SIM card replication in Sri Lanka: Fact or fiction?

01 Oct 2023 | By Tanya Shan

The digital age has brought unparalleled connectivity and convenience, but it has also ushered in a new era of cyber threats and vulnerabilities. In Sri Lanka, persistent rumours of SIM card replication have caused serious concerns, leaving citizens in a state of anxiety and uncertainty. 

As these speculations continue to circulate, The Sunday Morning Business conducted a thorough investigation into the feasibility of such practices and sought to provide guidance on safeguarding one’s digital identity in an age of increasing cyber threats.

Speaking to The Sunday Morning Business, however, State Minister of Technology Kanaka Herath unequivocally dismissed the possibility of SIM card replication. He asserted that the current measures enforced by telecommunication companies required rigorous identity verification when issuing SIM cards. “Right now, when a telecommunication company issues a SIM, they get all the details of the customer. If you are going to buy a SIM card, you have to produce your identity card number or passport number for them to be able to verify it.”

Although The Sunday Morning Business also reached out to a few telecommunication company operators, none of them wished to be quoted on the matter. 


Unfounded and unlikely 

Telco insiders assert that rumours of SIM card replication are not only unfounded, but often perpetuated by sensationalist blogs and YouTube channels seeking views at the expense of factual accuracy. These experts maintain that the telecommunications infrastructure in Sri Lanka has evolved to incorporate robust security measures, making SIM card replication a highly unlikely occurrence.

Telcos employ unique serial numbers, known as Mobile Equipment (ME), to identify SIM cards. Each physical SIM card possesses its own serial number, referred to as Mobile Card (MC). This dual identification system creates significant obstacles for any attempt at SIM card replication.


Alternative theories 

However, it is worth exploring alternative theories. While replicating SIM cards may pose substantial challenges, there is a growing concern about social engineering tactics employed by cybercriminals. These tactics often involve deceiving individuals into disclosing their One-Time Passwords (OTPs) or installing third-party applications that clandestinely clone their messages. Such strategies bypass the need for SIM card replication, focusing instead on obtaining OTPs for illicit financial transactions.

In Western nations, the ease of acquiring disposable ‘burner’ SIM cards and the accessibility of SIM transfer services through call centres have exposed vulnerabilities. Conversely, Sri Lanka’s stringent telco guidelines mandate in-person SIM card requests, theoretically acting as a deterrent against cybercriminal exploitation.


Persistent complaints 

To gain deeper insights into the matter, The Sunday Morning Business reached out to Cyber Security Advisor Asela Waidyalankara, who has firsthand experience in cyber threats and digital security. 

Waidyalankara explained the presence of unique identifiers – the Mobile Equipment number and Mobile Card number – which are pivotal in distinguishing genuine SIM cards from counterfeit ones: “Just like your phone has a serial number, there is what is called the ME. Telcos have a way of identifying the physical SIM, called the MC.” 

Despite the presence of these identifiers, there have been persistent complaints, with individuals and organisations reporting cases of SIM replication. Waidyalankara shared his firsthand experience, stating: “I have received this complaint. I have people calling me and making this complaint, as well as certain organisations that have got in touch.”

He suggested that there was some form of social engineering being carried out, shedding light on a sophisticated web of tactics employed by cybercriminals. He explained: “People are actually disclosing their OTPs to a third party. The moment your OTP is disclosed per transaction, then your financial information is at risk.”

What becomes apparent is that the crux of this issue lies not merely in duplicating SIM cards but in manipulating individuals into revealing their OTPs. Waidyalankara stated: “I feel that something along these lines is happening, such as a person’s messages getting cloned through a third-party app, etc.” 

He offered a glimpse into the evolving strategies of cybercriminals, who might employ tactics such as impersonating influencers on social media platforms to extract OTPs from unsuspecting victims.


How cybercriminals operate in SL

However, Waidyalankara dispelled the notion of a straightforward SIM duplication process, emphasising that the matter was far more complex in Sri Lanka. He explained: “Unlike in Western countries where you can get burner SIMs, call the call centre, and do a SIM transfer, that is not allowed here.” 

This sheds light on the stringent regulations enforced by the Telecommunications Regulatory Commission of Sri Lanka (TRCSL), which mandate customers to physically request and collect their SIM cards.

How are cybercriminals circumventing these controls? This question looms large, hinting at the need for comprehensive cybersecurity measures and vigilant user behaviour. Waidyalankara explained: “First they capture the OTP. The moment they capture the OTP, the rest is then a matter of transferring money out of your account without your knowledge.”

For example, John, a diligent bank customer, receives a phone call from an individual posing as a bank representative. Armed with convincing social engineering tactics, the imposter convinces John that his bank account has been compromised and requests the OTP sent to his phone for verification. Concerned, John inadvertently divulges the OTP, unwittingly granting the scammer access to his account.

This alternative method could bypass the need for SIM card replication entirely. By manipulating individuals into revealing their OTPs, cybercriminals can sidestep the complexities of SIM cloning and gain direct access to financial accounts.


Importance of digital literacy and collective efforts 

While the mystery of SIM card replication looms, Waidyalankara shifted the spotlight to the pivotal role of digital literacy in safeguarding against such cybercrimes. He emphasised the significance of understanding Personally Identifiable Information (PII) and financial data when sharing them with third parties.

He raised a crucial concern about the indiscriminate sharing of mobile numbers and personal information on social media platforms, a practice that could inadvertently expose sensitive data. He advised individuals to remain attentive, drawing a parallel between physical security and digital vigilance.

“When individuals share personal information with third parties, they must exercise caution. Unfortunately, I’ve observed people casually sharing their mobile numbers on social media without much thought. A recent example that comes to mind is the sharing of A/Level results. Many students posted screenshots that inadvertently revealed their National Identity Card (NIC) numbers and addresses. This exposes one’s personal information on social media platforms where control over viewership is limited.”

Consider an example: Sarah, a university student excited about her A/Level results, eagerly shares her achievements on social media. She posts a screenshot that includes her exam results, full name, and even her NIC number. Unbeknownst to her, this seemingly innocent act exposes a treasure trove of Personally Identifiable Information to potential cybercriminals lurking online.

Waidyalankara underscored that the mere usage of social media platforms such as Facebook or WhatsApp did not equate to true digital literacy. Beyond these tools, he advocated for a profound awareness of one’s digital self, a concept that forms the next frontier in cybersecurity.

Emphasising the critical role of education in fostering digital awareness, he said: “This is not something that can be done within a day, but certainly there needs to be a concerted effort in schools.” 

He stressed that everyone, regardless of their profession, must actively participate in safeguarding their digital assets. For instance, journalists, who deal with sensitive information, bear a particular responsibility in this regard. 

Waidyalankara noted that collective efforts were essential to fortify digital defences. Governments, financial institutions, and telecommunications companies must actively engage in awareness campaigns, as it is a shared responsibility that transcends individual actions.

While the spectre of SIM card replication may remain unsubstantiated, the broader issue of cybersecurity looms large. In an era defined by ever-evolving digital threats, individuals must become vigilant guardians of their personal information. By fostering digital literacy and raising awareness, Sri Lanka can fortify its defences against the multifaceted spectre of cybercrime.

In an age where knowledge serves as the paramount armour against the shadows of cybercrime, the significance of cybersecurity education cannot be overstated. 


