I’ve been telling people for years that they need to implement two-factor authentication wherever possible. Now that you’ve done that, imagine the havoc if those security codes were sent to somebody else, enabling them to access your email, your social media accounts, and, worse, your bank accounts. It is called SIM swapping, porting out, or SIM jacking. Today’s guest is Haseeb Awan.
Haseeb is CEO of Efani, America’s most secure and private cell phone service. He is an expert at protecting the cell phone numbers of high-profile individuals. Haseeb was also co-founder of the first bitcoin ATM company.
Haseeb shares his experience dealing with SIM swapping. We talk about how we are all at risk and the precautions we can take to avoid becoming a victim of SIM swapping.
“If you can’t afford security, you definitely can’t afford a breach.” - Haseeb Awan
- [01:26] – SIM swap, SIM port, SIM hack, and telephone takeover are all the same thing. SIM swapping is when a criminal takes over your telephone number.
- [02:05] – The criminal takes control of your social media or email accounts and then drains your bank account.
- [04:06] – If a criminal obtains your account number, PIN, and telephone number, they can transfer your phone number.
- [05:36] – Often they go online, buy a new SIM card, and trick someone into transferring the number to them.
- [06:51] – Social engineering is as simple as pretending to be someone you are not to gain information, maliciously or for fun.
- [08:05] – Telephone companies have the ability to sell, monetize, and track your data.
- [10:47] – If I haven’t done anything wrong, why do I need privacy?
- [11:49] – Criminals are working 24/7 to destroy you.
- [13:31] – The average customer is more at risk because they don’t take as many precautions.
- [14:41] – Make sure your cell phone carrier supports a PIN code at a minimum.
- [16:30] – Whatever setting you have, a store employee can override it.
- [19:42] – A port lock might keep your number from being taken to a different carrier, but if they go to your carrier’s store it doesn’t help at all.
- [19:58] – These criminals only need a few hours to get complete access to everything.
- [20:36] – Often they attack when you are most vulnerable, like after 9 PM in the evening.
- [21:16] – You should always use app-based or hardware-key two-factor authentication instead of SMS two-factor authentication.
- [23:32] – Keep it simple: have a password on your phone and use the Google Authenticator app.
- [24:52] – We often get attacked because we are lazy and put security off until tomorrow.
- [26:22] – Efani focuses on privacy and security.
- [27:18] – Most of their customers are people who don’t want their information sold on the internet and want that extra layer of security.
- [28:15] – Doctors are the number one victims of SIM swapping attacks.
- [29:40] – Seniors are at significantly higher risk.
- [31:19] – It is really easy to forge caller ID, so never assume it is a real call.
- [32:25] – Within 90 days you will see a 90% reduction in spam calls with Efani.
- [33:27] – When you have a cell phone plan, try not to be on a family plan.
- [33:47] – The two most important numbers in your life are your Social Security number and your cell phone number, and you have far more linked to your cell phone number.
- [34:14] – He suggests getting two telephone numbers. Use one for all authentication and don’t give that number out to anyone.
- [34:42] – Keep your cell phone software up to date and don’t let children play on your phone.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Have I Been Pwned
- Haseeb on LinkedIn
Haseeb, thank you so much for coming on the Easy Prey podcast today to talk to us about SIM swapping. Can you give me a little background of what SIM swapping is and maybe some other names that it might be called?
Certainly. Thanks, Chris, for having me on the show. First of all, you have such an amazing show, which I listen to. I listen to pretty much every podcast that you have, and every time I listen, I learn something. Because frankly, even being in this space for some time now, we hear about intelligent ideas that hackers and criminals are deploying to victimize people. Thanks for putting this show together.
It's called SIM swap, SIM hack (it has to be linked with SIM hack), telephone takeover, or something within SIM port, SIM hack. Whichever name comes up, it will basically point you to the same thing. They are so obvious.
So, what is SIM swapping?
