The primary time he was SIM-swapped in 2018, Haseeb Awan took it on the chin and hoped it wouldn’t occur once more. Then got here the second incident. Then the third. Then the fourth. After the final swap, Awan stopped trusting his cellular supplier to maintain his account secure and took issues into his personal fingers: He began his personal cell service firm.
It was a serious pivot from his former day job working the BitAccess Bitcoin ATM community, an organization he co-founded and which, by the way, made him a first-rate goal for SIM-swapping.
His new enterprise, Efani, is devoted to stopping an issue that’s all-too-prevalent for cryptocurrency customers – an issue which most cellular carriers, as evidenced by Awan’s personal issues, have didn’t adequately tackle.
What’s SIM swapping?
Sim swapping is a socially engineered hack whereby an attacker ports a sufferer’s telephone quantity onto a SIM card they management. To hijack a cellular account, an attacker might impersonate a sufferer to persuade a customer support consultant to swap the quantity to the brand new SIM card. In additional elaborate instances, a SIM swap might happen as an inside job or by means of bribing a customer support rep.
These socially engineered assaults have turn out to be an all-too-common problem within the Bitcoin and cryptocurrency realm, significantly for its higher-profile personalities. Usually, SIM swappers will goal cryptocurrency customers with the hope of accessing their trade accounts by means of text-message, two-factor authentication.
Maybe essentially the most well-known instance of this assault vector comes from Michael Terpin, who misplaced some $24 million from a SIM swap, prompting a $220 lawsuit against AT&T. Loads of other cryptocurrency users have fallen prey to such assaults and subsequently had their trade accounts drained of funds. The 2020 Twitter hacker was even part of a syndicate that orchestrated SIM swaps.
Efani: A cybersecurity agency that gives telecom companies
Awan is on the lengthy roster of crypto SIM swap victims, which is why he based Efani in 2019.
The corporate operates a bit like a cellular digital community operator. It makes use of the community infrastructure of Verizon, AT&T and T-Cell to service its prospects. However it solely depends on this infrastructure to supply cell protection. Every little thing else for the $99/month plan, from information administration to customer support, is managed in home based on Efani’s personal practices.
“Our focus is cyber safety. Different firms are telecom suppliers which produce other firms present safety for them. We’re a cybersecurity agency that gives telecom companies.”
In line with Awan, most cellular suppliers solely require a telephone and account quantity to make modifications to an current plan. Additionally they give customers the choice to set a PIN, however even this layer of safety will be bypassed if the hacker is savvy sufficient. Harder to manage nonetheless are bribes and inside jobs.
11 layers of protection
Efani’s answer to this drawback? Making it so rattling troublesome to make modifications to an account that an assault is just about not possible.
“You can’t make a change on your account by calling customer support,” Awan advised CoinDesk. “Even should you name in, they aren’t licensed to make any modifications. For one thing like altering a SIM card, you’ll have to undergo 11 layers of authentication.”
These 11 layers of authentication are the utmost variety of verification strategies accessible to Efani customers, whereas each account has a minimal of seven authentication steps when a consumer desires to substitute their SIM card. These verifications contain offering the final 4 digits of the bank card on file, telephone quantity, SIM card quantity, and different info.
“We now have made it so rigorous that it eliminates any likelihood of SIM swapping. Most individuals surrender after the second or third authentication step,” Awan stated.
Maybe an important function – and the final step for authorizing a change to an account – includes notarizing a letter of intent. Every consumer should go to a notary public to authorize a change to their service, and this notary is verified by Efani’s authorized workforce.
Even after this remaining step, a 7-day “cool-off” interval goes into impact earlier than the brand new SIM card will be activated. And it might’t be any outdated SIM card purchased at your native comfort retailer, both; Efani sends every account holder two encrypted SIM playing cards once they join with the service, and solely the backup is allowed to hold the consumer’s quantity if the outdated card is misplaced.
Outdated methods, new canines
On prime of those measures, Efani conducts background checks of all staff, requires multi-employee authorization to make account modifications and shops buyer info in server silos to maintain information segregated. Moreover, buyer names and telephone numbers are stored separate.
Efani’s plans are additionally insured as much as $5 million by Lloyd’s of London for any theft or information breach which will happen by means of Efani’s companies.
Awan, who bootstrapped the corporate together with his personal funds, stated that it’s worthwhile and on monitor to hit 7 figures in income this yr. A few third of its shoppers are cryptocurrency customers, he stated, including that the remaining are usually excessive profile people, together with skilled athletes for the L.A. Lakers and San Francisco Giants, different celebrities and a good variety of attorneys.
When requested what will be completed to “repair” the present state of SIM swapping (with out beginning a competing enterprise), Awan was pessimistic concerning the capability for change in legacy suppliers. Most customer support staff, who’re contractors to start with, “should not subtle sufficient to grasp the menace stage.”
Furthermore, altering one thing that impacts so few prospects anyway might be not on their radar, particularly contemplating it could require an entire overhaul of their processes.
“I don’t assume this drawback might be solved by any service. Altering the present system would require updating the system and processes for each cellular account in America and this isn’t simple to do,” Awan stated.
“The second drawback is that the carriers wish to imagine this isn’t a problem. It impacts in all probability 1% of the inhabitants. It’d be like saying, “Okay, each automotive offered within the U.S. comes with bulletproof glass.”