity has been fraudulently used to open an account, this person should contact customer services as soon as possible. The investigations department will look into the issue and take appropriate action, including cancelling any charges found to be fraudulent.

Unenforceable

Steven Ambrose, MD of WWW Strategy, says, although no one system failed, the fact that someone could use another person's identity to open an account shows RICA has been thwarted.

Ambrose says RICA was put in place to prevent the exact type of abuse that has happened. “RICA has failed; theoretically, someone should have checked the documents.”

He suspects the contract was successfully activated because of a series of collusive events that allowed someone to bypass all the checks and balances. “Those who have something to hide will have no problem circumventing the system.”

However, says Ambrose, there should be an audit trail that will allow MTN to discover who it was that allowed the documentation to pass through the process.

Ambrose says RICA is a good idea, but is almost impossible to implement in SA. This, he says, is because of the vast amounts of people who operate in the informal economy and do not have a fixed address. “No law can be a good law if it is ultimately unenforceable.”

In addition, as technology becomes more pervasive, it will become easier for identity theft to happen. Ambrose says, however, that the online environment also makes it easier for people to keep an eye on their accounts.

Related story:
'Major' RICA threat identified