The fundamental time he was SIM-swapped in 2018, Haseeb Awan took it on the chin and hoped it wouldn’t happen again. Then knew the second incident. Then the third. Then the fourth. After the last swap, Awan stopped trusting his mechanical provider to keep his account safe and took matters into his own hands: He started his own cell service company.
It was a notable pivot from his former day job running the BitAccess Bitcoin ATM network, a company he co-founded and which, incidentally, made him a prime object for SIM-swapping.
His new venture, Efani, is dedicated to stopping a problem that is all-too-prevalent for cryptocurrency users – a problem which most travelling carriers, as evidenced by Awan’s own problems, have failed to adequately address.
What is SIM swapping?
Sim swapping is a socially engineered moth-eaten wherein an attacker ports a victim’s phone number onto a SIM card they control. To hijack a mobile account, an attacker may impersonate a sufferer to convince a customer service representative to swap the number to the new SIM card. In more elaborate cases, a SIM swap may occur as an advantageous job or by way of bribing a customer service rep.
These socially engineered attacks have become an all-too-common problem in the Bitcoin and cryptocurrency jurisdiction, particularly for its higher-profile personalities. Typically, SIM swappers will target cryptocurrency users with the hope of accessing their trade accounts through text-message, two-factor authentication.
Perhaps the most famous example of this attack vector be broaches from Michael Terpin, who lost some $24 million from a SIM swap, prompting a $220 lawsuit against AT&T. Loads of other cryptocurrency users have fallen prey to such attacks and subsequently had their exchange accounts drained of resources. The 2020 Twitter hacker was even part of a syndicate that orchestrated SIM swaps.
Read more: Judge Dismisses $200M Damages Be entitled to in AT&T Crypto Hack Lawsuit
Efani: A cybersecurity firm that provides telecom services
Awan is on the long roster of crypto SIM swap sacrificial lambs, which is why he founded Efani in 2019.
The company operates a bit like a mobile virtual network operator. It uses the network infrastructure of Verizon, AT&T and T-Mobile to use its customers. But it only relies on this infrastructure to provide cell coverage. Everything else for the $99/month envision, from data management to customer service, is managed in house according to Efani’s own practices.
“Our focus is cyber safe keeping. Other companies are telecom providers which have other companies provide security for them. We are a cybersecurity plc that provides telecom services.”
According to Awan, most mobile providers only require a phone and account copy to make changes to an existing plan. They also give users the option to set a PIN, but even this layer of haven can be bypassed if the hacker is savvy enough. More difficult to control still are bribes and inside jobs.
11 layers of defense
Efani’s colloidal suspension to this problem? Making it so damn difficult to make changes to an account that an attack is virtually impossible.
“You cannot lift a change for your account by calling customer service,” Awan told CoinDesk. “Even if you call in, they are not sanctioned to make any changes. For something like changing a SIM card, you may have to go through 11 layers of authentication.”
Those 11 layers of authentication are the most number of verification methods available to Efani users, while every account has a minimum of 7 authentication steps when a purchaser wants to replace their SIM card. These verifications involve providing the last four digits of the credit business card on file, phone number, SIM card number, and other information.
“We have made it so rigorous that it eliminates any probability of SIM swapping. Most people give up after the second or third authentication step,” Awan said.
Read various: Social Engineering: A Plague on Crypto and Twitter, Unlikely to Stop
Perhaps the most important feature – and the last become involved hurry up for authorizing a change to an account – involves notarizing a letter of intent. Each user must visit a notary popular to authorize a change to their service, and this notary is verified by Efani’s legal team.
Even after this certain step, a 7-day “cool-off” period goes into effect before the new SIM card can be activated. And it can’t be any old SIM card bought at your townsman convenience store, either; Efani sends each account holder two encrypted SIM cards when they colophon up with the service, and only the backup is authorized to carry the user’s number if the old card is lost.
Old tricks, new dogs
On top of these rhythms, Efani conducts background checks of all employees, requires multi-employee authorization to make account changes and stores fellow information in server silos to keep data segregated. Additionally, customer names and phone numbers are kept other.
Efani’s plans are also insured up to $5 million by Lloyd’s of London for any theft or data breach that may appear through Efani’s services.
Awan, who bootstrapped the company with his own finances, said that it’s profitable and on track to hit 7 figures in returns this year. About a third of its clients are cryptocurrency users, he said, adding that the rest are typically serious profile individuals, including professional athletes for the L.A. Lakers and San Francisco Giants, other celebrities and a fair number of counselors-at-law.
When asked what can be done to “fix” the current state of SIM swapping (without starting a competing business), Awan was glum about the capacity for change in legacy providers. Most customer service employees, who are contractors to begin with, “are not multifaceted enough to understand the threat level.”
Moreover, changing something that affects so few customers anyway is probably not on their radar, signally considering it would require a complete overhaul of their processes.
“I don’t think this problem will be solved by any carter. Changing the current system would require updating the system and processes for every mobile account in America and this is not tranquil to do,” Awan said.
“The second problem is that the carriers want to believe this is not an issue. It affects probably 1% of the people. It’d be like saying, “Ok, every car sold in the U.S. comes with bulletproof glass.”