AI search tools are being used by criminals to sort through data breaches and data dumps they’ve stolen to target as many individuals as possible. After your phone has been swapped, they’ll have the ability to access all your SMS messages and phone calls. But there are precautions you can take.
Today’s guest is Mark Kreitzman. Mark is a seasoned cybersecurity expert with over 20 years of experience in building cybersecurity companies. Mark brings insights into evolving threats facing mobile security and data privacy. His expertise in our increasingly mobile world makes him a valuable resource in discussing how to mitigate your risks as it pertains to mobile communications.
“A lot of people don’t realize that when you give a carrier your social security number to open an account, you are essentially opening a credit account.” - Mark Kreitzman Share on XShow Notes:
- [1:02] – Mark shares his background in cybersecurity and what he does now in his career.
- [2:08] – In 2017, Mark experienced a SIM swap scam.
- [5:30] – He used his anger and paranoia to help develop Efani, a cybersecurity focused mobile service.
- [8:51] – When you get SIM swapped and the carrier recognizes that you’ve been attacked, they go into liability protection mode.
- [11:16] – Mark shares some of the details of what happened in his experience and explains that he still doesn’t know if he was specifically targeted.
- [14:00] – Through fraud, scammers can actually become resellers.
- [17:27] – SIM swapping started as a way to target and harass celebrities.
- [20:52] – Once scammers have information, they can get into many different accounts because people tend to use the same passwords.
- [23:14] – Everybody’s information is floating out there. Data breaches give scammers and fraudsters access to so much.
- [24:19] – Mark describes what you will see on your phone from your end when a SIM swap scam has occurred.
- [28:42] – Efani is a mobile service provider. Mark explains how they are different.
- [31:28] – With a $5 million insurance policy, Efani does everything possible to protect it.
- [34:54] – Efani is extremely busy because there are so many cases of this problem.
- [37:07] – When you give a carrier your social security number to open an account, you are essentially opening a credit account.
- [39:58] – Unfortunately, many people don’t know about this type of scam. It is a silently growing trend.
- [42:08] – With Efani, mobile carriers are never given a customer’s information.
- [45:45] – Mark tends to live on the paranoid side after being a victim of this type of scam. He shares what he does when he travels.
- [49:05] – Using a VPN while traveling is a great idea to help protect yourself.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Efani Website
- Efani.com/EasyPrey
Transcript:
Mark, thank you so much for coming on the Easy Prey Podcast.
Thanks for having me on. I appreciate it.
You're welcome. Can you give myself and the audience a little bit of background about who you are and what you do?
My name is Mark Kreitzman, and I have been in the cybersecurity space well before it was even called cybersecurity. I did join my first security company in 2002 and worked for the founders. I had a couple of different companies; one got acquired by Microsoft, and it's Microsoft's cloud-based email security. Another one was acquired by Cisco Systems and as part of Cisco's web security solution.
I spent about the last seven or eight years dedicated to mobile security, and the last four-and-a-half years has been with Efani, which is a secure mobile service; we're in that space as well.
Got you. One of the questions I try to ask my guests who are in the cybersecurity space or in the counter-fraud space is: Have you ever been a victim of a cybersecurity incident or a scam?
Absolutely. It's one of the reasons why Efani exists. Just to give you a little bit of background on that, in 2017–2018, I had my own little startup. I was trying to do something in the crypto space. I got SIM-swapped, which means that my mobile account was stolen away. They got me right in the middle of the desert.
I happened to be driving alone in my car between Tucson and Phoenix. If you've ever been there, it's just dirt road. There are no Walmarts out there. My choice was, do I drive to the nearest Walmart and beg somebody to use their phone to call my carrier or just complete my journey and go to my father's house? That's where I was heading.
I decided to go there. I pulled up to the garage, Wi-Fi kicked in, and six password resets went up my phone. I kept trying to think to myself and hope, “God, I hope I didn't pay the bill.” Maybe that's why my mobile account stopped, but I had it on autopay.
It turned out that somebody stole my mobile account away, and they got into one of my crypto accounts, a bank account, a cloud account, an email account. They stole my mobile account for 61 minutes and then ported it back to my phone. To make this long story short, I didn't sleep for basically 90 days. I was afraid to use Wi-Fi because I thought it might mask the fact that my cellular wasn't working. I wasn't sleeping.
