The first time he was SIM-swapped in 2018, Haseeb Awan took it on the chin and hoped it wouldn’t happen again. Then came the second incident. Then the third. Then the fourth. After the last swap, Awan stopped trusting his mobile provider to keep his account safe and took matters into his own hands: He started his own cell service company.
It was a major pivot from his former day job running the BitAccess Bitcoin ATM network, a company he co-founded and which, incidentally, made him a prime target for SIM-swapping.
His new venture, Efani, is dedicated to stopping a problem that is all-too-prevalent for cryptocurrency users – a problem which most mobile carriers, as evidenced by Awan’s own problems, have failed to adequately address.
What is SIM swapping?
SIM-swapping is a socially engineered hack wherein an attacker ports a victim’s phone number onto a SIM card they control. To hijack a mobile account, an attacker may impersonate a victim to convince a customer service representative to swap the number to the new SIM card. In more elaborate cases, a SIM swap may occur as an inside job or by way of bribing a customer service rep.
These socially engineered attacks have become an all-too-common problem in the Bitcoin and cryptocurrency realm, particularly for its higher-profile personalities. Typically, SIM swappers will target cryptocurrency users with the hope of accessing their exchange accounts through text-message, two-factor authentication.
Perhaps the most famous example of this attack vector comes from Michael Terpin, who lost some $24 million from a SIM swap, prompting a $220 lawsuit against AT&T. Plenty of other cryptocurrency users have fallen prey to such attacks and subsequently had their exchange accounts drained of funds. The 2020 Twitter hacker was even part of a syndicate that orchestrated SIM swaps.
Efani: A cybersecurity firm that provides telecom services
Awan is on the long roster of crypto SIM-swap victims, which is why he founded Efani in 2019.
The company operates a bit like a mobile virtual network operator. It uses the network infrastructure of Verizon, AT&T and T-Mobile to service its customers. But it only relies on this infrastructure to provide cell coverage. Everything else for the $99/month plan, from data management to customer service, is managed in house according to Efani’s own practices.
“Our focus is cyber security. Other companies are telecom providers which have other companies provide security for them. We are a cybersecurity firm that provides telecom services.”
According to Awan, most mobile providers only require a phone and account number to make changes to an existing plan. They also give users the option to set a PIN, but even this layer of protection can be bypassed if the hacker is savvy enough. More difficult to control still are bribes and inside jobs.
11 layers of defense
Efani’s solution to this problem? Making it so damn difficult to make changes to an account that an attack is virtually impossible.
“You cannot make a change for your account by calling customer service,” Awan told CoinDesk. “Even if you call in, they are not authorized to make any changes. For something like changing a SIM card, you may have to go through 11 layers of authentication.”
Those 11 layers of authentication are the maximum number of verification methods available to Efani users, while every account has a minimum of seven authentication steps when a user wants to replace their SIM card. These verifications involve providing the last four digits of the credit card on file, phone number, SIM card number, and other information.
“We have made it so rigorous that it eliminates any chance of SIM swapping. Most people give up after the second or third authentication step,” Awan said.
Perhaps the most important feature – and the last step for authorizing a change to an account – involves notarizing a letter of intent. Each user must visit a notary public to authorize a change to their service, and this notary is verified by Efani’s legal team.
Even after this final step, a seven-day “cool-off” period goes into effect before the new SIM card can be activated. And it can’t be any old SIM card bought at your local convenience store, either; Efani sends each account holder two encrypted SIM cards when they sign up with the service, and only the backup is authorized to carry the user’s number if the old card is lost.
Old tricks, new dogs
On top of these measures, Efani conducts background checks of all employees, requires multi-employee authorization to make account changes and stores customer information in server silos to keep data segregated. Additionally, customer names and phone numbers are kept separate.
Efani’s plans are also insured up to $5 million by Lloyd’s of London for any theft or data breach that may occur through Efani’s services.
Awan, who bootstrapped the company with his own finances, said that it’s profitable and on track to hit seven figures in revenue this year. About a third of its clients are cryptocurrency users, he said, adding that the rest are typically high-profile individuals, including professional athletes for the L.A. Lakers and San Francisco Giants, other celebrities and a fair number of lawyers.
When asked what can be done to “fix” the current state of SIM swapping (without starting a competing business), Awan was pessimistic about the capacity for change in legacy providers. Most customer service employees, who are contractors to begin with, “are not sophisticated enough to understand the threat level.”
Moreover, changing something that affects so few customers anyway is probably not on their radar, especially considering it would require a complete overhaul of their processes.
“I don’t think this problem will be solved by any carrier. Changing the current system would require updating the system and processes for every mobile account in America and this is not easy to do,” Awan said.
“The second problem is that the carriers want to believe this is not an issue. It affects probably 1% of the population. It’d be like saying, “Ok, every car sold in the U.S. comes with bulletproof glass.”