friend.tech user falls victim to SIM Swap attack. Is Verizon’s SMS verification a security vulnerability?

Source: Blockchain Rhythm

On October 3rd, @darengb posted on the social media platform X (formerly Twitter) stating, “I just had my SIM card swapped and 22 ETH was stolen from me.” It is reported that all the keys the user held on friend.tech, as well as the user’s own keys held in other people’s accounts, have been sold off, and the remaining ETH in the user’s wallet has since been drained. “If your Twitter account is doxxed and your real name is found, your phone number can be located, and this situation may happen to you,” @darengb added.

SIM card was swapped by hackers

The hackers located the user’s real name and phone number through the Twitter account, then used them to take over the friend.tech account and sell its keys. The underlying mechanism was a SIM swap: the phone number bound to the account was transferred to a SIM card under the attackers’ control.

In his tweet, @darengb also recounted the detailed process of his friend.tech account being stolen. He said, “Earlier today, I started receiving spam emails every minute, which caused me to put my phone on silent (I think that’s the key point), so I didn’t see Verizon’s text message telling me that someone was trying to access my account. Things happened quickly, and Verizon gave me almost no time to react. I opened FriendTech, thinking there was an error because my chatroom was empty. I tried to view Octav and then saw other people’s tweets about SIM card swapping on FT, and that’s when I realized what had happened.”

This incident has also sparked intense discussions within the community. Among them, @IncomeSharks posted, “The same thing happened to me. Those people first sent me spam text messages. Because the carrier won’t wait for my approval, if I don’t reply within 10 minutes, they will approve the SIM card swap. Mobile carriers are so bad! SIM swapping shouldn’t be a problem.”

@AloshyAkasoto commented on this, saying, “This is not just a friend.tech problem, but also because their wallet provider, privy, allows users to register using their phone numbers. Unfortunately, phone numbers are the weakest link in network security. All dApps that use privy as their wallet provider may have the same vulnerability.”

Verizon SMS verification may be a security vulnerability

However, as early as September 18th, @Montana_Wong mentioned in a tweet, “I am a fan of friend.tech, but I’m afraid to hold funds there because 1. Your wallet balance is public information and 2. It uses SMS for identity verification. If you have a high enough balance, you will become a target for SIM swapping… Hackers will toss your keys and take out your dollars.”

The carrier on the telecommunications side of this friend.tech incident is Verizon. In 2019, Verizon was granted a patent by the US Patent and Trademark Office for a data system relating to blockchain and virtual SIM cards. According to the patent document, the system provides special user accounts for virtual SIM cards (vSIM) and can activate such a SIM card on a device; once the SIM card is activated, a message is published to the blockchain network to confirm the activation.

In January of last year, Verizon posted a job listing for a partner manager on LinkedIn, indicating that the company plans to enter the NFT, Web3, and metaverse fields. In response to the SIM swapping incident, @CryptoWithNick stated that Verizon has implemented a new feature called “Num Lock” to combat SIM card swapping.

However, community members still have doubts about this. @wholeisticguy expressed in a post that “the process and technology are fundamentally insecure, and no one can guarantee it. SMS, your SIM card, and your phone number are not secure and cannot be guaranteed to be secure. Never use them to protect anything, as anything that relies on them for security is insecure.”

Vitalik has also experienced a SIM swap before

Losses caused by SIM swapping are nothing new. BlockBeats reported on September 10 that the Twitter account of Ethereum co-founder Vitalik had been hacked and used to post phishing links. According to ZachXBT, the hacker stole a total of approximately $691,000. On September 12, Vitalik posted on social media that he had regained control of his T-Mobile account and confirmed that the earlier attack was a SIM card swapping attack.

Vitalik explained that, in his case, having possession of the phone number was enough to reset his account password. He had previously seen the advice that “phone numbers are not secure, do not use them for identity verification,” but did not realize the problem. It is currently speculated that the phone number was leaked when registering for Twitter Blue.