I searched out for the only person. There's only one person that claimed that they had solved this. I connected with them off of Linkedin. He's the founder and the CEO of Efani today. We hit it off because he was in the Bitcoin ATM business. I wasn't getting into crypto at that time, so we hit it off. I told him that I've been building cybersecurity companies for 19 years at that point, and I've never been so angry in my life.
All it took was an employee at a third-party retail store that was 4000 miles away. Somebody lied to the computer to say that I was standing there with my IDs. -Mark Kreitzman Share on XI had all this experience, all this knowledge. I had everything set with the carrier, requiring that I had to be in a store with my driver's license and my passport to make a change. I thought that would be the last thing I would have to worry about. All it took was an employee at a third-party retail store that was 4000 miles away. Somebody lied to the computer to say that I was standing there with my IDs.
I was so angry that I actually dropped my own project because it also got affected by this SIM swap, because they got into my hosting account and affected the website. I was so angry that I dropped that and decided to do this Efani thing. We were a two-man show at the time, and we have built it up now.
Now we've got customers that are high school teachers, people that own their own jets that fly all over the world, and a lot of privacy people, a lot of crypto people but venture capital, people in banking, doctors, attorneys. We can get into the profile later on. It's been a fun journey turning something that made me so angry for so long into something that is now worthwhile.
I could totally imagine the paranoia that that would create having the account snagged. It's interesting to me that they actually ported it back shortly afterwards. I would have suspected they would have grabbed it and kept it.
That's what freaked me out. I didn't know at the time that they even ported back. In fact, I was talking to the carrier guy. When I'm talking to him, I was in a panic. I called him on my cell phone. After we determined that somebody stole my account away, I'm like, “How am I even talking to you? I don't understand. Is there some feature that you have where I can call you?” He's like, “That's a really good question.” He looks and he's like, “Oh, they ported it back after 61 minutes.” Even he was like, “I didn't know that I could do that.” He said that that would require somebody out of store calling their back office to port it back.
I still have PTSD over it. I love to travel. The thought at that time was like, if I'm on a plane going to Bali, Jakarta, Bangkok, or Singapore, and I land in Vietnam and your mobile account isn’t working, that means they could have had up to 20 hours of access just resetting passwords. You're in a foreign country. You don't know the language. Now, how do you find a phone? How do you even call? Because they're going to think you're the hacker.
I was even paranoid just playing golf for four or five hours, but the worst part was I was paranoid going to sleep. If I woke up at three in the morning or five and seven, I was looking at my phone and I'd say, “Do I have LTE?” I'd be like, “Oh, yes, still there.” After 60 days, I looked like I should probably get into the hospital because it was that devastating to me.
The amount of money they got was very limited. It was the fact that they had taken a business website down and got into an email account. I was lucky they got into a bank account and a second crypto account I have, and those were empty. Those were very limited. I didn't really use them. It could have been worse. The idea that somebody could do that so easily, but it was definitely […].
Do you know if it was an inside job that was solely the retail employee that was doing it, or someone actually came into the store claiming to be you, and he was just doing it trying to be a good employee?
When you get SIM-swapped and the carrier recognizes, “OK, you got attacked,” they go into liability protection mode. You can get angry, you can yell at them. It doesn't matter. They just shut up and they're like, “Yeah, we can't tell you anything.”
The usual case is, if you want to find anything out, you have to call this other 800 number, and that's for criminal activity. You call that number and then they say, “Well, this is only for police.” You have to go to the police station, and then try and get somebody for them to call, but now they're confused because they're like, “Oh, are they local? What state did this happen?” It's like, I don't know. It might be China, Belarus, could be my next door neighbor.
They get confused and they don't want to handle it, so you have to force them. Then they'll call and it's like, “Yeah, this is the police line, but you have to have a subpoena.” If you go to an attorney, the attorney's like, “Well, did you lose $200,000 or more?” “No.” “OK, well, good luck with that.” What I had to do, I kept calling trying to figure out. I kept telling them, “I think you're lying to me.” They just wanted me to go away.
I happened to be traveling in South Lake Tahoe, and I saw a third-party store. I went in there, and I had to trick them. I told them that I travel a lot. On this particular day, some other store employee, I went in there in an emergency. They ported my number over to another phone, and then I ended up finding my phone in the bottom of the car. I went back in and they ported it back.
