South Korea is introducing a mandatory biometric identity check for new SIM card registrations, requiring subscribers to verify their identity via facial recognition. The measure is designed to disrupt large‑scale voice phishing schemes and the use of stolen personal data, which have become a persistent cybersecurity and financial crime problem in the country.
Biometric SIM registration: how the new South Korean model works
Until now, purchasing a SIM card in South Korea generally required only a valid identity document. Criminals systematically exploited this process by using stolen or forged IDs to register new numbers, which were then used for fraud, money mule operations, and anonymized communications.
Under the new framework announced by the Ministry of Science and ICT, SIM activation will be tightly integrated with the mobile application PASS, already operated by the three major telecom providers: SK Telecom, LG Uplus, and Korea Telecom (KT). PASS functions as a digital identity wallet holding verified customer data.
PASS app as the core of biometric KYC for SIM cards
When a customer requests a new number, they will be required to perform a facial scan in the PASS app. The system compares the live facial image with the biometric template and identity data linked to the user’s existing PASS profile. Only if this match is successful will the SIM card be activated on the network.
This effectively adds a biometric factor on top of traditional ID document checks. The goal is to make it significantly harder to activate SIMs using compromised personal information and to reduce the availability of so‑called “grey” or anonymous SIM cards that are attractive to criminal groups.
Voice phishing, SIM fraud and massive data breaches as key drivers
The reform directly targets the country’s long‑standing problem with voice phishing (vishing) and telephone‑based social engineering. Fraudsters have historically relied on large volumes of SIM cards registered to unsuspecting victims, using them to:
— conduct social engineering attacks and impersonation calls;
— open financial products and microloans in someone else’s name;
— hide their real identity and hinder law‑enforcement investigations.
According to government data, in 2024 around 92% of fraudulent or fake numbers were issued via mobile virtual network operators (MVNOs), which typically have less stringent customer onboarding and Know Your Customer (KYC) practices than major carriers. This highlighted inconsistent identity verification requirements across the telecom market.
The biometric initiative also follows a series of large‑scale data breaches. In 2025 alone, South Korea recorded two incidents affecting an estimated 52 million residents, more than half the population. Online retail giant Coupang exposed data on over 30 million users, an incident that ultimately cost the CEO his position.
In a separate incident, telecom leader SK Telecom suffered a breach impacting approximately 23 million subscribers. Investigators found serious information security failures, including critical credentials stored in plain text and an internet‑exposed server without adequate protection. Regulators imposed a US$100 million fine, and the operator was ordered to compensate each affected user with 100,000 won (about US$67) in a mix of account credits and loyalty points.
The combination of widely available stolen personal data and weak SIM registration controls created a fertile environment for fraud, prompting the government to harden identity verification with biometrics.
Security benefits and privacy risks of facial recognition for SIM cards
From a cybersecurity perspective, biometric SIM registration offers several advantages for fraud prevention and digital forensics:
— reduces mass registration of numbers using stolen identities;
— makes it harder for criminals to remain anonymous on telecom networks;
— improves attribution of a phone number to a specific, verified individual;
— supports more effective investigation of phone‑enabled cybercrime.
However, biometric data is among the most sensitive categories of personal information. Unlike passwords or card numbers, a person’s face cannot simply be “changed” after a breach. This raises strict security and privacy requirements for telecom operators and identity providers.
To mitigate risks, providers must ensure at minimum:
— storage of biometric templates in strongly encrypted form, preferably as non‑reversible templates rather than raw images;
— strict access control, logging, and regular security audits;
— robust liveness detection to resist spoofing with photos, videos or deepfake content;
— use of biometrics as part of multi‑factor authentication, not as a sole control.
Without such safeguards, a breach of biometric databases could create long‑term, systemic risks, undermining the very trust the initiative aims to build.
Implications for MVNOs and the future of telecom regulation
The statistic that roughly 92% of fake numbers in 2024 were issued through MVNOs makes it likely that the next regulatory step will be to extend biometric verification requirements to virtual operators. Harmonized KYC standards across all providers would close a critical loophole exploited by fraudsters.
For telecom companies, this shift implies substantial investment in secure biometric infrastructure, upgrades to identity management systems, and regular third‑party security assessments and certifications. Non‑compliance will increasingly translate into regulatory penalties, reputational damage, and direct compensation costs after breaches.
For individuals and businesses, the South Korean case illustrates a broader global trend toward biometric, high‑assurance identity verification in telecom and financial services. To benefit from stronger protections while minimizing new risks, users should carefully manage permissions for identity apps, stay alert to suspicious calls and messages, enable multi‑factor authentication wherever possible, and monitor how their data is collected and stored.
