Our SIM card poses no risk, insists Finserve

Telecom firm Finserve, a subsidiary of Equity Bank, has refuted claims that its SIM card technology will  pose a risk to the privacy of mobile subscribers.

Two weeks ago, Safaricom wrote to the Communications Authority of Kenya, asking it to prohibit Finserve from using thin SIM technology once it launches its mobile cash services later this month.

Last week, Finserve responded by writing to the regulator saying Safaricom’s allegations were “little more than attempts to quash competition”.

“We urge the regulator to disregard such allegations as being purely alarmist and speculative,” said Finserve executive director, Mr John Waweru.

BOTH NETWORKS

The device in contention in an ultra-slim SIM card that is overlaid on an existing SIM card. Once in use, the thin SIM essentially converts any handset into a dual-SIM phone. Users can then access services on both networks.

Finserve says that the thin SIM, which will be supplied by Taiwanese company, Taisys, meets international standards set by the European Telecommunication Standards Institute and the 3rd Generation Partnership Project.

Further, the company says the thin SIM will operate independently and will not interfere with the primary SIM. The thin SIM, Finserve says, does not have the processing power to intercept or modify communication in the primary SIM card.

“The thin SIM is not intended to purposely or maliciously attack, crack, hack, intercept, or distort information and transmission between the thin SIM and the primary SIM,” said Mr Waweru.

LIES WITH SAFARICOM

Finserve also refuted concerns that the thin SIM could expose the M-Pesa system to vulnerabilities, saying that the task of ensuring the security of the mobile money system is a responsibility that “firmly lies with Safaricom”.

Mr Waweru said Airtel, the firm on whose infrastructure Finserve will roll out telecom services, has “rigorously tested” the thin SIM and has ascertained that it does not interfere with the primary SIM.

Safaricom has also carried out tests of its own. The firm’s principal shareholder and M-Pesa intellectual property holder, Vodafone, commissioned security firm, Recurity Labs, to assess the threat posed to its systems by usage of thin SIMs.

TAMPERED WITH

Using products offered by Bibitel as a sample, Recurity came to the conclusion that the technology poses “serious threats” to the M-Pesa and mobile wallet systems.

Bibitel is a thin SIM product by Digitech Communications that provides reduced roaming rates to travellers.

According to a report seen by Smart Company, Recurity found that messages sent from the primary SIM’s toolkit to Vodafone’s backend could be tampered with.

Further, the company says the thin SIM can “eavesdrop” on PINs used by phone subscribers on the primary network.

“The thin SIM product may allow a bypass of any protection mechanism currently in place. Therefore, at least the products related to M-Pesa and mobile wallet are at risk,” writes Recurity.

It is on the basis of this research that Safaricom wrote to the CCK, asking for Finserve to be banned from using the technology pending a study on the risk posed by the thin SIM.

THIN SIM TECHNOLOGY

Last week, the authority said it would consult SIM card manufacturers and look into industry best practices before ruling on the matter.

Taisys, the firm that will provide the thin SIMs, has deployed similar technology across the globe, including the UK, the US, China, Singapore, Denmark, and Malaysia.

The company is also a shareholder in F-Road, a firm that provides financial services to rural China using thin SIM technology.

The International Finance Corporation in 2012 invested in F-Road. Some of Taisys’s partner companies are mobile virtual network operators (MVNOs) providing cheap roaming services to travellers.

Finserve partly fits this mould. The company was granted an MVNO licence earlier this year alongside Mobile Pay Ltd and Zioncell.