I told him I was going to send him a thank you card. “Could you please look it up and tell me because I can't even remember what store it was.” They were like, “Oh, sure, yeah.” They went to the computer and they gave me the employee ID. Through that employee ID, I was able to determine who I thought it was. I looked at that city. I looked at who worked at that store, and I found social media of somebody that matched. I actually know who did it.
I called the carrier back and I'm like, “Look, I have the employee ID. I'm pretty sure I know all the details.” That's when they finally admitted that, “Oh, yeah. What happened was that it was their last day at the job, so they ended up doing this to three people.”
They were out of Memphis, Tennessee. They ended up doing this to three people. They knew at the end of the day they were quitting their job anyway, and you were just one of the unfortunate people. They most likely had seen me doing an interview in a video or on a website that had to do with crypto and probably thought that, “Hey, you might be a good target.” I still don't know if they worked with an outsider.
Really, the only reason I was really angry at the carrier for not giving me info is because I wanted to know, was it a professional or not? Because if it's a pro, then they could have linked up an email app and downloaded one, two, three, four, five years of emails. If they were a professional, and they were able to download this information, if somebody gets into your email, they might even be able to create a CC every time you send an email, and it's CCs on. They just made it really difficult.
In the end, I pretty much determined that I think it was just an amateur employee working at a third-party retail store that either did it themselves or had somebody that was out working with. Maybe they gave him access, they're out in the parking lot, trying to do what they did for 61 minutes, and then ported it back. I don't know the details of it, but the employee I would say definitely was in on it.
It's interesting to me that a third-party was able to override the carriers and must be present in person with multiple forms of ID rule.
That's the crazy part about this industry. That's one of the things that at Efani, we do our best at trying to close that down. The way the industry is greater is if you can get approved and certified as a reseller, you're given access to these portals.
Through those portals, if you have somebody's account number, their mobile number, and a temporary transfer PIN, for example, then you don't need to really know much about that person. You can pull somebody over from Mint Mobile, Crosstalk, US Cellular, T-Mobile, AT&T, and all these resellers can do that.
The scary part about it is they've all got so much automation, because if you're going to leave one of the carriers, like if you're going to leave T-Mobile, they want to make that super cheap. They make it so that no humans have to talk to each other. That's the scary part of the industry.
Imagine you're somebody where you could actually, through fraud, become a reseller. Carriers have been trying to cut down and prevent that from happening. But if somebody can fraudulently become a reseller, and this has happened, then they could send out a promo to 100,000 people saying, “Get wireless service for $19.95 for the next six months by switching over to us,” but they're actually a SIM-swap scam. You voluntarily call them up and say, “Oh, I'd love to take this deal on,” not knowing that it's a fraudulent carrier that only plans on being open for 24 hours.
That's interesting to me because I remember early days of cell phone plans as you couldn't port to another carrier. If you decide, “I don't like AT&T; I want to use Verizon,” AT&T was like, “Fine, you can cancel your plan, but you can't take your number with you.”
Yeah. You reminded me. When I came out of grad school, I actually worked for AT&T. The project that I was on was called the portability project. That's how long I've been in this industry. I was fresh out of college. I could program a bunch of different languages.
I was one of the main coders that actually helped automate this process that allowed portability. If you had an 800 number, you're stuck, and carriers could charge outrageous amounts of money for that.
That was called the portability project, and that's what allowed it. That's based on this SS7 protocol, which is actually another attack vector for hackers to try and get people to get access into their mobile accounts and do things. That would be a whole ‘nother video, the SS7 attacks and how that applies to what's happened.
The protocol that does call routing handles 800 number routing and text messaging is all based on the protocol that was released in 1985, I believe, or 1975. Imagine how many holes there are in this protocol.
Back in the day when people weren't thinking about security.
Yeah. You're just lucky that the thing worked. The SS7 protocol has been around. That's what they used for landlines at the time. When mobile phones came along, they started using it for mobile phones. SS7 definitely predates me. I'm not that old. If people knew how open mobile was, they would definitely use their phones a little bit differently.
In the beginning when SIM-swapping happened, was it particular people—I think I have anecdotal hearings of this—or is it often used targeting people in the crypto space initially?
It started out of celebrities. If you were to go back to when you remember, some celebrity got her photos stolen off of her phone or cloud service, then that was most likely a SIM swap. It started out to be a harassment-type thing or a blackmail. When the bank started linking up phone numbers, then they were going after high-profile people, and they would try and go after them financially.
