Vulnerabilities in SIM Registration Processes in India

The proliferation of mobile phones continues unabated, with over 7.26 billion users worldwide as of July 2022, representing close to 91% of the global population. This is a substantial increase from 2016 when the global mobile user base was 3.67 billion, or 49% of the population.  Most of this growth occurred in Asia, notably in India, where the number of mobile users increased across urban and rural areas.  

Among current mobile users, nearly 83% use smartphones.  These smartphones not only serve as communication tools but also as gateways to various life-enhancing services, particularly in banking and finance.

However, this increased reliance on technology exposes mobile users to cyber threats. In the first half of 2021 alone, ransomware attacks in banking increased by 1318%, according to data from Trend Micro. These attacks often involve sophisticated methods such as using fraudulent SIM cards or identity theft to conceal the perpetrators' identities, posing significant challenges for law enforcement.

In India, an area that is particularly vulnerable to identity theft and fraud is the SIM registration process adopted by telecom service providers to authenticate and validate a subscriber’s identity. Weaknesses in this process have allowed fraudsters to gain access to users’ details and purchase SIM cards using stolen identities or synthetic identities which are then used to perpetrate cyber fraud.

While the Department of Technology (DoT) mandates subscriber registration for both prepaid and postpaid connections through various KYC (Know Your Customer) procedures, including e-KYC (electronic), d-KYC (digital), and p-KYC (paper), a joint study by the ISB Institute of Data Science and Telangana Cyber Security Bureau titled 'Telecom SIM Subscription Frauds’ shows that SIM card fraud is prevalent during cybercrimes. 

The study was authored by Prof. Manish Gangwar, Dr. Shruti Mantri, Stephen Raveendra IPS, Kalmeshwar Shingenavar IPS. The study reveals that fraud accounts for 35-40 per cent of all telecom frauds globally, costs the sector Rs 3,600 billion annually.

During the study, over 1,600 Customer Acquisition Forms (CAFs) were obtained from various police stations, phone numbers of criminals reported by the public across Hyderabad and State, and real-time analysis of data from the PDF-form CAFs was done using Artificial Intelligence (AI) models. Our analysis revealed that 64.5% of users in the sample preferred d-KYC, followed by 34.5% who used e-KYC.  For users who preferred d-KYC, Aadhaar was predominantly used as proof of address or proof of identity.

Nearly 91.76% of d-KYC users submitted Aadhaar at the time of registering their SIM card.  However, 89.11% of these Aadhaar numbers were not linked to the alternate telephone number provided by the subscriber during the onboarding process. 

As a result, the SMS-based OTP authentication, which could serve as an extra layer of security, was rendered ineffective. Further, during the d-KYC procedure, point-of-sale (PoS) agents employed by telecom service providers did not verify the authenticity or validity of the submitted documents (Aadhaar, Voter ID, Driving License, etc.) with the competent authority.  As a result, it was difficult to detect forged or stolen IDs submitted during the onboarding process.

Similar challenges were also observed in the e-KYC procedures.  While users submitted biometrics for authentication, the lack of real-time verification by the PoS agents could allow fraudsters to undertake identity theft or subscription fraud to procure SIM cards for illegal activities.  

Another deficiency in the validation process was the lack of real-time verification of the photograph on the proof of identity document or the live photograph captured at the time of registration.  Perhaps for these reasons, it was unsurprising that many subscribers in our sample held more than nine SIM cards, the maximum number per subscriber permitted by DoT.   An extensive analysis of SIM registration procedures in 160 countries was done to benchmark international best practices, which were said to improve local protocols.

Towards a Secure and Reliable SIM Registration Process

Addressing these challenges requires a multi-pronged approach including the adoption of adaptive rule techniques, leveraging advanced machine learning and artificial intelligence for real-time online authentication and identification. Such solutions should encompass knowledge-based validation, phone authentication, address validation, OTP usage, and the detection of common usernames across multiple telecom providers.

Additionally, subscriber applications should authenticate and validate customer details using proof-of-identity/address databases or QR codes on identity documents. Registering all PoS agents with the DoT and issuing licenses can enhance accountability and deter fraudulent actions.

Customer education on the risks of sharing personal information and the prompt reporting of lost or stolen SIM cards are vital preventive measures. Ultimately, combating SIM card subscription fraud requires technological innovation, regulatory compliance, and collaborative efforts among telecom providers, regulatory bodies, and law enforcement agencies to safeguard customers and preserve trust in the telecommunications ecosystem.

By Professor Manish Gangwar, Executive Director, ISB Institute of Data Science and Dr Shruti Mantri, Associate Director, ISB Institute of Data Science.