UK-based GSMA has waded into the embedded SIM card row between mobile network operator Safaricom and Equity Bank, which wants to roll out mobile banking and money transfer services in Kenya.
The Business Daily reports that the GSMA wrote to the Communications Authority of Kenya warning that embedding the SIM card between a normal SIM card and the device could potentially allow for the harvesting and revealing of sensitive data passing through the system.
The association added that the thin SIM is capable of bypassing any security technologies, such as cryptographic keys, to record sensitive data and make it available to third parties.
“The overlay SIM has the potential to facilitate a man-in-the-middle attack by observing, collecting and revealing sensitive data such as PINs, ciphering and integrity keys,” the GSMA says in the advisory note to the Communications Authority of Kenya (CA).
Another danger is unauthorised access to the primary SIM card, change of configuration settings and execution of actions without the explicit permission or knowledge of the mobile user.
The association now recommends that the CA should use the services of an independent consultant to establish that any planned deployment of the thin SIM technology is free from the above risks before authorising its use.
The GSMA is among the mobile telecoms authorities from whom the CA had sought expert opinion as it prepares to make a decision on Safaricom’s petition challenging Equity Bank’s use of ultra-thin SIM cards to roll out the mobile banking services through its subsidiary Finserve.
Last week the two parties were called into a meeting over the same matter, but Francis Wangusi, the CA director-general, is yet to rule on it or reply to the GSMA, saying that doing so will be preemptive.