Before the crypto, they started doing SIM swaps to go out to people's social media. That could be anybody. Let's say you built up 20,000 followers on YouTube and it took you years to do it. They would SIM swap you, steal your YouTube account away, and then want a ransom back.
But then crypto came along, and then that was the target because people that were invested in crypto, most people don't have any idea about security, they don't even know that their mobile account can be stolen away. It was just easy prey. SIM-swapping just skyrocketed at that point.
It kept skyrocketing, but there are now a couple of things that have changed it. That is when the eSIM came along. Before the eSIM came along, if I'm a hacker, then I have to have a SIM, but I can port people's number too. I can only do one at a time, and I would have to have multiple SIMs, and those SIMs could actually be blocked at some point.
But now with an eSIM, if I'm a SIM-swap hacker, and I go out and get an iPhone 15 that's got two eSIMs on it, and an eSIM can handle eight eSIMs, and you can only have two active at the same time, but I could have 16 eSIMs on my phone.
On this phone, for example, this is an older iPhone, I've got eight eSIMs on it. What that means is I could SIM swap eight people on it, then delete those eSIMs, and SIM swap eight people, eight people, and keep doing that. Now I have no limit as a hacker as long as that phone is not in my name. I could steal it from somebody, pay cash, and now nothing's ever in my name.
The other thing that's changed for the SIM-swapping in terms of who's a target is these big data breaches. These data breaches of a travel bureau, the government, a hospital system, or the carriers themselves, when they steal 10,000 people's names, or a recent case, AT&T announced just a couple of weeks ago, you can Google it that they have 71 million records that got debased.
In fact, we got notified two weeks ago about a website, where if you go in and you put the AT&T number in there, it shows you their info. It doesn't have to be that, it can be anybody, any data breach. Now they have your name, your phone number, and email ID. A lot of people use the same email on different accounts, and they'll use the same mobile number on different accounts. A lot of people might even use the same passcode.
To give you an idea of where AI search tools are at this point is there are actually sales tools on LinkedIn where I could go on LinkedIn and say, “I want a list of all the people that have crypto on their profile.” The C-level executive, they're located in the US, maybe one other thing, and try and get that down to 1000 people.
I can use this sales tool to then provide me some basic contact information for them. I can now run an AI search tool on just those few elements, and it's going to go much deeper. It's going to find all the elements related to each of those elements.
I had a guy run this on me. It found four different email IDs, and two of them I forgot I even had them from years and years ago. It found three landlines from my past. It found mobile numbers that I had given up years ago, but it found a few mobile numbers that I have.
One of the emails it found was one I thought like, “How could this be on this list?” I got chills. I couldn't wait to get off the call, because it happened to be an email that I was using for one of my crypto accounts, where I hadn't thought that I had kept it really secure. I immediately got off that call, created three different email accounts, three different crypto accounts, and spread those out. That's where the AI search tools are at.
Anytime these companies have a data breach and they're like, “Oh, don't worry about it, we got it under control,” what they want is you to sit back because nine months from now, when you get SIM-swapped or there's a loan taken out in your name, you won't be able to link it back to that. You won't be able to then sue them.
These carriers—not to pick on AT&T because T-Mobile had several hacks—I think they've had three major hacks in five or six years. They had one where it was 50 million people, 31 million, 37 million. Everybody's information's floating out there, and that includes your Social Security number in many cases. It's scary. We know whenever these data breaches hit, there are going to be victims that end up calling us.
Got you. We've talked a little bit about how people get the information that they can do a SIM swap with. You talked about losing your LTE connection while you're driving. It happened while you're out in the middle of the desert. What are the signs that if you have cellular connectivity, you might notice that a SIM swap has happened?
Typically, when you get a SIM swap, it means that you'll get no network detected. It will be an error that you’ve just never seen before. What it means is your phone doesn't even recognize that it has a carrier SIM in it anymore.… Share on XIf you have one bar showing then you're not SIM-swapped. You might be in a bad area, or you might just have gone out of coverage. Typically, when you get a SIM swap, it means that you'll get no network detected. It will be an error that you’ve just never seen before.
