In December of 2019, I was the victim of an attack known as SIM-Swapping. SIM-Swapping is where an attacker steals your mobile phone number by assigning it to a new phone – specifically to a SIM card belonging to the attacker. A SIM card, also known as a subscriber identification module, is that little chip inserted into your mobile phone during activation. The attacker steals your phone number by convincing a human that works for a mobile carrier or dealer to change which phone your number is associated with. Once the attacker controls your phone number, all new incoming messages are rerouted to the attacker's phone, allowing them to gain access to any websites belonging to you that rely on SMS to reset the password. Yikes!
I knew about this attack and I took every precaution to safeguard against it. I signed up with a mobile carrier that “claimed” to have better security by requiring a PIN be used to make any changes to the account. Unfortunately, SIM-Swapping attacks are nearly impossible to prevent given the way mobile networks manage SIMs and phone numbers. The attack can be carried out by either bribing or tricking the carrier employee into believing the attacker is the real owner of the phone number.
Timeline of the Attack
A year prior to the attack, I had set up an app called Authy on my phone to evaluate it. I never ended up using Authy for any real sites, but left it installed on my phone. It turned out to be a canary in the coal mine. One evening, I got a notification on my phone that a second device had been added to my Authy account. Ironically Authy is an app that claims to be a secure second factor for authentication, and their own service allows phone-based two-factor authentication to circumvent its security. A foundation built on sand.
I immediately suspected that something nefarious was going on. Within an hour of the Authy alert, my cell phone lost cellular signal. I knew that I had been SIM-Swapped and that someone was trying to gain access to my accounts. Fortunately, I live within blocks of T-Mobile. I ran to the store and frantically got the attention of a customer service representative who issued me a new SIM and reestablished my phone number with my phone. Within an hour of my phone number being stolen, I had regained control of it.
Because of my quick actions, the damage done to me was limited to just that useless Authy account, but this event left me feeling violated and frustrated. I took every precaution to try and prevent myself from being SIM swapped, but ultimately my efforts were useless as there is no safeguard against the reliance on humans working for all the carriers who can easily be tricked or bribed into re-assigning my number to a hacker's phone. As the “owner” of this phone number, there is nothing I can do to secure it to my phone. I put “owner” in quotations, because I don’t technically own this number, I rent it. If I stop paying for phone service, I lose access to the number.
This is a major problem. With over five billion mobile subscribers, phone numbers have become ubiquitous with online identification/authentication. As we have increased our reliance on phone numbers for authentication, we have done very little to safeguard ourselves against vulnerabilities. What’s massively troubling is that we are all vulnerable to such a trivial attack. Over the next several weeks I dwelled on this one question: “is there any way to securely keep the phone number in the control of its owner?” As the saying goes, “necessity is the mother of inventions”.
A Phone Number Secured With Cryptography
For the solution to this problem, I turned to blockchain technology. Cryptocurrencies have shown that using a wallet like Metamask, users can have full control over their crypto addresses without relying on any third parties. I wanted to build a similar process for securing phone numbers. I wanted a phone number that could only be used by the person who controls the cryptographic private keys used to generate the phone number.
My first thought was to see if there is a way to use a blockchain such as Ethereum to register ownership over the phone number. That is, build a smart contract that allows the owner of the number to associate it with an Ethereum address. By doing this, control of the phone number could be based on cryptography. The challenge with this approach is that there is no secure way to ensure that the person registering the phone number actually owns it, enabling the same fatal flaw persistent in current SIM swapping attacks.
Instead, I focussed on a new way to cryptographically derive the phone number from the owner's private keys, similar to how a cryptocurrency public address is derived from a private key. This was my eureka moment! With this approach, phone numbers can be cryptographically generated in a way that remains compliant with existing phone number standards.
The format for telephone numbers is defined by an international standard called E.164. Conforming numbers are limited to a maximum of 15 digits. The E.164 format numbers must contain only digits split as follows:
- Country code (1 to 3 digits)
- Subscriber number (max 12 digits)
There are many country codes that are unused or dedicated for new uses like mine. The approach I took was to reserve a new country code for these new cryptographically generated numbers. Think of this new top level country code as the code for the metaverse.
Phone numbers are constructed by hashing a blob of data such that part of the hash is used as an E.164 compliant number. This hash is registered as an NFT on a blockchain with the E.164 number being the TokenID of the NFT. The blob of hashed data contains information on how to privately message the owner of the NFT.
A Number To Privately Message NFT Owners
The elegance of this approach is that it completely decouples ownership and control over a phone number from the networking layer. Routing messages to the phone no longer depends on a SIM, meaning you could never be SIM-swapped. Furthermore, because the phone number is based on a cryptographic public key pair, the phone number can be used to initiate end-to-end encrypted messages.
We are currently building the messaging layer to allow numbers using this new secure country code to communicate with numbers on the legacy networks.
This is truly revolutionary because it will allow us to onboard the world into Web3 using an identifier that is used by over five billion people. If you want to see the future of secure communication, follow us on Twitter to stay updated on our efforts! LFG!