Bitcoin Entrepreneur Starts Anti-SIM Swap Telco for Rich People

Law enforcement agencies like to make a hullabaloo about SIM swaps being a threat to the general public, but any serious look at the data indicates that SIM swap fraudsters mostly target rich people, especially those with large cryptocurrency holdings. The criminal reasoning is obvious: the victim’s wealth sits in an online wallet, and cryptocurrency is much easier to launder than other forms of money. Haseeb Awan was one of the founders of Bitaccess, an Ottawa-headquartered business that supplied Bitcoin ATMs, and was consequently hit by four separate SIM swaps in the space of two years, according to an interview in Coindesk. He responded in the most rational way possible for an entrepreneur, turning this vulnerability into a business opportunity. Awan set up a new telco called Efani that targets the “top 1.9% of Americans” and offers “military grade protection” for its customers.

Previously known as DontPort, and boasting testimonials from cryptocurrency investors, the sales pitch for Efani could scarcely be more obvious. Subscribers receive USD5mn of insurance cover and 24-hour concierge support. Efani’s own marketing describes its USD99 per month basic tariff as “the most expensive plan” in the USA, further confirming that the service is aimed at high-net-worth individuals who feel vulnerable because of the security failings of large US telcos.

Some of the details of Efani’s operations are sketchy, with Coindesk saying they work “a bit like a mobile virtual network operator”. Coindesk also says Efani uses the networks of Verizon, AT&T and T-Mobile, but the Efani website more mysteriously talks about using “America’s #1 Carrier that covers 99% of Americans on the fastest 4G Network”. The core of the Efani pitch is that they provide “11 layers” of client-side integrity and authentication. Finding the details of these 11 layers is also tricky, but their page on security lists the following 11 aspects of their operations. Note that item #4 reproduces, word for word, the description of the WireGuard VPN protocol from WireGuard’s own website, which suggests it describes a VPN product Efani uses rather than anything Efani designed.

#1 – We store our data in silos across multiple servers on multiple locations which are only accessible by multi-factor authentication of multiple users. This means we’ve spread our risk with no single point of failure

#2 – Our data storage centres are all ISO 270001:2005 [sic] SSAE 16 certified

#3 – Data is E2E encrypted with zero-level authentication implemented

#4 – We’re always using a private VPN using state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions

#5 – We keep our keys locked in cold storage & use multi-signature keys for any change

#6 – Every employee goes through a rigorous background check with no criminal history. It’s equivalent to top-level security clearance

#7 – Data access is limited to single IP [sic] which can’t be accessed outside USA

#8 – For any major change which include allowing a number to be port-out [sic] have to be approved by multiple parties and through a manual process

#9 – We go through a minimum of 7 layers of authentications for a user to port-out. In majority of the case up-to customer discretion, he can chose up-to 11 layer of authentications [sic]. These authentications are random to protect any malicious attempt

#10 – Minimum of 7 days cool off period before a port out is initiated

#11 – We also use PGP encryption if the customer requests it

Coindesk also states that subscribers must provide a notarized letter to make changes to their service. This condition would obviously be too onerous to impose on most phone users, and is also likely to limit churn! Awan appears to be conscious of the practical limits on how much security can be imposed on ordinary phone users, observing in his Coindesk interview that the problem of SIM swaps “affects probably 1% of the population” and that imposing Efani-grade controls on everyone would be like putting bulletproof glass into every car. Nevertheless, operators should consider whether they would increase profits by creating their own VIP services, perhaps under a different brand.
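As an added illustration, and not code from Efani or anyone quoted on this page, the Python below models the port-out controls described in items #8 to #10 and the notarized-letter requirement as a single gate: a mandatory seven-day cool-off, approvals from two distinct staff members other than the one who logged the request, and a randomly selected set of at least seven out-of-band checks drawn from a pool of eleven. The check names, the two-approver rule, the constructed scenario and the reset-on-failure behaviour are assumptions made for the example; only the 7-day and 7-to-11 figures come from the article.

```python
from __future__ import annotations

import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters. The 7-day cool-off and the 7-to-11 check range are the
# figures Efani quotes; the two-approver rule is an assumption for the example.
COOL_OFF = timedelta(days=7)
MIN_CHECKS = 7
MAX_CHECKS = 11
APPROVERS_REQUIRED = 2

# Hypothetical pool of out-of-band checks; names constructed for the example.
CHECK_POOL = [
    "account_pin", "passphrase", "callback_to_number_on_file",
    "email_confirmation", "authenticator_app", "notarized_letter",
    "video_id_check", "security_question", "billing_postcode",
    "last_payment_amount", "hardware_token",
]


def select_checks(count: int, rng: random.Random) -> list[str]:
    """Draw `count` distinct checks at random, so an attacker who has phished
    one credential cannot know in advance which checks will be asked."""
    if not MIN_CHECKS <= count <= MAX_CHECKS:
        raise ValueError(f"count must be between {MIN_CHECKS} and {MAX_CHECKS}")
    return rng.sample(CHECK_POOL, count)


@dataclass
class PortOutRequest:
    customer_id: str
    opened_by: str                 # staff member who logged the request
    requested_at: datetime         # starts the cool-off clock
    checks: list[str]              # output of select_checks()
    passed: set[str] = field(default_factory=set)
    approvals: set[str] = field(default_factory=set)

    def record_check(self, name: str, ok: bool) -> None:
        """Record one check outcome. Any failure wipes earlier passes, so
        partial credit cannot be accumulated by repeated attempts (assumption)."""
        if name not in self.checks:
            raise ValueError(f"{name} is not one of the selected checks")
        if ok:
            self.passed.add(name)
        else:
            self.passed.clear()

    def approve(self, approver: str) -> None:
        """Separation of duties: the person who opened the request cannot
        approve it, and one person approving twice still counts once."""
        if approver == self.opened_by:
            raise ValueError("requester cannot approve their own port-out")
        self.approvals.add(approver)

    def blockers(self, now: datetime) -> list[str]:
        """Return every condition still unmet; an empty list means the
        port-out may be executed."""
        problems: list[str] = []
        if now < self.requested_at + COOL_OFF:
            problems.append("cool-off period has not elapsed")
        missing = [c for c in self.checks if c not in self.passed]
        if missing:
            problems.append("unpassed checks: " + ", ".join(missing))
        if len(self.approvals) < APPROVERS_REQUIRED:
            problems.append(f"approvals: {len(self.approvals)}/{APPROVERS_REQUIRED}")
        return problems


def run_scenario(seed: int = 1) -> dict[str, object]:
    """Walk one constructed request through the gate with a seeded RNG so the
    outcome is reproducible; returns what the gate reported at each stage."""
    opened = datetime(2020, 1, 1, 9, 0)
    req = PortOutRequest("cust-001", "agent_a", opened,
                         select_checks(MIN_CHECKS, random.Random(seed)))
    stages: dict[str, object] = {"checks": list(req.checks)}
    stages["fresh"] = req.blockers(opened)
    for c in req.checks:
        req.record_check(c, True)
    req.approve("agent_b")
    req.approve("agent_b")          # duplicate approval must not count twice
    stages["one_approver"] = req.blockers(opened + timedelta(days=7))
    req.approve("agent_c")
    stages["day_3"] = req.blockers(opened + timedelta(days=3))
    stages["day_7"] = req.blockers(opened + timedelta(days=7))
    try:
        req.approve("agent_a")      # the requester trying to self-approve
        stages["self_approval"] = "allowed"
    except ValueError:
        stages["self_approval"] = "rejected"
    req.record_check(req.checks[0], False)   # one failure wipes all passes
    stages["after_failure"] = len(req.passed)
    return stages


if __name__ == "__main__":
    for stage, result in run_scenario().items():
        print(f"{stage}: {result}")
```

In production the RNG would be `random.SystemRandom()` rather than a seeded `random.Random`, and the cool-off clock would be reset whenever the customer's contact details change, since an attacker who has already taken over the e-mail account can otherwise simply wait out the seven days.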

You can read Efani’s Coindesk interview here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.