It's pretty simple. Basically, think about it: you have a telephone number and tomorrow, a criminal takes control of the telephone number. Another question is, what can he do using your telephone number to make you a victim? The way he does it is basically purely by taking control of your social media accounts. That's the first thing—or email accounts. And then literally draining your bank account, your social media, or taking control of all the data.
Within, I would say, 15-20 minutes, he has taken control of your bank. The way he does this is simple. Go through your account—a Gmail account, Hotmail, or ISP account—and do a password reset. The reset code comes to your telephone number, and now he has access to your telephone number and email account.
He goes into your email, he runs a con job, and sees what accounts you have. They will do a search for Chase Bank, US Bank, and every bank. They have a list of many thousands and figure out which accounts you have a login on. Then they use the password and go into all those accounts. Do a password reset and guess what? They can authenticate as you with a couple of things.
Number one, they want to know your date of birth, your name, your telephone number, your email address, and he has access to everything. Then he uses that to maliciously transfer money from your account. In some cases, he will steal your data and then get into your social media account. That's why you hear about all those stories of people saying, “Hey, it wasn't me on Twitter who posted this picture,” or something. But that's what happens.
Starting from the beginning, this whole thing involves someone gaining control over your telephone number. How does this criminal gain control over someone's telephone number? If I've got my phone in my hand, how is someone gaining access to my messages and whatnot?
Here’s the thing. In 2005, Obama signed a bill, or I think there had been a bill around for a long time, that if you're not satisfied with the current carrier, you can go to a different carrier. Because technically, the number belongs to you. It's your property, so you can take it anywhere you want.
But what happened is, although it's a very good facility, scammers are abusing it by using it illegally. In order to make it convenient for everyone, it was made so simple that you just need your account number, your PIN number, and your telephone number. Technically, if someone has all that information, they can just transfer your number. The question becomes, how easy is it to get those numbers?
First of all, if I want to search and I want to find out what your telephone number is, it may take me half an hour, but I'll find out what your telephone number is. Then I need to find out where you live, which is also very easy to find. Then I just need to find out your account number and that could be done by either bribing someone in the company or going on the dark web and paying someone to get the information.
A lot of the time, it's also social engineering, where you can call in as a person and you can have crime on the back and say, “Hey, I'm the spouse of Chris, I'm a friend of Chris, or I'm Chris. I lost my phone. Can you just help me out?” “Can I have your number?” “Oh, I don't remember it, but I have my home address. I have my date of birth. I have other things.” They just trick the person into giving them the account number. Once they have the account number, it's very easy to bypass the PIN as well.
So the SIM card is that little chip that we drop in our phone that identifies, “Hey, this is my telephone number. This is where you send SMS messages. This is how my phone identifies the wireless networks,” right?
Got you. The criminals are getting a new SIM card issued to them or what?
Yeah, that's what happens. They can either go online and buy a SIM card—every company ships you a SIM card. They just order a blank SIM card and then trick someone into transferring that number to them. Think about it: they may be with Carrier A and they may go to Carrier B. They tell Carrier B, “Hey, I'm legitimately Chris. I want to transfer my number over.” They will ask you for multiple pieces of information, but actually, only two or three pieces of information are important—your telephone number, your ZIP code, and your account number.
You get a PIN too, but that's not mandatory. Literally, three pieces of information are required and they just click on it. The company just automates it, because someone wants to leave and thousands of people leave every day. They don't go through manual verification and boom, you're done.
Wow. That sounds scarily simple.
It's actually scarily simple, and frankly, a lot of people who are actually doing this are criminals, but not just criminals. They are probably teenagers, and it doesn't require a sophisticated methodology to do it. It's just a pure act of crime, and the intellectual level that's required is just that you have to call 100 people and see who you can trick.
Yeah. It's just a matter of social engineering. For our listeners who haven't heard of the term social engineering before, what does that mean?
