Fraud results in billions of dollars of losses globally, and telco fraud is prevalent.
In Namibia, for example, the advent of mobile wallets has resulted in Namibians being scammed out of their hard-earned money.
This is done through social engineering, identity theft and SIM swapping, a technique whereby fraudsters take control of your phone number.
I believe it is a great move by MTC to combat this through capturing biometric data as part of its SIM registration process.
I call this two-factor SIM registration – combining identity documents (something you have) and biometric data capturing (something you are).
Potential benefits far outweigh the cons in the Namibian context.
Many of us have scores of copies of our identity documents and qualifications all over the place and we don’t know how that data is processed, stored and destroyed.
That is a bigger privacy concern than a telco that ties biometric data to mobile numbers which only serves to protect us.
Also, amid all the socio-economic issues Namibia faces, I doubt MTC has the propensity and will to invest in recording and storing contents of messages and phone calls.
It is expensive and there is simply no business value.
A worst-case scenario here is that MTC will know (without first investigating to find out who the subscriber is) that Selma is called Nangula.
As an information security professional, I understand the public outcry, because this data can be abused if not governed properly.
However, it is important for Namibians to understand that MTC cannot be blamed for the lack of data protection regulations in Namibia.
MTC is therefore free to innovate.
As the leading mobile services provider in Namibia, digital trust should be at the top of the agenda for those charged with governance at MTC.
Below are my suggestions of measures MTC should consider putting in place to take its customers and stakeholders into confidence and lay this matter to rest once and for all.
No government agency should have a back door and unfettered access to the Verifi solution’s database.
Any information disclosure requests from the security apparatus and national intelligence should be processed on receipt of a valid and legal warrant.
Access to the database should be restricted and management should design and implement adequate controls around access provisioning, authentication, access deprovisioning, segregation of duties, and access recertification.
In addition, a team independent of those administering the database should forward database logs to a security information and event management (SIEM) solution.
The SIEM should be configured to alert on login activities and data manipulation/definition/control language (DML/DDL/DCL) queries executed on the database. These activities should be periodically reviewed and exceptions should be investigated.
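The SIEM alerting suggested above, sketched as an added example that is not from the article or from MTC: it parses database audit lines, flags login events and classifies each query as DML, DDL or DCL. The key=value log format, the field names and the account and table names are assumptions made for illustration.

```python
import re
import shlex

# Statement classes named in the article; SELECT is counted as DML here
# (some taxonomies call it DQL).
CLASSES = {
    "DML": {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"},
    "DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"},
    "DCL": {"GRANT", "REVOKE"},
}
COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)

def classify_sql(sql):
    """Return DML/DDL/DCL for a statement, or OTHER if unrecognised."""
    # Strip comments first so '/* x */ DROP ...' is not missed.
    words = COMMENT.sub(" ", sql).split()
    verb = words[0].upper() if words else ""
    for cls, verbs in CLASSES.items():
        if verb in verbs:
            return cls
    return "OTHER"

def parse_line(line):
    """Parse 'timestamp key=value ...' (constructed format) into a dict."""
    ts, *pairs = shlex.split(line)
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def alerts(lines):
    """Return (timestamp, user, alert) for logins and classified queries."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec["event"].startswith("LOGIN"):
            out.append((rec["ts"], rec["user"], rec["event"]))
        elif rec["event"] == "QUERY":
            out.append((rec["ts"], rec["user"], classify_sql(rec["sql"])))
    return out

# Constructed sample audit lines, not real Verifi or MTC logs.
SAMPLE = [
    '2024-03-01T02:14:07Z user=dba1 event=LOGIN_FAILED src=10.0.0.5',
    '2024-03-01T02:14:31Z user=dba1 event=LOGIN_OK src=10.0.0.5',
    '2024-03-01T02:15:02Z user=dba1 event=QUERY sql="GRANT SELECT ON subscribers TO app_ro"',
    '2024-03-01T02:16:40Z user=dba1 event=QUERY sql="/* tidy */ DROP TABLE audit_trail"',
    '2024-03-01T02:17:09Z user=app_ro event=QUERY sql="select msisdn from subscribers"',
]
if __name__ == "__main__":
    print(*alerts(SAMPLE), sep="\n")
```

Statements that come back as OTHER (for example ones starting with a keyword not in the table) are worth routing to the periodic review rather than dropping.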
Data at rest should be anonymised as much as possible and should be encrypted. This ensures it cannot be tied to an individual should that database be compromised.
MTC should consider issuing a third party assurance report over the Verifi solution.
Deloitte defines third party assurance as “providing assurance over the design and/or operating effectiveness of a service organisation’s internal controls to achieve common business objectives of interest to customers/users of the services”.
An independent auditor should be appointed to express an opinion on the effectiveness of controls around Verifi.
The International Standard on Assurance Engagements 3402 (ISAE 3402) is a standard that can be utilised for this.
I believe this will create confidence among MTC’s stakeholders.
To further build trust, MTC should consider including a digital trust disclosure/statement in its annual report or issue a separate digital trust report.
McKinsey defines digital trust as “confidence in an organisation to protect consumer data, enact effective cybersecurity, offer trustworthy AI-powered products and services, and provide transparency around AI and data usage”.
All claims made in such a disclosure/statement/report should be independently verified by MTC’s auditors.
MTC can’t be blamed for the lack of data protection laws and regulations in Namibia. The outcry is misdirected and hinders innovation.
Relevant authorities should see this as a wake-up call and enact relevant regulations to level the playing field.
I strongly believe Verifi is a great innovation for Namibia and should be utilised by government agencies and relevant parties for verification (are you who you say you are).
For example, in the Netherlands they have something called DigiD.
DigiD is used to verify users when they log in to government and other sensitive sites such as pension funds and healthcare.
As a nation, we should welcome innovations that secure our digital space.
- Job Angula is a proponent of digital transformation and an information security professional.