InTechnology Podcast

SIM Swaps: How Your Phone Number Is Key to Your Personal Data (143)

In this episode of InTechnology, Camille and Tom get into SIM swaps and mobile security with Haseeb Awan, Founder and CEO of Efani Secure Mobile. The conversation covers what happens in a SIM card attack, what you should do if you catch one happening, and how to prevent attacks like these for yourself.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

Why and How SIM Card Attacks Happen

As Haseeb explains, SIM card attacks have one main objective: to steal people’s money by taking over their phone numbers and, through them, their personal data. Attackers take over a phone number by impersonating the legitimate phone company customer and obtaining a replacement SIM card for that number. This process is known as a SIM swap.

With control of your phone number, they can get into your online bank, email, and social media accounts through phone-number-based verification (SMS codes and password resets). Then, in a matter of minutes, the attackers can empty bank accounts, lock users out of their email, and even begin harassing the victim’s friends and family on social media for money while pretending to be the victim. These attacks can happen to anyone, not just public figures. Haseeb shares how even he has been a victim of SIM card attacks four different times.

What To Do If You Catch a SIM Card Attack

SIM card attacks happen fast, and most people don’t realize they’ve become a victim until it’s too late. Haseeb says the easiest way to tell that a SIM card attack may be in progress is a sudden and complete loss of cell service. If you notice this, the next steps are to contact your bank immediately and freeze all accounts, reset all your online passwords starting with email and social media accounts, remove your phone number from those accounts, and go to your nearest phone provider store to demand immediate answers and resolution. Time is of the essence, as you may not be fully compensated by your phone provider, or even by your bank, if your money is stolen.

Preventing Attacks with Mobile Security

There are several things you can do to prevent SIM swaps and improve your mobile security, Haseeb explains. He first recommends having as few people as possible on your cell phone plan, preferably only yourself; this keeps an attack on one line from spreading to everyone on the same plan. Next, he recommends removing your phone number from as many places as possible. Access to just your phone number can give attackers a path to personal data such as your social security number, bank account, credit cards, email and social media accounts, address, the schools you have attended or are attending, and your workplace.

Instead of using your phone number for authentication, Haseeb recommends using authentication apps like those from Microsoft, Google, RTC, etc. Finally, he recommends contacting your bank to put on record that you will never make a transaction over a certain amount, as well as getting a second phone number if possible.

Haseeb Awan, CEO & Founder of Efani Secure Mobile


Haseeb Awan is an expert in FinTech, blockchain, and mobile security. Before founding Efani Secure Mobile in 2019, Haseeb also co-founded BitAccess, one of the largest and first Bitcoin ATM manufacturers. His company Efani Secure Mobile specializes in mobile security plans for public figures such as celebrities, executives, and investors to protect against SIM card attacks, location tracking, and eavesdropping. Haseeb has earned a Master’s degree in Engineering Management from the University of Ottawa and has studied Financial Markets at Yale University. Additionally, he is an alumnus of both Y-Combinator and Next Founders.


[00:00:00] You’re listening to InTechnology, your source for trends about security, sustainability, and technology.

Haseeb Awan: I believe my telephone number is my identity. If I give someone my telephone number, he can find out everything about me.

[00:00:21] Tom Garrison: Hi, and welcome to the InTechnology podcast. I’m your host, Tom Garrison. With me is my co-host, Camille Morhardt. Today our guest is Haseeb Awan. He is CEO of EFANI Secure Mobile, where they work with executives and public figures to protect them against SIM swap, eavesdropping, and location tracking.

We’re gonna focus on the first of these–SIM swaps–and learn how your phone number is used to hack into your bank accounts, social media and emails. And Haseeb is going to share what you can do to protect yourself. So Haseeb, welcome to the podcast.

[00:00:56] Haseeb Awan: Thank you, Tom for having me on. Looking forward to talking to you and Camille.

[00:01:02] Tom Garrison: Haseeb, can you just spend a minute here and describe what is a SIM swap attack? How does it work?

[00:01:08] Haseeb Awan: What happens is someone walks into a store and pretends to be you and tries to convince the operator or the guy or agent that you lost your phone. So they say, “oh, you know, I’ll give you a new SIM.” Now I have your SIM card.

