A subscriber can choose to turn Number Locking on their telephone numbers. Number locking is intended to reduce the chance of a bad actor from getting your telephone number transferred to their own device. Number Locking is more risky than in other countries. This is because every active device must have a person tied to it. In addition, the telephone number is based off of the NIN. Therefore, if my NIN was 52022554377, then all of my telephone numbers will begin with 87222554377. This means if Joe’s NIN is 52045859862, then why would he have 520225543773? This will automatically raise a red flag, and might prompt Ka-Tel to call the consumer on another one of their lines to inquire why Joe would need one of your telephone numbers. If you never authorized that transfer, then Joe likely committed a crime, and can be prosecuted.
Unlocking a locked number will not take place internationally. I am a US citizen, and I can only initiate a number unlock if I am doing it within Kaldus, or the United States. If someone is trying to unlock my number while in Ghana, this will fail automatically. This is again to reduce the chance of fraudulent use of the number. In addition, Ka-Tel will build a database of VPN IP addresses. This will reduce the chance that a bad actor can use a VPN to fake their location.
To do a number lock in the first place, one must have 2FA turned on. This will use an authenticator app, and be required for turning off Number Lock without going into a store. Anyone using a KCI telephone/PDA will have K-Wallet which is also an authenticator tool. There are other authenticator tools that can be used. Setting up the code to work with your device will require scanning a QR code from the authenticator app. With K-Circle, all KCI devices associated with a particular person will have all of their 2FA codes on all devices with K-Wallet. This will obviously mean that the device owner locks their devices so a bad actor can not get into the device.
Unlocking your number is simple when you wish to unlock your cellular number and you go into the store. This is because you would be bringing your ID card with you, and the representative will be able to compare your ID card with the ID Network System. Assuming both are a positive match, the representative will be able to unlock your number so you can transfer it to another device. This seems simple enough, but again – you are able to prove you are who you say you are. You can not unlock your phone number by calling customer service. They will inform you to either go into a store, or go online to unlock your number. Telephone customer service will not unlock your number.
Unlocking Online
As mentioned, 2FA must be turned on when locking your number. This will mean that you would need 2FA to unlock your number. This will stop the bad actor immediately. However, the friction is designed to assume some unrealistic possibilities. This system will assume that a bad actor has a device with your 2FA authenticator added. If the bad actor does not have such a device, they will not be able to log in.
The first thing the bad actor must do is log into your account. This will mean that the bad actor must have your credentials. Assuming they can somehow bypass your 2FA lock, you would receive a RCS message stating that a new device logged into your account. If this was not you, to call customer service at 611. Since a VPN is not allowed to be used when logging into Ka-Tel’s website, the IP address will be known and make it easier to catch the bad actor. However, let’s assume that you do nothing.
The bad actor must go to your phone numbers, and choose which number they wish to unlock. When this happens, you would be required to provide a 2FA code. Again, let’s assume that the bad actor can bypass this somehow. The bad actor will unlock the number. In order for this to happen, you would receive an RCS message stating that there was a request to unlock your particular number. You must reply with ALLOW in order to unlock the number. This request will be valid for 30 minutes, and if you do nothing, the bad actor must wait until tomorrow before they can set a number unlock request again. This is a second warning that something is going wrong, and again – you must type ALLOW to allow the number to be unlocked. You would also receive an email stating that your number has been unlocked. If you didn’t do this, you must contact customer service by dialing 611 from your phone.
Now, the bad actor must change the IMEI or MAC address to the one they wish to use. As with unlocking the number, you would receive an RCS message that there was a request that you wish to change your address/IMEI. They must type ALLOW to allow the transfer. If you do nothing for 30 minutes, the authorization request will expire, and the bad actor has to wait until tomorrow to make another attempt. Assuming you typed ALLOW a second time, the number will transfer within 1 hour.
The only way I could see this working is if the bad actor actually had the phone number in question, and that phone didn’t have any security turned on. This is obviously poor security practices, and will allow the bad actor to do what he wishes to with regards to your number. If you have security on your phone, this will make it much harder for the bad actor to gain control of your phone number even if they stole your device. Keep in mind that there will be some paper trail that can lead to the bad actor when an investigation is done. K-Wallet will have a feature to require biometric to log in. This will again caused friction for the bad actor, and the actor must be really intent on your credentials.