Social engineering is simple. I pretend to be someone that I'm not. I can pretend either maliciously or just for fun. Because on the phone, I can just call in and say I'm Chris. The person on the other end does not have any idea whether I'm Chris or not. He may think that you don't sound like Chris because you have a different accent. But frankly, he cannot even say that, because I can probably sue him for discrimination or making fun of me.
I don't know if you've ever done it, but I've done it, maybe once or twice, where I'd call on behalf of my wife and just get the stuff done. Or she does something on my behalf too. The worst part of that is your telecom carrier right now is selling a lot of your information. If you read the contract that you signed up for—99.9% of people don't read it—it actually says that they are allowed to sell your information.
There are companies who buy that information. I think AT&T was even fined for selling location data. They would also sell the data if you're traveling in a special jurisdiction. Imagine you are traveling to Lake Tahoe. They will show you all the apps that are linked to Tahoe and then people can market to you.
Long story short, telecom companies have written down this agreement that they will sell, monetize, and track your data. There are companies who probably advertise that, “Hey, we buy the data directly from the telecom company.” We buy some data too. We have a system where we can put in your name. Your telephone number tells you your name and where you live and everything.
Honestly, for a lot of people, if someone owns a home, then you probably have access to easily obtain Social Security Numbers, home addresses, and all sorts of stuff. It’s probably fairly simple to gain, and with a little bit of social engineering, asking some people some questions, you could probably even get more information about the person in a matter of minutes.
Yeah, sure. Making a fake ID in the US is probably one of the easiest things to do in the entire world. Our ID is one of the most simple things and people have done it to buy cigarettes, alcohol, or something. But literally, you can order, go on the dark web, and pay someone a huge dollar, and they'll issue you a fake ID.
There are people actually employed in the store. All the store employees that work, like kiosk guys or any store owner, they have the potential to go on the internet, create an account, and there is extra income for you. They may not make money on their day job or working at a kiosk or a shop because maybe it’s only $15 an hour. But on the Internet, they can sell you information for $100 or $200. If you're a doctor, your information can be sold for $2000.
Wow, that's scary. It's fairly inexpensive if someone really wants information about you to get everything they can.
Correct, but that’s the compromise that people are making. They are okay with that, they signed up for that, and the internet has spoiled us. I make a joke that the internet is actually good for us, but at the same time, it has led us to a lot of sellers, a lot of personal information to people. I think, probably, we still have a taboo. Then if I offer taboo, people think that I'm doing something wrong. For example, what if you go to a washroom and someone installed a camera there? They are not doing anything wrong but it's a private space. It's just a private space.
Similarly, if you are living in your room and someone installed a camera—and especially without your permission—how would you feel about it? But because of the cellphone culture, it has slowly gone into our minds that it's okay, but it's not okay.
There's a really good quote about privacy that’s basically—I wish I could remember it off the top of my head. There's that theory of if I haven't done anything wrong, then why do I need privacy? The reality is that's not the way it works. You have a right to privacy, not waiting until it's compromised.
Certainly. A lot of people just say, “Hey, why would someone attack me?” Or, “It will never happen to me.” Or, “It never happened to me.” To some people who said that it never happened to them, I just tell them, “Hey, we haven't died yet. It doesn't mean that you will never die. If you want to hear how people die, I can tell you a lot of people who are dead. Do you want to do it once you get shot?” They say, “Okay, why would something happen to me?”
I say the people who got shot today, or he got in an accident. They didn’t go out and say, “Okay, Chris. I'm going tonight. I will get into an accident.” No, they actually left and then they get either by chance or by—because good people wait, but bad people don't wait. You may say, “Hey, let me do it tomorrow. I'll get to it when I have time.” But actually, the criminals, they're actually working 24/7 to destroy you. If you can't afford security, definitely you can't afford a breach.
Yeah, that's absolutely true. There have definitely been a couple of really high-profile things that maybe we've heard in the news that we didn't really realize were SIM swapping. I know there was the CEO of Twitter, Jack Dorsey. If I remember right, something strange got posted to his Twitter account. And within an hour, it disappeared and everyone was like, “What happened? What went on there?”