When I have your SIM card, I can go into Gmail, Yahoo, Hotmail and do a password reset. And the first thing they will ask you is “what’s your telephone number for recovery?” Now I’ll do password reset. I got your telephone number, I got your email address. Once I have that, I run a software that will go through all your emails and figure out which financial institution you bank with, accounts you have like Chase. And I’ll go to Chase Bank and say, “I lost my password,” and now you email your telephone number and based on that, I can get into your accounts–into your Facebook and Twitter and all those things. So within like maybe half an hour, an hour, all your money’s gone.

Then they’ll start attacking your Facebook, download all the history, and take over your accounts and pretend to be you and asking people for money. And worst come, what happens is they’ll download all your history and may blackmail you, cuz now they have access to your email address too, and they might find someone.

[00:02:24] Tom Garrison: First of all, that’s really scary. Because it seems so simple and, you know, we sort of protect ourselves with the two-step verification and those, and it’s really your phone. So if they take your phone, then you’re not protected.

But the weak link in that chain seemed to be–and let’s see if I got this right–it’s not really related to you as the user; it’s more like we are all dependent on the person that’s working at the AT&T store or the Verizon store or whoever we use, that they are protecting us by not being fooled by a bad actor coming in, pretending to be us. Is that a correct statement?

[00:03:10] Haseeb Awan: That’s accurate, but also there are gangs working in those stores who do this for money. You pay them a hundred, $200 and they will assign your number to anyone that pays them money. So I know I’ll make $10 per hour working on a store, but I can make $500 per SIM swap.

So a lot of those stores are third party, so they don’t share employment record as well. So if you get fired in Montana in a store, you can just fly to Dallas and get hired in a different store and start doing it again.

[00:03:47] Camille Morhardt: Wait, you mean, so there’s like a network of people who work in these stores and do this proactively?

[00:03:53] Haseeb Awan: That’s right, Camille.  There’s people—

[00:03:56] Camille Morhardt: … swapping SIM cards out.

[00:03:57] Haseeb Awan: Yeah. That’s their business. That’s their business model. They do this for a living.

[00:04:02] Camille Morhardt: Wow.

[00:04:04] Tom Garrison: And so how, as a user, how would any of us know that we are being attacked like this?

[00:04:11] Haseeb Awan: So, first of all, your phone will, uh, lose signals. That’s the most obvious indication. So you’ll not be able to text message and call and it’ll show SOS like, similar to when you have no signal; your phone will lose bars.  That’s the easiest way to find out.

[00:04:27] Camille Morhardt: And that’s because the phone number has been transferred to somebody else, so you no longer have it.

[00:04:32] Haseeb Awan: That’s correct. Yes.

[00:04:34] Tom Garrison: So what is, I guess, the obligation for, let, let’s just use a, a, a big name, you know, AT&T Verizon, whatever, the big T-Mobile, what is their responsibility if I get a bunch of money stolen from me, and this gets tracked back to the fact that this SIM swapping thing happened, can I hold them accountable?

[00:04:56] Haseeb Awan: Yes. And they’ll send you a letter of apology. “I’m so sorry Tom. We lost your money. We’ll give you $2 and 30 cents for losing all your money.” That’s the most.

So I actually thought about this a lot of times cuz I got hacked four times and I was always talking about why this is a hole, so I looked in regulations. FCC requirements are that you have to transfer a number within four hours. So I think in every number transfer takes like five minutes or something.

So legitimately, if you walk into a store and you want to switch from Verizon to AT&T or T-Mobile, you won’t be standing there for an entire day for them to do verification. Or you legitimately lost your phone and you walk into a store and you say, “I am here on a vacation. I lost my phone. I don’t have an ID do something for me.” And they have to do that. And by FCC law, they have to entertain such requests within four hours. If they don’t do within four hours, they will get fined from FCC.

So now think about these companies dealing with 20,000 requests per day, 50,000 requests per day, I don’t know, maybe a 100,000 requests per day. They don’t have the resources to verify each and every request because impossible for them to do that.

[00:06:12] Camille Morhardt: I have never felt like I needed to be protective of my phone number. If you are giving out your phone number, like at networking events or conferences or just casually because you never thought of it as a security, as your multifactor authentication, how protective should we be of our phone numbers?

[00:06:31] Haseeb Awan: If you look at telephone number, like if I meet you Tom at a networking event, right? “Tom, can I have your social security number?” You’ll say, “this guy is like fool, right? Like what is he talking about.” But if I tell you, if you gimme a telephone number, by telephone number I can find your social security number. I can probably pull up which credit card do you have for long and how much you spent last month. Where do you live? Which school did you go to? What’s your social media profile?

