Biometric rules proposed to curb SIM card fraud and spam calls
VOV.VN - Vietnam’s Ministry of Science and Technology is seeking public feedback on a draft circular that would require continuous biometric verification of mobile subscribers, a move aimed at curbing SIM card fraud, spam calls and telecom-enabled cybercrime.
Despite repeated efforts by regulators and telecom operators to standardise subscriber information, spam SIM cards and fraudulent calls continue to affect millions of users daily. Experts say the root cause lies in gaps in the current verification framework, which relies largely on one-off authentication at the time of SIM activation.
One-time verification leaves critical loopholes
In recent years, unregistered or improperly registered SIM cards have been widely exploited for online fraud, identity theft and financial scams. Under existing regulations, biometric verification is typically conducted only once, when a SIM card is first activated. After that, the SIM can circulate freely in the market without any further checks on the actual user.
According to Vu Ngoc Son, Head of Research, Consulting and International Cooperation at the National Cybersecurity Association (NCA), the system lacks safeguards in high-risk scenarios.
“There is virtually no requirement for re-verification when users change their end devices, such as switching phones or tablets. This allows individuals to legally register SIM cards and then resell them to criminal groups,” Son says.
The absence of a uniform technical standard has also resulted in inconsistent verification quality across telecom operators, weakening the overall effectiveness of subscriber management.
Biometrics as a new technical barrier
The draft circular is expected to fundamentally reshape the regulatory approach. Its core provision requires facial biometric verification to be directly linked to Vietnam’s National Population Database and applied throughout the entire lifecycle of a mobile subscription, rather than only at activation.
Under the proposed rules, users would be required to re-authenticate their facial biometrics when making major changes, including switching devices. This mechanism is designed to prevent the resale of pre-activated SIM cards and to block attempts to hijack SIMs in order to intercept banking one-time passwords (OTPs) or carry out online scams.
Notably, the draft introduces stringent requirements for Presentation Attack Detection (PAD) technology, which is used to identify spoofing attempts involving deepfakes, photos or 3D masks.
“PAD standards will serve as a critical shield against increasingly sophisticated attacks. Low tolerance for false acceptance and high accuracy thresholds ensure that biometric data truly represents the real person behind each subscription,” Son explains.
By applying a control model similar to that used in the banking sector, regulators hope to eliminate “ghost accounts,” disrupt fraud supply chains and significantly reduce telecom-based cybercrime.
Security and implementation challenges for telecom operators
However, rolling out lifecycle biometric verification nationwide also presents major technological and cybersecurity challenges for telecom companies. As biometric data becomes a key to service access, telecom databases will become high-value targets for cyberattacks.
Experts recommend that operators invest in multi-layer security architectures, including strong encryption, strict access controls and continuous monitoring. Biometric data should be stored as encrypted, non-reversible templates, rather than raw images, to minimise breach risks.
User experience is another concern. Verification systems must perform reliably across diverse real-world conditions, such as varying lighting or camera quality, while avoiding false rejections that could inconvenience legitimate users.
Cybersecurity specialists caution that as SIM card fraud becomes harder, criminals may shift their operations to over-the-top (OTT) platforms and social media. As a result, technical safeguards alone will not be sufficient.
“Regulatory tightening must go hand in hand with user awareness,” Son says. “Only by combining robust technology with public vigilance can the digital ecosystem be secured in a sustainable way.”