friend.tech user falls victim to SIM Swap attack. Is Verizon’s SMS verification a security vulnerability?
Source: Blockchain Rhythm
On October 3rd, @darengb posted on the social media platform X (formerly Twitter) stating, “I just had my SIM card swapped and 22 ETH was stolen from me.” It is reported that all the keys owned by the user on friend.tech as well as the user’s keys held by others’ accounts have been sold off. Currently, the remaining ETH in the user’s wallet has been depleted. “If your Twitter account is doxxed and your real name is found, your phone number can be located, and this situation may happen to you,” @darengb added.
SIM card was swapped by hackers
Hackers used the Twitter account to find the user’s real name and phone number, then stole the friend.tech account keys. The underlying mechanism is that the SIM card bound to the account was swapped by the hackers.
In his tweet, @darengb also recounted the detailed process of his friend.tech account being stolen. He said, “Earlier today, I started receiving spam emails every minute, which caused me to put my phone on silent (I think that’s the key point), so I didn’t see Verizon’s text message telling me that someone was trying to access my account. Things happened quickly, and Verizon gave me almost no time to react. I opened FriendTech, thinking there was an error because my chatroom was empty. I tried to view Octav and then saw other people’s tweets about SIM card swapping on FT, and that’s when I realized what had happened.”
This incident has also sparked intense discussions within the community. Among them, @IncomeSharks posted, “The same thing happened to me. Those people first sent me spam text messages. Because the carrier won’t wait for my approval, if I don’t reply within 10 minutes, they will approve the SIM card swap. Mobile carriers are so bad! SIM swapping shouldn’t be a problem.”
@AloshyAkasoto commented on this, saying, “This is not just a friend.tech problem, but also because their wallet provider, privy, allows users to register using their phone numbers. Unfortunately, phone numbers are the weakest link in network security. All dApps that use privy as their wallet provider may have the same vulnerability.”
Verizon SMS verification may be a security vulnerability
However, as early as September 18th, @Montana_Wong mentioned in a tweet, “I am a fan of friend.tech, but I’m afraid to hold funds there because 1. Your wallet balance is public information and 2. It uses SMS for identity verification. If you have a high enough balance, you will become a target for SIM swapping… Hackers will toss your keys and take out your dollars.”
The telecommunications industry behind friend.tech is supported by Verizon. Verizon obtained patent approval from the US Patent and Trademark Office in 2019 for a data system related to blockchain and virtual SIM cards. According to the patent document, this system will provide special user accounts for virtual SIM cards (vSIM) and can activate this SIM card on the device. After the SIM card is activated, a message will be published on the blockchain network to confirm this activation.
In January of last year, Verizon posted a job listing for a partner manager on LinkedIn, indicating that the company plans to enter the fields of NFTs, Web 3, and the metaverse. In response to the SIM card swapping incident, @CryptoWithNick stated that Verizon has implemented a new feature called “Num Lock” to combat SIM card swapping.
However, community members still have doubts about this. @wholeisticguy expressed in a post that “the process and technology are fundamentally insecure, and no one can guarantee it. SMS, your SIM card, and your phone number are not secure and cannot be guaranteed to be secure. Never use them to protect anything, as anything that relies on them for security is insecure.”
Vitalik has also experienced a SIM swap before
Losses caused by SIM card swapping seem to be nothing new. BlockBeats reported on September 10 that Ethereum co-founder Vitalik’s Twitter account was hacked and phishing links were posted. According to ZachXBT, the hacker stole a total of approximately $691,000. On September 12, Vitalik posted on social media that he had regained control of his T-Mobile account and confirmed that the previous attack was a SIM card swapping attack.
Vitalik explained that, in his case, having possession of the phone number was enough to reset his account password. He had previously seen the advice that “phone numbers are not secure, do not use them for identity verification,” but did not realize the problem. It is currently speculated that the phone number was leaked when registering for Twitter Blue.