And the way it works is that whenever there’s a data breach it goes into a data dump. So think about this, a big bucket of data dump. Marriott got hacked, they threw all your information. Now Equifax got hacked and the information start linking. Cause on Marriott you may have how many people were with you on this trip. So now you can find out who is the spouse, who are the family members. Which car did you have? And then which license did you have? Some second database may have your email address or your passwords. So there’s a big data breach being built for every person.

And with AI you can actually scrub people’s information and find out if you wanna say who should I hack? You can literally go to uh, zillow.com, find out which houses were sold in the last 60 days for over a million dollars, pull up all the information, see who is above 55 and which bank they have and boom, you got everyone person who can be attacked.

[00:08:03] Camille Morhardt: So to protect against this, I’ll just at least say in the future, are we migrating toward very specific identity based multifactor authentication–like the sound of my voice or my image, you know, my heart rate, something that is unique to me, or can those things be spoofed now that we have generative AI and deep fake technology?

[00:08:25] Haseeb Awan: Right now, telecom is like more like a commodity. You go to a plan which is cheapest one. You have your uncle on it, you have like, you know, okay my friend come in, I’m getting extra line. “Hey, can you join my plan?” cause you’re getting a discounted trade.

I think there’ll be need for specialized companies who only focus on these threats and it’ll be like a multi-factor, like, you know, similar to like you have premium class. My feeling is what will happen and then you’ll have like a first class, an economy class because identity is something if I lost once, I can’t get it back.

Like, you know, like you have my social security number, now I’m afraid of it being misused all the time. And then, um, I don’t even know the risk to be honest, but telephone number is something that I took as a mission is because I believe my telephone number is my identity. If I give someone my telephone number, he can find out everything about me.

[00:09:24] Tom Garrison: I think we’ve done a good job of talking about the threat. The threat is people can–with little pieces of information about an individual–they can go to dark web sources and stitch together a much more comprehensive picture of who you are. And then based on that, they can trick other people to, you know, bank account information or whatever. So that’s the threat. So can you talk to us about what do we do about it?

[00:09:53] Haseeb Awan: So first of all, I encourage everyone, don’t put everyone in your cell phone plan. Your threat factor is different from your wife or daughter or your colleague. They will attack the person who is the weakest link in your family. I’m against corporate plan and family plan. I believe everyone should have their own plan, but just link to that.

So I just think that people should remove their telephone number from as many places as possible. So I’ll give you example. You can go to Facebook and say, “I don’t want to use my telephone number, what’s another authentication method?” Uh, you can have application based like Microsoft, Google, RT, everyone have built app first authentication that you used. Get a hardware key that you can use to authenticate.

And one other thing is call your bank and tell them, “I will never, ever do a transaction above this amount” and put it in notes. Because we are used to like FDIC insurance; FDIC insurance does not cover, like secured card is covered, but a lot of time these things are not covered.

So to summarize, make sure that you’re not on a family plan; but even if you, for some reason, you decide that it’s okay, then make sure telephone number does not exist anywhere in systems that you’re dealing with. And other option I normally suggest to people is that maybe have a second number, just so people don’t know about that number and don’t give it to anyone. So it could be like a wiped number or something. But the challenge, the wipe number is a lot of banks do not accept it. So that’s becoming a challenge. But that may be a good practice, as well. Because if you have to get into someone account, there’s only couple of things required. Number one is your account number. Account number is easy to find. You can literally walk up to a store and ask the guy, “I want to change my phone. Can you look into my account number?” And they will give it to you. Other option is you call in and you say, “I’m gonna pay my bill. I forgot my account number.” And they say, “oh, here is the account number to do it.” So account number is number one thing that’s required to make any changes.

Number two is PIN. PIN, again, we can bypass that. But the, the other critical part is your zip code. So if you put a random address, but the zip code is the same, someone will be able to get into account ‘cuz they don’t require any information, zip code, account number and PIN.

So these are three things you have to protect your telephone number. So if you have a, I would say not fake, but a random zip code on your account that is not related to your real world, you may reduce your chance. And then some companies offer, um, these protections too. They don’t work. But still it’s better just to have something rather than nothing.

[00:12:36] Camille Morhardt: Do you think that most of the people at risk, I mean your, certainly your clients and customers are, you know, senior executives. People who, there’s pretty much always somebody trying to figure out where they are at any given time–whether they’re trying to piece that together for identity theft or IP reasons, or you know, the IP theft.

I wanna know, do I have to worry? Is this something, is it limited to, you know, people who are like extremely public figures?