Later on, they revealed that he was actually a victim of a SIM swapping attack, where someone was able to obtain his cellphone number, port it out, and authenticate into the Twitter CEO's personal Twitter account.
Yeah, certainly. I'll give an example. That's actually true. With Jack Dorsey, they have teams of maybe 100 security people who are working on it. They can make a call to AT&T or any major carrier and say, “Hey, get the president on the line and fix it.” For an average customer, frankly, if I or you are a victim, it will take us three hours to get in line to get to a customer service representative.
Average customers are a lot more at risk. For Jack Dorsey, even if he lost money, he will find a way to recover it. Or his reputation, he will find a way to recover. But it's difficult for the average customer. Think about a lawyer. If you are a lawyer and your account got compromised, your entire data got breached. You will have a very, very hard time establishing that reputation again. It's almost impossible. People will not trust you.
Average customers are actually more at risk because we don't take a lot of precautions. As I said, a doctor is the number one target to be a victim. Think about it. A criminal is paying $2000 to buy your data. What ROI does he need on that? He must make more than $2000. You are ultimately going to pay for it. It’s just a matter of time. What we see a lot of the time is that a lot of people don't talk about it, because number one, it's an embarrassment.
If you are a well-known leader or someone, you don't want to talk about it because it would destroy your reputation. “Hey, I lost my data.” What they end up doing is they keep on paying money. Unfortunately, a lot of people who are vulnerable in our society—mostly everybody—become a victim and have to keep on paying because some criminal tricked them with something like, “Hey, I will do something crazy to you.”
It sounds like we're all at risk. What are the things that we can do to protect ourselves from becoming a victim of SIM swapping? We usually talk about making sure that our carriers support a PIN code at minimum, and that we actually have set that PIN code. But that's one very small thing that we can do. Are there bigger things that we can do?
A hundred percent. I'll give you an example. The biggest thing is you have to understand how this cartel works. This is basically a cartel. The way they operate is not one person doing it and making a kid make a call from the basement. It's actually a very sophisticated attack.
Unfortunately, this is the reason I'm not naming any names. I'm unable to be very specific about how it works because I don't have a lot of proof, and I certainly don't have the resources to find those big organizations. But the way it works is you went into a bank, ABC bank. Now you made a bank account, and the ABC guy who made the bank account saw Chris show up with $100. He also knows that Chris is basically a very easy target for SIM swap because he gave his telephone number to us, and his two-factor is SMS.
Now he makes a list as a job. He basically makes a list and he sells this information for about $200. “Hey, I have a customer. Just pay me $200, and I'll tell you this is the customer. This is his Social Security Number and everything.” Now, you go ahead with it. Someone will buy that information, and then they will compile a list of 20, 30 people. They will call their buddy in stores. The job of the buddy is to facilitate by being socially engineered.
When they call in or you walk into a store, they will make sure that, “Oh, I saw this person’s ID. He verified that this is a legit person.” What he does is he overwrites whatever setting you have. Whatever setting you have, he can overwrite. People say, “I have a PIN,” as you mentioned. I say, “Okay, what if you walk into a store and you tell them, I'm actually Chris. Can you do this for me? I lost my password.” What will they do?
If they are able to reset your password for you, they are able to reset a password for anyone. They don't know what Chris looks like. The only thing they have is the name with the date of birth. If someone lived in Florida, I know how the Florida ID looks like. I just have to put the name then and just go in and pretend that I'm buying a new phone. Be friendly and just trick them into doing this because those people aren't trained, and they're dealing with all the confidential information.
A lot of times, those people are also part of the cartel. And then they pretend that they were social engineered. If something comes tomorrow, they say, “Oh my god. I don't know. Something went wrong.” Worst comes to worst is they will get fired.
Yeah. And they won’t go to jail.