What it means is your phone doesn't even recognize that it has a carrier SIM in it anymore. It may be physically in there. You may have an eSIM in there, but once that mobile account's taken off, then your phone's no longer even trying to ping a network. It will either say no network detected or something very similar to them.
No carrier. I think I saw one of my phones said no carrier or something like that.
“No network detected,” “no carrier detected,” or “no carrier available.” Those are signs where you need to immediately call and make sure. Absolutely.
Would that be the same true? Let's say if I have a US carrier and I'm traveling in a foreign country, would I expect that no network available to still happen if I was swapped, or could there be other reasons?
No, it'd be different. You just wouldn't be able to make a phone call, nothing would work. You wouldn't have a “no network detected.”
You wouldn't be able to make calls, but it would still have a network somewhere. I'm curious, have you guys seen in the last couple of years a lot more customers coming to you because they have been SIM-swapped or because they're concerned about it?
I would say that more and more people are coming to us because they have been SIM-swapped. Sometimes it's like, “I got SIM-swapped last week, and I don't trust the carrier anymore.” A lot of times it's, “I got SIM-swapped last year; I didn't even know you guys existed. I want to make sure that it never happens again.”
We're still building our brand. There are a lot of people that don't even know that a solution exists. It's just a matter of getting the word out. Also, there are enough people where anytime a high-profile person gets SIM-swapped, they go on Twitter. They'll go, “I just got SIM-swapped; what a horrible experience.”
Efani is at a point now where there'll be a number of people that will post like, “Oh, you got to use Efani; I use Efani.” We're lucky in a sense that we're in this position where, when it happens, our own customers will end up promoting us. We don't have to have this big marketing budget, which is fortunate because we can put more money into actually securing resources.
It's always great when your customers are raving fans of your product.
Definitely, a good percentage. At one point, 85% of our growth was referrals. It was just people telling other people. Again, I think the same thing happened in those cases where they knew somebody at work that said, “Oh, I got SIM-swapped,” or a family member, so they tell them about us.
That percentage is probably now down below about 40% just because the number of people that are VIPs getting attacked has taken over a good portion of the awareness that we exist. Certainly, doing podcasts and interviews has definitely been a good way to get the word out.
Are you able to talk about what you were doing differently that prevents people from being SIM-swapped away from you? If some employee at a kiosk halfway across the country on his last day can swap my phone out to a different carrier for 61 minutes, why can't they do that to you guys?
In a SIM swap, it requires an insider. That insider can be part of it knowingly or they could be part of it unknowingly, because they've been tricked. It requires somebody to be on the side of the carrier, even if it's a… Share on XIn a SIM swap, it requires an insider. That insider can be part of it knowingly or they could be part of it unknowingly, because they've been tricked. It requires somebody to be on the side of the carrier, even if it's a third-party retail store.
What Efani is doing differently is we're set up to resell AT&T and Verizon. You can obviously buy AT&T or Verizon directly. Let's say you want to buy AT&T through Efani, the differences are this: Once we port your number over to Efani, we do become your mobile service provider. Once you port over your number to Efani, we lock you down. From that point on, everything we do is manual.
Like I was talking about before of having these portals of being able to access and pull people over, once you're locked down, then another carrier is not going to be able to pull you out. Somebody has to talk to us. We have to have human intervention with our customer to go through this verification process.
A couple of other things that are different is that we would lock out all of the employees from AT&T from having access. We lock out the stores. We lock out all third-party stores, independent retailers that are selling the AT&T and Verizon brands, and we lock out their call center people.
What I mean by this is that if I have both AT&T and Verizon, since I'm in the business, I have multiple phones, if I go into an AT&T store and I hand them my phone here, and I give them my driver's license and my passport, and I ask them a question like, “How much data have I used?” they're going to try and help me. They’re going to go on their computer, and after a minute or two, they're going to say, “I can't access your account. There must be somebody else you can call.” That's all by design; that's what we want.
What we're doing is we are eliminating the people that can be tracked through social engineering, that people can be bribed. They could be the hacker themselves. They could be working with an outsider or an organized crime group that's trying to do this en masse.
There's been discoveries where there are actually groups inside of a carrier. One of the big influencers—I can't tell the details about it because he's part of an investigation—got attacked. He was telling me about how it went up to a VP level at one of the smaller carriers where there were five or six people they suspected were working together to hit a number of people. We're eliminating all of that access. All the security now is just mainly making sure that we secure ourselves. We also back this up with a $5 million insurance policy.