[00:13:03] Haseeb Awan: So I thought the same thing too. I said I’m an ordinary person. Like I was tech founder, but at the same time it wasn’t. I was like some special guy, right? There’re like billions of people like me.

So location tracking is obviously very critical attack. Uh, and we don’t offer it to average consumer. Like we specifically asked that “why do you need it?” And some people say, “you know, my ex-boyfriend is spying on me.” We say, “You don’t need it.” Some people say it’s too expensive, and I say, “you know, you don’t need it because you know, that requires hundreds and thousands of investment. Like location tracking and eavesdropping is complicated part, so you don’t need it.”

But SIM swap is certainly, I believe someone can get you into account, right? Like not just your personal account, but your corporate accounts. So that is a challenge that you have and a lot of attacks happen in evening. So like Friday evening, you cannot even go anywhere. So yes, you do have to worry about SIM swap. And I say that all the time, that prevention is better than cure. Right. If you have a choice between giving someone your phone access or your home access, what would you prefer to give, if you have to pick between these two things?

[00:14:10] Camille Morhardt: Well, before this call, I would’ve said phone (all laugh).

[00:14:16] Tom Garrison: So let me, let me ask you this, Haseeb, you, you mentioned before that even if you knew that you were being attacked and you were on, you’re trying to figure out what to do, you’re on the computer, what DO you do? I mean, in this scenario, let’s just say you’re lucky enough to figure out that something bad is happening and you’re now on the gun cuz you have minutes until, yeah, really bad things happen. What can you do to stop this?

[00:14:46] Haseeb Awan: So first of all, you have to understand that they will come after your money. So obviously that will be the first one will be the bank account. So how do I get in touch with my bank as soon as possible? Second thing, they will go after your email and the third thing they will go after is your social media.

If hypothetically it happened, I’ll call my bank and try to get in touch with my bank as soon as possible and tell them to put a freeze on every account I have. Second would be email, and then third would be social media and try to do password reset. Take out my telephone number from there, then just run to your closest store. And the challenge is they don’t know what’s going to happen, so they’ll say, “oh, you know, we look into the morning.” And you say “no, it needs to be very critical. This is not a regular attack and I need the answer right now.”

[00:15:40] Tom Garrison: All right. Well, so I feel like I was living in a world that was much happier before we started this conversation, but I do appreciate the input. I think our listeners probably are some level of freaked out, as well. But you gave some good advice, so thank you for that. But before we let you, we do like to do this segment on our podcast called Fun Facts, and I was hoping that you have, uh, some fun facts to share with us.

[00:16:11] Haseeb Awan: Hundred percent. And before I share, like I just think cybersecurity is nothing to be afraid of. And we have such easy tools to take care of all the security, keep your hygiene clean and you should be fine. So now coming back to the fun fact, so I live in San Juan, Puerto Rico, and Wakanda movies were shot here. And I didn’t realize that, okay, you know Wakanda was shot here and I’m watching it and I said, “this looks familiar,” you know? And I realized that’s like half an hour from me.

And second thing a lot of people do not probably know is that in Puerto Rico, there are over a hundred islands, small islands or islets, you call them, but they’re a hundred islands and only three are uninhabitable.

[00:16:57] Camille Morhardt: Nice. I didn’t know that.

[00:16:58] Haseeb Awan: Yes, you can go to any island and you can pretty much spend a night and by yourself and probably no one will bother you.

[00:17:05] Tom Garrison: Wow. Yeah, I had no idea. I had no idea. Those are both interesting, fun facts.

[00:17:10] Camille Morhardt: You didn’t know that Wakanda was being filmed there when it was being filmed there? That seems like it would be massive crew and stuff.

[00:17:16] Haseeb Awan: I’m sure. Like I didn’t know. Right. Obviously, like, I don’t know when it was shot, like I just saw the movie. And the most interesting part, like a lot of people don’t know that in Puerto Rico, that’s the only place in the world where Americans do not have to pay federal tax.

[00:17:31] Tom Garrison: Oh. Well, now we’re getting interesting.

[00:17:32] Camille Morhardt: Now we’re good information. (all laugh)

[00:17:38] Tom Garrison: All right. Well, hey Haseeb, I do want to thank you for spending time with us today and educating us on some of these threats.

[00:17:45] Haseeb Awan: Thank you, Tom, and thank you Camille for having me on the show.

Stay tuned for the next episode of InTechnology and follow @TommGarrison and Camille @Morhardt on Twitter to continue the conversation. Thanks for listening. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