They will not go to jail because they were not part of it. They were fooled. They will just get a job at a different carrier, and they will keep on changing places because they have multiple employment records. They can just say, “I used to work there. I used to work there.” A lot of these telecom stores are franchised. They don't even share employment records. This person was employed here and they did something wrong. Now he’s part of a different group. That's the way employment works and everything. It's super complicated then.
But long story short, ultimately, a person will just take one SIM card, then he's done, and then you're done. He exactly knows where your bank account is. One of the easiest parts is to go to Zillow or any other website and you will find out who's selling their house in one expensive neighborhood.
If you click on a thousand expensive neighborhoods in the US, you will find maybe 50,000 houses. You can go on White Pages and buy that data for 10 cents or something. It will give you the telephone number of everyone who lives in those houses. You just run a record, you run a couple of algorithms, and you'll find everything. Now you have 50,000 people to play with. It's somewhat simple. It's a very easy attack to do.
I know some wireless carriers in the US—and I don't know what happens outside the US, but we'll just talk about the US—have what they refer to as port locking. Does that actually help? Or is that just easily overridable by a store employee also?
Ultimately, a person will override it. For major carriers that are implementing these things, there are two types. One is port out and one is SIM swap. Port out is when you left the carrier. You're with Carrier A and you move to Carrier B. That's one option. SIM swap is when you stay with carrier A but you actually change your SIM card, which means that you went into a T-Mobile store and you say, “Okay, I lost my SIM card. Can you issue me a new SIM card?” He will just say, “Okay, can I look at your ID, Chris? Here’s your new SIM card.”
For that, there is no lock. Yes, they do make sure that you don't leave the network, but they don't lock the SIM card from being changed.
Got you. In some sense, the port lock might help keep your number from being taken to a different carrier. But if the person is walking into your carrier store, then the port lock doesn't help at all.
Correct, that's exactly what happened. Within one hour or two hours, you're done. They only need one or two hours. They don't need more time, because you will lose signal and you would say, “What happened?” You may not be able to get hold of it. Good luck getting to any customer service within one hour.
For most of us these days, we only have a cellphone. If we lose our cell signal, it's not like we have a second cellphone sitting right next to us. “Let me go on Account B and make a phone call. Let me find a friend. Go over to a friend's house.” Maybe I have to go into my office in order to make a phone call. And by then, the criminal has already done his damage.
A lot of the time, they attack when you are most vulnerable. Think about after 9:00 PM, when all stores are closed. Now they have a 12-hour window.
Got you. You've already shut down for the evening. You're not looking at your phone anymore. They've now got all night until the following morning to try to get your two-factor authentication codes and whatnot. Is your suggestion that in places where you can have either a physical two-factor authentication device or use a Google Authenticator app, you use that instead of SMS two-factor authentication?
100%. Even if you have your own account, you should always use an app-based or hardware key. The problem with all those keys is there's a learning curve. We did a survey and we asked almost 100-plus people about whether they use 2FA or not. Does their organization permit it? We did that.
If you look at a general sample, we're not talking about sophisticated tech. In a general sample, 94%, 95% of people will say that they don't use 2FA. The other 4.5% or 4.6% will lie. Technically, if you look at total accounts, only 0.01% will use 2FA. Because it’s inconvenient, right? You have to put in a password. You have to do a thing. A lot of organizations suffer because of that, too.
Yes, you should use it, but the problem with the inconvenience and everything is people forget it sometimes. A lot of organizations don't even allow you to do that. I think the IRS does not allow QR codes either.
I'm not sure. We were talking about the inconvenience factor. I have family overseas where, for whatever reason, they don't do much phone number two-factor authentication. It's all hardware tokens and this person holds up their key chain and it's like, “This is from my bank. This is for this.” And they've got 14 or 15 tokens on their key chain. We were all looking for the day that we'd never have a key in our pocket. Now, there are no physical keys, but it's all 2FA keys.
