11 November 2024
When we uncovered fraudulent applications for the SASSA SRD grant, we realised that creating an application was only one piece of the puzzle. The fraudsters needed phone numbers to apply and to receive a One Time Password (OTP), but how were they getting these phone numbers?
We started asking questions, and we then found a relatively new network carrier - me&you mobile - whose processes can be abused in order to obtain a phone number in two minutes without being properly RICA’d.
me&you mobile launched in South Africa as a mobile virtual network operator (MVNO) in May 2015. Their eSIM offering launched in late 2023.
Most cell phones still use a SIM card, but increasingly, phones are offering an electronic SIM or eSIM, which is much more convenient. In theory, one can have an almost unlimited number of eSIMs on a single phone, while there are usually only slots for one or two physical SIM cards.
The Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002, better known as RICA, started coming into effect in 2005. By July 2009 all cell phone users had to register personal details with their networks for every SIM card they used.
The Act states that any customer who receives a SIM-card must provide the relevant electronic communication service provider with their full name, identity number, and proof of address.
The purpose of this part of RICA is to prevent illegal activity with mobile phones, such as making a fraudulent application for a social grant. By having the details on record of all SIM card users, illegal activity using a cell phone can be traced back to a particular person. Law enforcement can also obtain a warrant to monitor communications from a particular mobile phone.
There is international pressure for countries to implement laws like RICA to meet anti-money laundering requirements. There are also important criticisms of RICA. Intel Watch argues that in its current form the law’s “lack of safeguards and outdated approach have enabled surveillance abuses, undermined public oversight, and failed to protect constitutional rights”. But Intel Watch calls for more safeguards, not for the law to be thrown out.
Traditionally, getting a phone number without going through RICA means going to a dodgy cell phone store and purchasing a fake-RICA’d physical SIM card. Alternatively, you would have to know an insider at a network carrier who would be able to get you a SIM card registered to someone else. But thanks to me&you mobile, you can get a free fake-RICA’d eSIM from the comfort of your home.
The company’s website fails to verify your first name, last name, address, or ID number. You can upload irrelevant documents as your proof of address and ID; we uploaded a mathematics assignment for the address, and a picture of the company’s logo for the ID. No problem; we activated a free eSIM immediately.
The entire process is astonishingly easy, and you are able to generate as many phone numbers as you want using any ID number, with any name, surname, address, and documentation, all for free. We recorded the entire process on video.
We reported this issue to me&you mobile via their website contact form, which is the only contact mechanism the company offers. We received no reply. We subsequently sent them questions for this article but received no response. We emphasise that we have used these eSIMs solely for the purpose of exposing the problem described in this article.
We also notified the Department of Communications & Digital Technologies (DCDT) in mid-October. Many of the phone numbers on their website went unanswered but eventually we got through to the Minister’s Office and were given an email address to report the problem. We did this, but other than confirmation of receipt there has been no response. Questions sent for this article also went unanswered.
A company search shows that the directors of me&you mobile are Sean and Donovan Bergsma, two brothers who between them are the directors of several dozen companies, including the online classified ads platform Gumtree.
A GroundUp journalist contacted Donovan by phone. He was evasive when we asked him to explain the RICA verification process for me&you mobile, but he did get an official to call the journalist back. The journalist explained that we obtained an eSIM by typing nonsense in the application fields and uploading irrelevant documents. The official told the journalist that applications are manually checked within 24 hours and if the information doesn’t stand up to scrutiny, the number is deactivated.
There are three problems with this. First, this is not what the law demands; RICA has to be properly carried out in order to get a SIM card.
Second, 24 hours is more than enough time to carry out fraud with a cell number. For example, someone wishing to make multiple fraudulent SRD grant applications could obtain a number of eSIMs from me&you mobile within a short period of time and use these to make fraudulent applications.
Third, in our experience it’s simply not true that the numbers are being deactivated within 24 hours. On 8 November we checked two eSIMs that had been activated using nonsense RICA information on 15 and 28 October. Both were still active.
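One way a registration back end could close the gaps described above (no check on the ID number, activation before the documents are reviewed, and unverified numbers staying live past the review window), as an added example that is not me&you mobile's code. The function names, the per-ID cap and the sample records are assumptions, and a structural ID check does not replace verifying the uploaded documents.

```python
from datetime import datetime, timedelta

REVIEW_WINDOW = timedelta(hours=24)  # the manual-check window quoted in the article
MAX_SIMS_PER_ID = 2                  # assumed policy cap, not a figure from RICA

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; the 13th digit of a South African ID number is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def id_number_errors(id_number: str) -> list[str]:
    """Structural checks only; passing them does not prove who the applicant is."""
    if len(id_number) != 13 or not (id_number.isascii() and id_number.isdigit()):
        return ["must be exactly 13 digits"]
    errors = []
    try:
        datetime.strptime(id_number[:6], "%y%m%d")  # YYMMDD date of birth
    except ValueError:
        errors.append("first six digits are not a valid date")
    if not luhn_ok(id_number):
        errors.append("checksum digit does not match")
    return errors

def activation_decision(id_number: str, docs_verified: bool, sims_for_id: int) -> str:
    """Return 'reject', 'pending' or 'activate' for one eSIM request."""
    if id_number_errors(id_number) or sims_for_id >= MAX_SIMS_PER_ID:
        return "reject"
    # Activate only after the ID and proof of address have been verified.
    return "activate" if docs_verified else "pending"

def overdue_unverified(sims: list[dict], now: datetime) -> list[str]:
    """Audit query: SIMs still active past the review window without verification."""
    return [s["sim"] for s in sims
            if s["active"] and not s["verified"] and now - s["activated"] > REVIEW_WINDOW]

# Constructed sample records and a constructed ID value that passes the checksum.
SAMPLE_ID = "8001015009087"
NOW = datetime(2024, 11, 8, 12, 0)
SAMPLE_SIMS = [
    {"sim": "SIM-A", "activated": datetime(2024, 10, 15, 9, 0), "active": True, "verified": False},
    {"sim": "SIM-B", "activated": datetime(2024, 11, 8, 9, 0), "active": True, "verified": False},
    {"sim": "SIM-C", "activated": datetime(2024, 10, 1, 9, 0), "active": True, "verified": True},
]
```
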