Ukraine wants to create a database of restored numbers to reduce SIM card fraud. However, NCEC considers this "inexpedient" for a number of reasons

According to the Cyber ​​Police, in 2024, the police received 1,022 applications and reports from citizens regarding the appropriation of a financial number with subsequent blocking and reissuance of a SIM card. As of May 1, 2025, there were already 276 such applications.

Bill

People’s Deputy of Ukraine Serhiy Magera from the Opposition Bloc party proposes to amend some laws of Ukraine regarding protection against
fraudulent actions involving the appropriation of a financial number.

The People’s Deputy explains the need for changes by the fact that today one of the common types of cybercrime and fraud is the appropriation of a financial number by third parties using the option of remote replacement of SIM cards.

Reissuing customer SIM cards combined with social engineering
(calls on behalf of the bank’s «security service» or «employees» of telecommunications companies), provides criminals with the opportunity to quickly conduct
transactions on client accounts, bypassing several layers of banking protection.

The Cyber ​​Police previously reported on this fraudulent SIM card reissuance scheme and explained how to protect yourself.

Draft Law No. 13176 provides for:

• creating a database of restored numbers;
• establishing the obligation of mobile operators to restore the provision of services in the event of reissuance of SIM cards after entering information about such numbers into the relevant database;
• identification of end users using high-trust electronic identification means after they lose their SIM cards;
• to provide that repeated identification and verification of the client (his representative) by the bank is mandatory in the event of reissuance (restoration) of the client’s contact telephone number.

Comments on the draft law from the National Commission for Economic and Monetary Affairs and the National Bank of Ukraine

The Department of Electronic Communications of the National Commission for the Protection of Consumer Rights and the Environment noted that SIM cards cannot be equated to a means of high-trust electronic identification for a number of reasons:

• This requires reliable identification of the person when issuing a SIM card (initial registration of the subscriber with the service provider), reliable storage of data on the correspondence of the individual to a specific SIM card, as well as a protected authentication mechanism using the SIM card (for example, Mobile ID, BankID, etc.);
• SIM cards are quite easy to copy or replace (due to
  procedure) and without the implementation of additional measures (e.g. tokenization, cryptography, biometrics), a simple SIM card no longer provides the appropriate level of security for high-trust identification. In this case, a SIM card is usually used without individual cryptographic protection;
• A phone number is also not a reliable tool for personal identification, as it is quite easy to intercept, steal, change, or fraudulently recover, and it does not provide legal proof of identity at the time of use.

Additionally, once a phone and SIM card are lost, mobile operators have no technical or legal means to automatically confirm that the individual was the owner of the number. Accordingly, anyone can try to gain control of the lost number by pretending to be its «owner.»

The NCEC also noted that due to the growing threat of hostile drones using the infrastructure of Ukrainian operators and anonymous SIM cards, the Council is already discussing issues related to the introduction of mandatory identification of all mobile subscribers (new and existing) and is working on relevant legislative amendments.

Although the NBU did not categorically oppose the bill, the institution believes that it needs to be revised. Among the comments is that the contact/financial phone number does not belong to the identification data of a person, and therefore the bank is not obliged to take measures to track the reissue (restoration) of such a phone number of the relevant person.

According to the NBU, the draft law also does not contain a complete legal mechanism, as it does not provide for a method for the bank to obtain information about the reissue (restoration) of the client’s contact/financial phone number.

Decision

Therefore, taking into account all the comments, the NCEC believes that the changes proposed by the draft law are inappropriate, and the adoption of the draft law is inexpedient.

Cyber ​​police have exposed three fraudsters from Kryvyi Rih who were reissuing SIM cards. They managed to defraud 50 people — the amount of losses could reach UAH 1,000,000

On the topic

Cyber ​​police have exposed three fraudsters from Kryvyi Rih who were reissuing SIM cards. They managed to defraud 50 people — the amount of losses could reach UAH 1,000,000

Cyber ​​police explained the dangers of remote SIM card recovery

On the topic

Cyber ​​police explained the dangers of remote SIM card recovery

Read the country’s main IT news in our Telegram

On the topic

Read the country’s main IT news in our Telegram