Our most valuable Digital Assets are at great risk. Can this be fixed?
Our phone number is our most important digital asset, and will remain the only unique national and international method of identification well into the future. As more of our personal lives, transactions and interactions move online, the use of this single identifier will become increasingly important. Already, numerous apps equate their user accounts with personal phone numbers, and significant global initiatives such as the GSMA’s Mobile Connect solution promote the mobile number as a universal digital identity, allowing participants to access multiple online services via a single sign-on.
In addition to our reliance on the phone number as an identifier, in recent years more and more companies and services have come to depend on smartphones as a secure device on which they may authenticate their users through procedures such as two-factor authentication, where verification codes are received through SMS texts.
Therefore, the often publicly available phone number is used both as an identifier and as a means to confirm that identity, with this digital asset essentially acting as both the lock and the key for accessing supposedly secure portals. Anyone who controls the phone number can then act as the authenticator, and by diverting incoming messages, scammers are easily able to complete the verification checks that protect our most sensitive accounts. Alternatively, the presumed private and secure characteristics of a phone number may be used to trick services into divulging passwords.
The most common method of “hijacking” a phone number is through SIM swapping, also known as port-out scamming or SIM splitting. At its most basic level, a SIM swap occurs when a hacker convinces a carrier to switch a subscriber’s phone number over to a SIM card owned by the fraudster, or to issue a new SIM card with the same number to the fraudster. This is generally achieved by the hacker presenting the mobile operator with fake ID documents and requesting the change, but there have been cases where the attackers use inside sources at carriers who will transfer the numbers for them. As a result of the SIM swap, the genuine customer’s mobile phone is disconnected from the mobile network, and that subscriber does not receive any services, including the all-important two-factor authentication SMS alerts. Instead, all traffic to and from the victim’s phone number is controlled by the attacker, and they have full access to calls, social media apps and, of course, security information such as one-time passwords received by SMS.
SIM-swap attacks are now widespread, and over and above the obvious damage done by the owner losing control over his/her data, the hacker is able to circumvent security features for accounts, such as bank and social media accounts. In addition, it is estimated that over $50 million in cryptocurrency has been stolen from U.S. personal wallets in the last 15 months using switched SIM identities, and a number of recently reported cases have highlighted this serious vulnerability. Earlier this year, a 21-year-old Boston man was sentenced to 10 years in jail for stealing $7.5 million in Bitcoin and other cryptocurrencies after hijacking more than 40 phone numbers and then hacking his victims’ cell phones. Rob Ross, a former Apple engineer, watched helplessly as his life savings of $1 million disappeared when hackers took control of his SIM, and were able to enter his accounts, request a password change, and assume his digital identity. In 2018, Michael Terpin, an American blockchain and crypto investor, sued AT&T for $220 million after being defrauded out of $24 million of his crypto assets. Terpin claimed that the carrier’s negligence allowed the hackers to gain control over his phone number, reset his passwords and access his online accounts. Earlier this month, Terpin won $75.8 million in a civil case against 21-year-old Nicholas Truglia, who was reportedly involved in this fraud.
As we progressively become more dependent on our mobile phones to interact and transact, this SIM-swap vulnerability will become increasingly prevalent and damaging. Phone numbers were never intended to be a way of confirming a subscriber’s identity, and phone companies are not equipped to ensure the security of this critical digital asset, particularly when considering the weaknesses and limitations inherent in number porting processes.
Given that phone numbers will increasingly be used as an identifier, major architectural, functional and operational changes are required in order to provide subscribers with full control over this asset.
A company that plans to solve this serious issue facing the security of our digital assets and identities is FIX Network, a project that is supported by New Capital.
FIX Network is committed to providing solutions for securing our digital identities, and ensuring the safety of our daily transactions in the imminent mass transformation towards a decentralized and digital society. These solutions involve utilizing and leveraging the existing cellular infrastructure by defining and implementing a new blockchain-based security protocol, and securing transactions and private keys on SIM cards.
One of the most important digital assets to be secured by this new architecture is the phone number. Clearly, this asset should be owned and controlled by the subscriber, with user-defined FIX Network security policies in place to define which operator may provide services to the number, how that number may be used, and the personal authorization procedures required for SIM replacements.
Ideally, phone numbers should be managed in one blockchain-based decentralized ledger, which will provide standardized access and routing lookup for all operators on a global basis.
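The two preceding paragraphs describe the defensive idea in the abstract: a number record owned by the subscriber, carrying a policy that names which operators may serve it and requiring the owner's own authorization before any SIM replacement or port-out. The following is an added illustration of that idea, not FIX Network's protocol or code: a small in-memory registry in which a SIM change is accepted only when the operator is on the owner's allow-list and the request carries a fresh, owner-approved challenge response. An HMAC over a shared secret stands in for the subscriber-held signing key the text implies; the phone number, operator names and ICCID are constructed sample values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


# Hypothetical number record (an assumption, not FIX Network's data model):
# the subscriber owns the number and the policy attached to it.
@dataclass
class NumberRecord:
    msisdn: str
    owner_key: bytes                    # subscriber-held secret; HMAC stand-in for a signing key
    allowed_operators: set              # operators the owner permits to serve this number
    sim_change_requires_owner: bool = True
    used_nonces: set = field(default_factory=set)


class NumberRegistry:
    """Constructed stand-in for a shared number ledger: every SIM replacement or
    port-out is checked against the owner's policy and the owner's approval,
    never against whatever ID documents were shown at a shop counter."""

    def __init__(self):
        self.records = {}
        self.pending = {}               # msisdn -> outstanding challenge nonce

    def register(self, msisdn, owner_key, allowed_operators):
        self.records[msisdn] = NumberRecord(msisdn, owner_key, set(allowed_operators))

    def issue_challenge(self, msisdn):
        """Carrier asks the registry for a one-time challenge before changing a SIM."""
        nonce = secrets.token_hex(16)
        self.pending[msisdn] = nonce
        return nonce

    @staticmethod
    def approve(owner_key, msisdn, operator, new_iccid, nonce):
        """What the subscriber's own device computes to approve this exact change."""
        msg = f"{msisdn}|{operator}|{new_iccid}|{nonce}".encode()
        return hmac.new(owner_key, msg, hashlib.sha256).hexdigest()

    def authorize_sim_change(self, msisdn, operator, new_iccid, nonce, approval):
        rec = self.records.get(msisdn)
        if rec is None:
            return False, "unknown number"
        if operator not in rec.allowed_operators:
            return False, "operator not permitted by owner policy"
        if rec.sim_change_requires_owner:
            # Challenge must be the outstanding one and must not have been used before.
            if self.pending.get(msisdn) != nonce or nonce in rec.used_nonces:
                return False, "stale or replayed challenge"
            expected = self.approve(rec.owner_key, msisdn, operator, new_iccid, nonce)
            if not hmac.compare_digest(expected, approval):
                return False, "approval not produced by number owner"
            rec.used_nonces.add(nonce)
            self.pending.pop(msisdn, None)
        return True, "SIM change authorized"


def demo():
    """Walk through four requests and report which ones the policy accepts."""
    reg = NumberRegistry()
    msisdn, iccid = "+15551230000", "8901-ICCID-NEW-0001"   # constructed sample values
    owner_key = secrets.token_bytes(32)                      # constructed subscriber secret
    reg.register(msisdn, owner_key, {"OperatorA"})
    results = {}

    # 1. Someone without the owner's key tries to push through a replacement SIM.
    nonce = reg.issue_challenge(msisdn)
    forged = hmac.new(b"not-the-owner", b"anything", hashlib.sha256).hexdigest()
    results["forged"] = reg.authorize_sim_change(msisdn, "OperatorA", iccid, nonce, forged)[0]

    # 2. The genuine owner approves the same challenge from their own device.
    ok = NumberRegistry.approve(owner_key, msisdn, "OperatorA", iccid, nonce)
    results["genuine"] = reg.authorize_sim_change(msisdn, "OperatorA", iccid, nonce, ok)[0]

    # 3. Replaying the consumed approval must fail.
    results["replay"] = reg.authorize_sim_change(msisdn, "OperatorA", iccid, nonce, ok)[0]

    # 4. Even a correctly signed request is refused for an operator outside the policy.
    nonce2 = reg.issue_challenge(msisdn)
    ok2 = NumberRegistry.approve(owner_key, msisdn, "OperatorB", iccid, nonce2)
    results["wrong_operator"] = reg.authorize_sim_change(msisdn, "OperatorB", iccid, nonce2, ok2)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the check order is that the operator allow-list is evaluated before any cryptography, so a port-out to an operator the owner never named is refused outright, and the one-time challenge means an approval captured in transit cannot be reused for a second SIM.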
The composition of FIX Network has been carefully crafted to encompass multi-disciplinary participants, including experts from the telecom, blockchain, cybersecurity and IT industries. As such, the entity is uniquely positioned to implement this innovative security protocol within its own network, serving as a proof-of-concept for the global telecommunications industry and helping to define new standards for the ITU.
In summary, identity management experts have warned for years about our over-reliance on phone numbers, and the security vulnerabilities that are open to exploitation, especially with regard to SIM swapping. Despite these susceptibilities, the use of the phone number as a key personal identifier will not be diminished; in fact, we will become increasingly reliant on this unique digital asset.
It is imperative that users be secure in the knowledge that their phone numbers are safe, and that the identification and authentication policies that depend on these numbers cannot be hijacked. The security protocols implemented by FIX Network will provide the environment and procedures to fully protect not only telephone numbers, but the vast array of digital assets that we will all be using in the future.
To read more about SIM hijacking, please see the articles below: