Pakistani Operators Start Using Multi-Finger Biometric Verification When Issuing SIMs

Pakistani telecom operators have started issuing SIMs through an enhanced version of the Biometric Verification System (BVS) called Multi Finger Biometric Verification System (MBVS), the Pakistan Telecommunications Authority announced.

The new system requires impressions of multiple fingers for authentication while issuing new or duplicate SIMs. Moreover, the control for choice of fingers for verification purposes has been shifted from the seller representative to the system, which asks for two different finger impressions at random.

The new system, which aims to make the illegal use of fake fingerprints impossible, is designed to combat fake SIM issuance and ID fraud and to protect privacy in Pakistan.

Tarifica’s Take

Improving data security is an ever-increasing business necessity for telcos. The smartphone is the gateway to a digital ecosystem which houses all sorts of personal, healthcare and financial information. This valuable trove of data has incentivized criminals to constantly develop new hacking methods and search out weak targets.

Along with two-factor authentication, biometrics have long been one of the primary measures for mobile device security. With this latest initiative, Pakistani operators are addressing one of the greatest vulnerabilities of the system. If a scammer had access to a single fingerprint of an individual (likely from a hack of another source that stored these records as part of its security), they could use it to steal or swap the individual’s mobile number, and then use that number to bypass the two-factor authentication required for logging in to banking and social media apps. Requiring two randomly selected fingers to register all new and duplicate SIMs reduces this risk substantially, since it would essentially require the hacker to have all ten fingerprints for the individual (instead of just one).
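The reasoning above can be made exact with a small model, added here as an illustration and not taken from the PTA or any operator's system. It assumes ten enrolled fingers, a challenge drawn uniformly from all distinct finger pairs, and a spoof that always succeeds for a finger the impostor holds; the function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations

FINGERS = range(10)  # assumption: all ten fingers are enrolled


def pass_probability(held, challenge_size=2, system_chooses=True):
    """Exact chance that an impostor holding spoofs of `held` fingers
    passes one verification attempt (modelling assumptions in lead-in)."""
    held = set(held)
    challenges = list(combinations(FINGERS, challenge_size))
    satisfiable = [c for c in challenges if held.issuperset(c)]
    if not system_chooses:
        # Seller-chosen fingers: a colluding or careless seller can pick
        # any challenge the impostor is able to satisfy.
        return Fraction(1 if satisfiable else 0)
    # System-chosen fingers: the impostor passes only if the random
    # challenge happens to fall entirely inside the stolen set.
    return Fraction(len(satisfiable), len(challenges))


def comparison_table():
    """Rows of (stolen prints, single seller-chosen finger, two system-chosen)."""
    rows = []
    for k in range(11):
        held = range(k)
        rows.append((k,
                     pass_probability(held, 1, system_chooses=False),
                     pass_probability(held, 2, system_chooses=True)))
    return rows


if __name__ == "__main__":
    print("stolen  single/seller  two/system")
    for k, old, new in comparison_table():
        print(f"{k:>6}  {str(old):>13}  {str(new):>10}")
```

Under these assumptions one stolen print never passes the two-finger random challenge, nine stolen prints still fail one attempt in five, and only all ten guarantee a pass.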

As with any additional security measure, there is always some risk that making the system increasingly onerous will lead users to set up shortcuts to avoid the security (e.g., setting one’s phone passcode to “000000”). The more steps required of the user, the more likely users will develop some work-around to make their lives easier, which ultimately has the effect of making the network less secure.

However, there doesn’t seem to be any meaningful risk of that for Pakistan’s MBVS strategy. Because it relies on the system itself to randomly select which fingers users must present for verification purposes, the system appears simple to use, yet difficult to bypass, making it a good option for use in other markets. In a time when announcements of major companies being hacked have become commonplace, this kind of computer-randomized approach could make operators’ networks less vulnerable without imposing undue burdens on their customers.