But the thing is also 2FA keys is, we think about someone. We talk about Efani. We talk about a wide spectrum of what can happen. For the average consumer, they don't understand the risks that happen to them. Imagine you're traveling somewhere, you lost your keys. It's not a difficult thing that you will lose your keys or you went into this pool and you lost—I don’t know. Keys actually could go wrong too.
But obviously we deploy a different set. For the average person, it's very, very difficult to take care of health protocols. We say, “Hey, keep it simple.” Have a password on your phone and then use Google Authenticator, Authy, or a similar app. Because carrying another keychain is also very risky. We’ve come across cases where people want ransom and everything. If you even do 2FA by app, you are above maybe 99% of the world now.
I guess the first step is everyone—on their phone accounts—should have the PIN code at minimum. That's barely even good enough. And then have any 2FA enabled on your accounts.
If you can do it, get the Google Authenticator app, 2FA. The unfortunate thing is not a whole lot of places support…
Google Authenticator or Authy.
Yeah, unfortunately not a lot. I'm trying to think. Not all banks, and unfortunately, not all those types of entities, where you might want that additional security, actually support authenticator apps. The tech companies seem to be very good at it.
Yeah. They do, but at the same time, we talk about people being lazy. That's the number one reason why Americans get attacked a lot because we are lazy and we just say, we'll do it tomorrow. But these are the minimum things that you do. Even we say that because even in Efani, frankly, we cannot cater to every customer.
We serve the top 1.2%, 1.9%, 1.8% of the world. Because number one, not everyone can afford us. But the other part is also that we cannot take on more customers. We have to be selective with the customers we work with. We have recommended, “Hey, go to”…we have self-help guides for people to do it. Frankly, we prefer that they use those guides and make our life easy, too, rather than coming to us and saying, “Okay, what to do?” Because 97%, 98% of people don't even need our product.
For the people who do need your product, can you tell us what your product is? And how do you differentiate yourself without disclosing the secret sauce?
Sure. I can totally get into that. […] as possible because you become a victim of this attack all the time too. Think about cellphones. Think about AT&T, Verizon, or any major company you can think of. We operate similarly to them. We don't have an antenna, so we basically depend on the coverage of the biggest network in the US. It is the best network in the US.
Like an MVNO?
Yeah, we are an MVNO. But like I said, a lot of people don’t understand MVNO concept. You get the same coverage. But the only thing is we only focus on two things—privacy and security.
Your customer offering will be, “Hey, I'll give you a nice cellphone.” I say, “We will not give you a cellphone, we'll give you peace of mind.” Your cellphone may say, “Hey, bring on more customers. Do this and I will give you Netflix, Disney,” or those random stuff. We say, “We don't give any of this. We only focus on two things: privacy and security.” If you're looking for those Mickey Mouse stuff or other things, you can go to other companies.
As I said, we have a very small clientele. Our clientele is generally at the top in average percent. People who don't want to be sold on the Internet.
Yeah. And people who are looking for that additional level of security. If you're the multibillion-dollar crypto investor. If you're a crypto investor, because the currency is so untraceable in terms of transactions, you're almost a lot more targeted, and it's a lot harder to get your money back if something happens.
Correct. But I'll tell you one thing. Actually, 90% of our customers are non-crypto. They are average accountants, lawyers. But think about it: you run an accounting firm and someone got access to your call logs. Even the call logs are accessible with employees too. They also sell those call logs.
If you say you hate someone or you say, “Okay, I'm going to listen to this call. I want to see what deal he’s up to.” You can just bribe someone for a few hundred dollars and he will give you a call log of that person. That's actually a bigger problem for a lot of accountants, lawyers too. For medical doctors, they are the number one victims of these attacks. They also come to […].
And then you see those signboards with ABC numbers got hurt, ABC number lawyer. We still have a lot of those customers because we also have a lot of vanity numbers. Those numbers are worth everything. If you take them away, they lose that number. That's their brand. That's everything they have. Work with an influencer then because your social media is linked to your telephone too.