In one sense, you can describe our business as our main goal is to protect that insurance policy from never being utilized. We have a $5 million insurance policy to protect, and we have all the incentive in the world because that's our business. As opposed to a carrier, the carriers have done the math, and they've determined if you get SIM-swapped and you want to sue them, what you're going to find is they've slipped in arbitration clauses.
If you lost $100,000, you're going to have to sue, and you're going to have to settle. Even if you win, you're going to have to settle on 30%–40% of that. You're going to have to pay your arbitration attorney out of that, spend time to do this process. The carriers have done the math. It's cheaper for them to pay out in all these arbitration cases than it would be to hire thousands of people to do what it is that we're doing.
I know the details of how this works, because I've been asked to be an expert witness multiple times. I've never actually done it, but I've been asked at least three times in the last eight months. An attorney will get on my calendar. The last person to do it, the attorney was like, “I'm not looking to buy your service; I actually want to hire you. I've got eight cases, and all eight cases were under the same judge.”
He said, “The judge doesn't know what a SIM swap is.” I said, “Well, the reason I've turned these down is because we resell to the main carriers, and I don't want to be on a record going against them. I also know the guy that represents one of the carriers who used to be a CISO of the carrier. He's actually now one of our biggest fans. I wouldn't want to go into court for a carrier that we're reselling.” He said, “Well, you're in luck because it's not one of those two.” I'm like, “Oh, well, it's interesting.” I'm like, “Is it normally just one carrier?” He said, “No, it's normally split between all the carriers. In this particular case, I have eight of them with the same carrier, same judge.”
He said the defense of the carrier is that every carrier is getting SIM-swapped, and therefore it has been normalized. Because it's been normalized, the carrier should not be held responsible for it because now it's a normal part of that group.
That's why the guy wanted me to come and be part of this and to be part of the judge. He's like, “You've never been SIM-swapped, right?” I'm like, “Yeah.” He's like, “And those are because of these reasons, right?” I'm like, “Yeah, exactly. We don't have to worry about the carriers attempting to duplicate what we do. For one, they have independent retailers. Call centers have too many holes. They would have to hire thousands of people to do what it is that we do, so we don't have to worry about them trying to compete with us.” He was disappointed. He called me back a couple of times and like, “I'll pay you big money.” It's like, yeah.
Unfortunately, Efani is so busy that I'm not in the business of trying to make money by the hour. It's sad because I was a victim myself, and I talked to victims. Usually, I'm the techie nerd here. If somebody calls up and they've been a victim, 90% of the time they're going to talk to me, because I want to find out what's the new method. What did they use?
To give you two creative things that have happened, one of them, I had multiple people in a 60-day span call in. What they would get on their phone is the text message saying, “Your number’s being ported. If it's incorrect, reply to this text if you want to stop it.” As soon as they got that, a thousand texts would roll in. Their phone literally ding, ding, ding, ding, and they're sitting there trying to scroll.
One guy was telling me, he's like, “I'm yelling at my wife downstairs, ‘I'm under attack. Call the carrier,’” because he couldn't get back to the original text to try and respond to it. Literally, another guy calls me. A week later, he tells me the exact same story. They ended up getting into a business account that he had. They took $27,000 from him. The same thing happened to him. He was at the office trying to tell somebody from the office. Can you call my carrier?
Another thing that's become a popular method is that a lot of people don't realize, when you open up that carrier account, and you give them your Social Security number, in a sense, you're opening up a credit account. Somebody can go in and impersonate you, or they could have a buddy that works at a third-party store who's going to fake verify you. That person will come in the store and then buy a phone and a number off your account. Now they have a phone in your name and a line on your account.
They go home, and maybe they wait a day or maybe that evening, then they call from that phone and that phone number that is on your account. You don't even know it's on your account until you get your bill. They call them up and say, “Oh, I want to switch my old line to my new phone.” Of course, it's like, “OK, well, what's the device ID of your phone?”
They have the phone in your hand. They're calling on your number. Through that process of buying that phone off your account in a line, they may have actually said something like, “Oh, can I add an email ID, please?” When they call them to verify, they actually don't need to trick them anymore.
Because they're already in the account, so to speak.
