
StarHub's Giga under investigation by IMDA for e-SIM security lapse


SINGAPORE — Telco StarHub is being investigated by the sector's regulator for failing to verify the identity of users requesting to port their Giga e-SIMs to another phone.

The Straits Times understands that for one customer, the lack of verification resulted in hackers taking control of the phone line and gaining access to information including banking SMS OTPs (one-time passwords).

Giga is the no-frills sub-brand of StarHub.

When contacted, the regulator, the Infocomm Media Development Authority (IMDA), said: "StarHub failed to fully implement this measure for the re-issuance of eSIM to customers through its app. IMDA is investigating."

The IMDA spokeswoman added: "For (the) issuance or re-issuance of SIM cards, mobile operators must have robust registration procedures in place for both SIM and eSIM."

Telcos are required to verify users' identities — by using Singpass or photo identification cards such as NRICs or work passes — when issuing physical SIM cards or e-SIMs, said the IMDA spokeswoman. 

Verification also applies to the porting of e-SIMs to another device.

Experts said that without such verification, an e-SIM can be easily hijacked when a hacker gets hold of a victim's personal details, either via phishing or from leaked corporate databases.

e-SIMs, an alternative to physical SIM cards, are software tokens remotely loaded onto devices by telcos. e-SIMs are gaining popularity as they are convenient.

When switching plans or telcos, users need not deal with physical SIM cards which they must get from telco stores or via couriers.

In January 2023, an impersonator managed to take over a Circles.Life customer's mobile line after speaking to a service agent on the digital telco provider's live chat service.

Soon after, the scammer took over the victim's WhatsApp account and multiple e-wallets.

A Giga spokesman said: "Our customers' security and privacy are top priorities for us and we are committed to safeguarding them. Giga actively engages IMDA and is working closely with IMDA on this matter."

The IMDA spokeswoman said: "An eSIM works the same way as a normal physical SIM card, but with the convenience for users to switch to new mobile plans or to a new operator without having to visit a store or change out the SIM card.

"For telco apps like Giga, it is industry best practice for mobile operators to put in place two-factor authentication (2FA) when subscribers access their accounts via these channels. StarHub has since implemented 2FA on the Giga app."

She added: "Consumers should also play their part in securing their online accounts and personal information by adopting good cyber hygiene practices, such as not using the same password across different accounts."


This article was first published in The Straits Times. Permission required for reproduction.