We just say something like, “Imagine if your telephone number and email account have been taken away; what is it worth to you? How much are you willing to spend on it?” And if the answer is, “Yes, I'm willing to spend more than $10 per month to protect my data,” we say, “Okay, come in.” But if you say, “No, it doesn't matter. My privacy doesn't matter,” then we say, “Okay, you're not the right fit for us.” Our average customer makes over $80,000 and lives in the US.
That makes sense. Grandma, she doesn't even have an online bank account. She's just used to going down to talk to the teller at the store. Grandma is much less likely to be a victim and even if they could get a hold of grandma's phone, she's not…
Actually, that's not correct. We are just getting in contact with an old-age facility. And the problem with the old-age facility is seniors are at a lot of risk because they don't get to talk to anyone. Someone can sweet talk to them. They can call them up and just say, “Hey, how are you?” Build a relationship and then one day ask them information. “Hey, can you do this for me? Can you do this for me? Can you do this for me?”
Those poor ladies or men have done it because they are very receptive. That's unfortunate. That's why a lot of senior homes do not allow cellphones, because people call, not for SIM hacking, but for other ways that they can hack them.
Definitely, the elderly are significantly at higher risk for other types of scams. I figured it'd be less likely for SIM swap hacks.
Yeah. Less likely for SIM swap, but also the problem is something goes wrong, they can also take your telephone number and call a call center. Think about it, if you get a call from your business partner or any other partner—and because of the fake AI and other stuff—they can replicate exactly your voice. Or someone can replicate their voice and call you. “Chris, can you transfer me a $1000?” “Oh, yeah. What's up, man?” “I'm just bored. I run out of my credit cards. Can you send me a Bitcoin? Can you do this for me? Can you do this for me?”
Maybe you can do it because you know their voice and you can replicate it. You can see their cellphone number is popping up.
Was it earlier today? I got a phone call from Wells Fargo Antifraud Department. I don't have a Wells Fargo account so I immediately know it's fraudulent, but I still wouldn't trust it anyway. But it's so easy to forge caller ID these days. You can never assume that it's a real call.
Yeah, spoof calling. One other feature that we have on our SIM card is whenever someone calls, we can actually verify if it's actually a spoof call or not.
Oh, that's awesome. Do you block them or just notify your clients when those calls come in?
We notify the clients. We are testing all the features, but we notify our clients about this. The thing is we do not get false positives, but we do get false negatives, which means that it may be legit, but we are unable to verify identity; in that case we will say this person is fake. It doesn't mean that you're fake, but it may be fake. For the information where we say this is legit, that is actually legit.
Okay. I'd rather have those falses than the other way around. You'd rather have…
Correct. We can just say, “Hey, be extra cautious.” Just to give you an example. Because we cannot verify their identity. Similar to Gmail, if you open an account or something. This email may not have originated from the actual address. That's the same technology that we are able to […]. […] more, but it works pretty well.
Another thing is we also reduce spam calls by 90%. Within 90 days, you will see a 90% reduction in spam calls. We deploy a couple of ways, but the easiest way is we don't sell, monitor, or buy your data. There have been a lot of times that you make an account at Wells Fargo and within two days you receive an offer. “Hey, we’re an accounting firm. I see that you just opened a business. Can I just sell you…” What they do is they sell your information.
You make an account anywhere and you start listing to different—they buy your leads too. They’re in the business of selling data.
Got you. One final thought for our listeners. The best thing that they can do to prevent SIM swapping, what can they do?
It depends. The best thing to do is obviously—I’ll be biased—they should switch to Efani. As I said, we only take a few customers. There’s a likelihood that they will not qualify. For the other 98%, I would say simple things.
Whenever you have a cellphone plan, try not to be on a family plan. It actually exposes you to a lot. Not only does it expose you, but other people in your family too. Try to avoid them. I know they are cheap, but frankly, man, there’s nothing more than your life and everything.
