Our most valuable Digital Assets are at great risk. Can this be fixed?
Our phone number is our most important digital asset, and will remain the only unique national and international method of identification well into the future. As more of our personal lives, transactions and interactions move online, the use of this single identifier will become increasingly important. Already, numerous apps equate their user accounts with personal phone numbers, and significant global initiatives such as the GSMA’s Mobile Connect solution promote the mobile number as a universal digital identity, allowing participants to access multiple online services via a single sign-on.
In addition to our reliance on the phone number as an identifier, in recent years more and more companies and services have come to depend on smartphones as a secure device on which they may authenticate their users through procedures such as two-factor authentication, where verification codes are received through SMS texts.
Therefore, the often publicly available phone number is used both as an identifier and also as a means to confirm that identity, with this digital asset essentially acting as the lock and key for accessing supposedly-secure portals. Anyone who controls the phone number may then be an authenticator, and by diverting incoming messages, scammers are easily able to complete the verification checks that protect our most sensitive accounts. Alternatively, the presumed private and secure characteristics of a phone number may be used to trick services into divulging passwords.
The most common method of “hijacking” a phone number is through SIM swapping, also known as port-out scamming or SIM splitting. At its most basic level, a SIM swap occurs when a hacker convinces a carrier to switch a subscriber’s phone number over to a SIM card owned by the fraudster, or to issue a new SIM card with the same number to the fraudster. This is generally achieved by the hacker presenting the mobile operator with fake ID documents and requesting the change, but there have been cases where the attackers use inside sources at carriers who will transfer the numbers for them. As a result of the SIM swap, the genuine customer’s mobile phone is disconnected from the mobile network, and that subscriber does not receive any services, including the all-important two-factor authentication SMS alerts. Instead, all traffic to and from the victim’s phone number is controlled by the attacker, and they have full access to calls, social media apps and, of course, security information such as one-time passwords received by SMS.
SIM-swap attacks are now widespread, and over and above the obvious damage done when owners lose control over their data, the hacker is able to circumvent the security features protecting the victim's accounts, such as bank and social media accounts. In addition, it is estimated that over $50 million in cryptocurrency has been stolen from U.S. personal wallets in the last 15 months using switched SIM identities, and a number of recently reported cases have highlighted this serious vulnerability. Earlier this year, a 21-year-old Boston man was sentenced to 10 years in jail for stealing $7.5 million in Bitcoin and other cryptocurrencies after hijacking more than 40 phone numbers and then hacking his victims’ cell phones. Rob Ross, a former Apple engineer, watched helplessly as his life savings of $1 million disappeared when hackers took control of his SIM, and were able to enter his accounts, request a password change, and assume his digital identity. In 2018, Michael Terpin, an American blockchain and crypto investor, sued AT&T for $220 million after being defrauded out of $24 million of his crypto assets. Terpin claimed that the carrier’s negligence allowed the hackers to gain control over his phone number, reset his passwords and access his online accounts. Earlier this month, Terpin won $75.8 million in a civil case against 21-year-old Nicholas Truglia, who was reportedly involved in this fraud.
As we progressively become more dependent on our mobile phones to interact and transact, this SIM-swap vulnerability will become increasingly prevalent and damaging. Phone numbers were never intended to be a way of confirming a subscriber’s identity, and phone companies are not equipped to ensure the security of this critical digital asset, particularly when considering the weaknesses and limitations inherent in number porting processes.
Given that phone numbers will increasingly be used as an identifier, major architectural, functional and operational changes are required in order to provide subscribers with full control over this asset.
A company that plans to solve this serious issue facing the security of our digital assets and identities is FIX Network, a project that is supported by New Capital.
FIX Network is committed to providing solutions for securing our digital identities, and ensuring the safety of our daily transactions in the imminent mass transformation towards a decentralized and digital society. These solutions involve utilizing and leveraging the existing cellular infrastructure by defining and implementing a new blockchain-based security protocol, and securing transactions and private keys on SIM cards.
One of the most important digital assets to be secured by this new architecture is the phone number. Clearly, this asset should be owned and controlled by the subscriber, with user-defined FIX Network security policies in place to define which operator may provide services to the number, how that number may be used, and the personal authorization procedures required for SIM replacements.
Ideally, phone numbers should be managed in one blockchain-based decentralized ledger, which will provide standardized access and routing lookup for all operators on a global basis.
The composition of FIX Network has been carefully crafted to encompass multi-disciplinary participants, including experts from the telecom, blockchain, cybersecurity and IT industries. As such, the entity is uniquely positioned to implement this innovative security protocol within its own network, serving as a proof-of-concept for the global telecommunications industry and helping to define new standards for the ITU.
In summary, identity management experts have warned for years about our over-reliance on phone numbers, and the security vulnerabilities that are open to exploitation, especially with regard to SIM swapping. Despite these susceptibilities, the use of the phone number as a key personal identifier will not be diminished; in fact, we will become increasingly reliant on this unique digital asset.
It is imperative that users be secure in the knowledge that their phone numbers are safe, and that the identification and authentication policies that are dependent on these numbers cannot be hijacked. The security protocols implemented by FIX Network will provide the environment and procedures to fully protect not only telephone numbers, but the vast array of digital assets that we will all be using in the future.