Yeah. You can google, there's this guy named Bart Stevens who's the CEO of Blockchain Ventures. That's how he got hit. You can read the articles about it. Somebody bought a phone in a line off of his account. They got him for $6.3 million.
That's devastating.
He had a tech guy, so then they were going after his business. His tech guy caught somebody snooping around trying to get through back doors. They're going after tens of millions of bitcoin for that one. That could have been devastating. That one is public, so I can talk about that one.
Another one that was interesting was I talked to a co-founder of a company where they SIM-swapped them. They use the SIM swap to get ahold of their x.com account for their business. They happened to be in the crypto space as well. They tweeted that they were dropping a new token, so all the tens of thousands of followers started buying this new token. Of course, when the hackers got it out, they shut it down. In that case, it wasn't stealing their particular funds. They use the x.com account to trick people.
There are plenty of non-crypto examples of how this stuff can happen. I don't know if you follow Bitcoin ETF, for example. If you remember, the SEC tweeted early. That was a number swap. Somebody stole somebody's number at the SEC, took over the x.com account, and then tweeted out approval of the Bitcoin ETF. Imagine the millions of dollars that were made and lost off of that in that first 24 hours, and that's all over a SIM swap.
Plenty of victims call us up, and they've lost $3000, $6000. Some people call up and they're like, “Yeah, I didn't know what a SIM swap was. My mobile account just stopped working. I didn't even bother with it, so the next day I went to the store and found out that somebody ordered a new iPhone off my account. Then I got it back. When I got home, I discovered, ‘Oh, yeah, they got into a couple of accounts.’”
Somehow this has silently grown. If you go on YouTube and try to look for a major anchor talking about the issues with the carriers, you won't find any. But if you look at local news like Chicago news, Dallas, San Francisco, Orlando, you'll see it all over the place. It'll be warning people like elderly, “You're getting SIM-swapped,” or crypto people are getting SIM-swapped. You'll see all kinds of local news.
The last person to talk about the carriers doing something nefarious was where Lou Dobbs was on Fox Business. He had done a segment on the fact that the US government had purchased all the location data for everybody in the US without a warrant. Mysteriously, a couple of days later, he no longer was on Fox Business.
I don't know if it was related to that, but as an anchor of a major news channel, the biggest mistake you could probably make would be to go after the carriers and the pharmaceutical industry. It's 95% of their advertising revenue. It might explain why Lou had a sudden problem there. They're not going to make a big deal about this issue.
Talking about carriers selling location data. Does that apply to people that are MVNOs? Are they able to sell location data from people that are just rebranding the major carriers?
One of the good things about Efani is that the carriers are never given our customers’ information. In the case of the 71 million people's information being released, if they don't have the information, it can't be released. It can't be stolen. It can't be taken from an insider and sold on the black market. I can only speak about what it is in the case of Efani.
In the case of Efani, nobody's information can be stolen and sold because it doesn't exist with the carrier. It's our customer. We're protecting all of our customers' data. We also don't collect data. The only data that we keep is how to pay your bill and then how to verify you.
I would say that whether it's an MVNO or whether it's a carrier, if they're not specialized in security and privacy, and if they don't have an insurance policy to protect, your data is most likely being sold to marketing affiliates, regardless. It's not sold like Mark's looking to go to New Zealand. It's something like New Zealand Air going to the carrier and MVNO is saying, “I want to advertise to people that have searched about going to New Zealand.” It's done in an anonymous way. I don't even want that for me personally.
We don't do any freebies. You don't buy Efani and get free Netflix, free Hulu, or Disney+, or whatever exists these days. That's data-stealing. You're selling their data. Third parties getting involved that can collect data on you. The data collection on people, if you're worried about data being collected, it's way beyond what anybody realized.
I sat down one day, and I was going to do a video on all the data collection points and how many vendors it requires to make a text happen, make a phone call happen, because there are so many different components. People think AT&T and T-Mobile own all their cell towers, for example, but they don't. There are actually 107 different cell tower providers. There are really maybe seven, eight, or nine that are the majority of them. It could be a separate business, and then all the carriers are paying for space on that tower.
For the phones to be made, you've got chips and apps, the operating system, the phone itself. I thought this video would be three hours long. Nobody would ever watch this. I would end up […]. The best thing to do is make sure you have an antivirus, make sure you're using a VPN. Be careful about how you use your phone, what links you click on, and what you open, because that can definitely have a devastating effect. Be careful of these data breaches if your name's part of it.
