Safaricom welcomes security scrutiny of SIM overlay technology
In light of the Communications Authority (CA) of Kenya’s decision to give tentative approval to the rollout of the SIM overlay technology in the Kenyan mobile telecommunications market, Safaricom Limited states the following:
We thank the Central Bank of Kenya (CBK) and the CA for the preliminary inquiry into the integrity of the SIM overlay technology, and the security concerns around its deployment. Whereas Safaricom does not necessarily agree with some critical aspects that led to the determination of CA’s decision, we will give our full cooperation to the CA as is required.
Safaricom is pleased that both the CA and CBK have appreciated that the security concerns are valid and require to be addressed in the interests of consumers and industry players.
We are particularly encouraged that CA has commenced the process of hiring an independent and reputable international firm to conduct a security audit on all SIM cards, and in particular the use of the SIM overlay technology in mobile money transfer services.
We therefore implore the CA to fast-track the security review and to publish the guidelines in the interests of protecting consumers and financial institutions, who will remain vulnerable to the potential risks created by the ‘man-in-the-middle attack’. This was pointed out by the GSMA in its submissions to the CA, and its concerns in relation to the SIM overlay’s possible effects on existing SIM cards are summarized as follows:
That it has the potential to observe, record and divulge mobile user PIN details (including mobile banking PINs).
That it has the potential to intercept, manipulate and/or destroy Unstructured Supplementary Service Data (USSD) communications.
That it has the potential to cause denial of service to existing SIMs by intercepting, manipulating and/or destroying SIM toolkit instructions.
That it has the potential to carry out actions without the explicit permission or knowledge of the mobile user, for example to monitor calls and SMS.
That it has the potential to obtain unauthorised access to the SIM card and change configuration settings, thus impacting the customer experience adversely.
We are further encouraged by the CA’s commitment that, in the event that any of the above vulnerabilities are discovered during the one-year testing period, it will take steps to suspend the use of the SIM overlay in the Kenyan market pending the final recommendations from the security consultants.
In the interim, Safaricom will review some of its legal commitments to its customers and banking partners with a view to addressing the legal exposures that could be created by the use of the SIM overlay technology, particularly in relation to mobile banking activities.
We would want to assure our customers and partners that if any adverse impact on the integrity of customer information is detected on account of the use of the overlay SIM technology, Safaricom will use all prudent and practical means to protect the confidentiality of its customers’ information and the sanctity of the financial transactions provided through its network.