From Daily Maverick 9 Sep 2023: Vodacom recycles numbers after four months of inactivity, whereas Cell C, MTN and Telkom do so after three months. These operators argue that the practice is driven by the high demand for cellphone numbers from new customers.
The recycling process has unintended consequences for both the previous and new owners of the numbers. Unsolicited calls and messages intended for the former owner often flood the new user’s device, creating a frustrating experience.
Apart from the irritation factor of losing one's long-used number, and receiving birthday wishes and calls intended for someone else, there is a far more serious legal side to this: a user had to legally RICA this phone number to themselves, and anyone else who can now access that number can impersonate that person. It also means that any 2FA or banking confirmations will go to the new owner. Many banks insist on using mobile phones for 2FA as the SIM is RICA'd to the owner.
It is yet another very good reason why we should not use cellphone numbers for 2FA (or even e-mail addresses for login IDs). Neither of these two options is secure or permanent, and re-using an e-mail address for 500+ website logins is already doubling the risk of being hacked.
Until passkeys can be widely used, users should be able to choose their login ID and password, and secure that with a synchronised 2FA app (so that if the phone is lost, there is still access to the 2FA keys).
But apart from the legal side of this, there is also the ethics side of it. A customer has to go through some cost and effort to have their SIM RICA'd, yet the network provider can just arbitrarily reassign that same number without even informing the user. I'm imagining that the network provider does formally cancel that RICA status? In fact, it is very interesting that the RICA process allows a second user to now be associated with the same number.
Actually now I'm laughing, because a month or so back, it turned out that the whole RICA process has been a complete waste of time and money, as it is in a shambles (just search for ‘pre-Rica’d’ Sim). If a RICA process is not up-to-date and well managed, it is a complete waste of time. You either do it, or you don't do it. You can't have a 60% RICA service with any legal weight at all. Anyone know how the RICA cancellation process works in SA?
On the network operators' side, I realise they have a challenge if a SIM number is just not used at all for many months. This is obviously not a problem for contract subscribers, as they are paying. But the network providers need to come up with some way of managing that ethically and legally, and I guess that will somehow make pre-paid SIM services either more expensive or more inconvenient. But so far, just turning a blind eye and hoping for the best is now starting to bite.
It is high time anyway that we were no longer bound to e-mail addresses or mobile phone numbers. If my phone was lost or stolen, I should be able to just log in to my WhatsApp (if I still used it) or Telegram with any ID and password.