me&you mobile removes eSIMs from its website

But action from government is needed too

By Joel Cedras and Veer Gosai

5 December 2024

me&you mobile allowed one to activate eSIMs without proper validation. But the company has now withdrawn its eSIM offering. Altered me&you mobile logo by Veer Gosai

Last month we showed how easy it is to fraudulently use eSIMs on me&you mobile’s website. You could activate as many free eSIMs as you wished, uploading garbage information for your name, ID and address.

This is a violation of the Regulation of Interception of Communications and Provision of Communication Related Information Act (known as RICA). It also facilitates fraud, for example the use of untraceable cellphone numbers when fraudulently applying for the SRD social grant.

We’re pleased to see that following our article, the company has removed eSIM offerings from its website. The website contains no mention of eSIMs whatsoever, and it seems impossible to register one through the operator.

eSIMs are likely to take over from traditional physical SIM cards as a more convenient way to connect one’s phone. But RICA needs to be applied properly to prevent fraud.

After we exposed the problem, me&you contacted one of us to ask us to “manually verify” ourselves within 48 hours, or else they would deactivate our eSIM. This was weeks after we had originally “RICA’d” the eSIM. This is not adherence to the law, which requires proper RICA verification before a SIM is activated. It seems unlikely that this verification process would have happened without us going public with the problem. If an eSIM is unverified for weeks, or even a few hours, fraud can be committed.

What the law says

RICA started coming into effect in 2005. The law states that before providing a person with a SIM-card, a network carrier must obtain the person’s name, identity number, and address — and verify it.

If a network carrier fails to do this, our understanding is that the Independent Communications Authority of SA (ICASA) is supposed to impose a fine, up to R5-million. To our knowledge, this was not imposed on me&you mobile.

Passing the buck

We contacted me&you mobile, ICASA and the Department of Communications and Digital Technologies (DCDT) before exposing the problem. In fact one of us contacted ICASA three times. The first time they advised us to call the Public Service Commission. The second time they advised us to phone the national anti-corruption hotline. The third time they asked us to contact the DCDT. The Public Service Commission directed us to the anti-corruption hotline, which told us they don’t deal with these matters.

DCDT finally responded to our questions, after deadline, this week: “Yes, the department has been aware of this issue of eSIM registration. During
our regular … engagement with the [Department of Justice], this matter was brought to our attention. The information was not for the department to take
any action, it was just to inform us. The department is not responsible for the
RICA, [the justice department] is.”

We then emailed questions to the justice department but received no response.

Why is it so difficult to report a company that breaks the law? Why is there no enforcement? What is the point of having RICA if it isn’t enforced?

Grey list

In February 2023 South Africa was placed on the Financial Action Task Force grey list. Tebogo Khaas, chairperson of Public Interest South Africa, wrote on Daily Maverick:

“The effect of this decision was to make it more complex to conduct business in South Africa at a time when energy, logistics and service delivery challenges have already severely undermined the attractiveness of the country as a place to do business.”

Khaas explained: “Today, mobile phones are widely used to affect financial transactions. As such, no regulatory system can effectively combat money laundering, terrorism financing, SIM swap fraud, identity theft, phishing, and other such financial crimes without effective regulation over mobile phone transactions.

“To this end, the alignment of RICA with other related legislation aimed at securing the financial system would go a long way towards helping South Africa reverse its greylisting, boosting business and investor confidence in the country.”

Criticising the way RICA has been enacted, he wrote that law enforcement cannot trace SIM cards to criminals. Moreover, he explained, “SIM cards will implicate innocent, law-abiding citizens in crimes with which they are not associated, and compromise consumers’ identities to perpetrate fraud or engage in illegal activity.”

If the government is serious about reducing financial crime, it should implement RICA properly. At present there’s not much evidence that it cares.