If you think about it, there are two numbers that are important in your life. One is your Social Security Number, the other is your cellphone number. You have more things linked to your telephone number than anything else. Now, if I meet you, “Hey, Chris. What is your Social Security Number?” You would be, “What the hell? Are you…”
But if I ask you, “Chris, can I give you a call?” You say, “Yeah, this is my telephone number.” And the moment you give me your telephone number, this is the same number that you give to your banker too.
If you connect those dots, how vulnerable does it make you? One thing is Efani. For the average consumer who does not qualify, they should just get two telephone numbers. One would be a white number. They use one for all the syndications. Use three or four numbers for different stuff, and then don't give out that number to anyone. That's one thing.
Have 2FA for every possible thing—Gmail, email, Facebook, any social media, or bank account. Any possible thing. Keep your software up-to-date. Don't give your phone to kids who can play around and download new apps and everything. It happens. My kid wants it too. Even though we don't allow him screen time, sometimes you give it for half an hour and say, “Do you want to play games or something?” We got a new phone for him so he can play on it. Never give your phone to anyone. People may get offended, but I don't give out my phone at all.
Other than that, be vigilant and have multiple numbers on your cellphone. And we wrote a couple of guides on our website too—how an average consumer can protect themselves. Just having 2FA and having multiple numbers will protect you from 99% of the attacks.
That is absolutely great advice. Haseeb, thank you so much for coming on the Easy Prey podcast today.
Thank you, Chris.
Very useful information in times of crisis. You should know that since the coronavirus, SIM swapping attacks are rampant in Greece. These are not the 12-year-olds doing it for fun this time!
Since I heard the news that these attacks came back here too, I have been scrambling to revamp my security protocols: using only e-mail providers that offer TOTP, switching to TOTP 2FA in all accounts that support this functionality and disabling all other recovery options. Planning to get an additional Google Voice number used only for 2FA. Authy with that new Google number (that I do not share with anyone) on a dedicated encrypted & password-protected phone that stays at home at all times.
Feel free to share your feedback and any vulnerabilities you see with my plan.
Sadly only one Greek bank has the hardware token option for 2FA (they offer this option to non-Greek residents). There was one other local bank that said we are no longer issuing new hardware tokens to clients because we are going digital. Classic: technology guys that don’t work with the security guys. How ironic!
I would use my Google Voice number (which is secured by TOTP) to secure my Greek bank accounts, but sadly they don’t send texts to VOIP only numbers!
On second thought, I would be interested to know about possible attacks and attack vectors against a Google Voice number that is secured by the account’s 2FA TOTP option.
Do you know any US banks that support TOTP? I have only found one in the US that does. Do you happen to know if there are more? I would really love to know.
sai sai says
How can I get a new SIM for my phoinex 4? It was hacked.
Tarina mason says
I’m so relieved to see this article. I am a victim of complete identity theft with stalking and harassment … I had a young couple come to my home; I allowed her to use my phone to call her kids. On Oct 27 she placed a monitoring/mirroring app on my phone, rerouted every call, text and email, stole 27 thousand dollars from me, vandalized and torched the only thing I had invested $ in, my ’57 Chevy, chased me to Colorado and back, 3 bank accounts. The detective has been a joke … And now she’s trying to get my freedom with a class A felony for texts she sent herself through this app she has … They also put a jumper modem and spliced into my internet at my residence; she insisted a gentleman renting a room in my basement apartment helped her, and as a bonus got to view me, spy and monitor … I have all my devices, the modem they used, my 2 phones that are rooted, my laptop and Chromebook, plus all the wiring from my home they used and one of the cameras from my shower 😰 … This girl is trying to ruin my life … I also do know that she has done the same thing to several other people, listing herself as admin and placing us in a nest to monitor … I need help. I’m outta MONEY, they’ve run me out of my home and vandalized and torched my vehicles … I need help with a cyber team to pull my Google Takeout before she deletes the rest of my life …. Any help would greatly be appreciated. 🙏😥