When you travel, do you turn off Wi-Fi on your phone? That way you always know whether you're actually connected through the cell data?
I live on the paranoid side, being a victim. I tell most people, don't follow me because I have multiple phones. I have an Efani phone, I have my own private phone, I have a fun phone. I keep them all separately.
When I travel, I just make sure that settings like airdropper are turned off. If I'm taking an iPhone, Bluetooth is off. A hundred percent of the time, I have Wi-Fi setting to be always asked. The auto Wi-Fi join, you’ve got to be really careful about that. I could set up a Wi-Fi router right next to a coffee shop. I could even name it after that coffee shop or whatever I want to do, and then put no password on it. If you have auto join turned on, your phone could auto join that, then I could get a couple of bits of info off that phone off your device, and then use that to hack.
Actually on the opposite, when I travel internationally, I am on Wi-Fi almost 100% of the time. I used a little portable Wi-Fi dongle, and I do a lot of Wi-Fi calling and a lot of Wi-Fi texting. A lot of carriers don't allow that globally.
With the Efani plan, Wi-Fi is enabled globally for the Wi-Fi calling and texting, which means that if I'm behind a Wi-Fi connection anywhere in the world, I could be on an island off of Indonesia or anywhere in the world, if I'm behind Wi-Fi and somebody calls my US mobile number, it rings. And it's free.
If somebody texts me, I'll receive it for free. I can text them back, and I can call them back if they're in the US. I can call back to the US for free. Wi-Fi calling and texting is encrypted on my end. My calling and texting when I'm international is encrypted probably 100% of the time. I'm pretty religious about it. I'm the opposite. You don't have to be that way.
The security is the opposite of knowing whether you're going to be SIM-swapped or not, though, in a sense.
Yeah, it is. Definitely, if I were to go to Vietnam, for example, if I didn't have Efani, I would just be worried about the whole flight being a past victim. I know when I show up, my mobile account’s going to be there. When you have this Wi-Fi dongle, I don't have to pay $10 per day. Efani also offers the $10 a day experience when you're international as well. But for me, I like having Wi-Fi access anywhere I go in the world.
Definitely, VPN wherever I go. There are these devices that are do-it-yourself. The official device name's called the Stingray, and that's what the FBI uses, CIA, and that's what SWAT teams use. The police used to use it a lot. A number of them got caught using it on their boyfriend or husband, wife, and so on. Now they have to get a warrant to use it.
Years ago, somebody put do-it-yourself plans on how to build an IMSI-catcher. An IMSI-catcher’s a do-it-yourself Stingray. One of these videos of when crock pot bombs were popular for a year. “It is illegal to build it. Here’s how to do it, so don't do it, but here's how to do it.”
This is for educational purposes only.
[…] because it's educating. They did that about building these IMSI-catchers. If you go to the popular street in a tourist destination, somebody could have an apartment above and have an IMSI-catcher, use that to try and gather information on people. You have to be really conscious about what's going on around you.
Absolutely. As we wrap up here, how can people find you if they're looking for you? Not that you want them to find you personally, but if they want to find you online, where do you want to be found?
The Efani website, efani.com, is certainly a good place to start. I'm trying to put videos out on our Efani YouTube channel as well. It's a good place to get some information on the different types of hacks and also additional information on Efani, what we do, and how we do it. That's probably a good place to start.
Awesome. If anyone wants to support the podcast and they're interested in Efani, they can use our link, efani.com/easyprey. We'll make sure to throw that in the show notes as well. For those that want to move their services to be more secure, you can help us pay our bills a little bit.
Absolutely. Actually, you definitely want to use that URL because what we're doing is we're looking for people that we like their style, that they're trusting communities and offering a promo code. As part of that URL that you just talked about, there's a promo code that we're offering now on that landing page, and it's a $99 discount.
If you choose the monthly option, you're going to get your second month free from that. If you choose the annual option, that promo code will be taken off of the annual bill. If you were to back out and go to the Efani page, there is no discount. We're doing this because we want to know where people learned about us. We would really appreciate it that you actually take advantage of this discount. Please do so we know that you came from this.
Like I say, you won't get that discount if you come directly to us. We want to show appreciation to the communities that are out there trying to protect themselves and educate themselves, because you know, you're going to be the type of person that when you're happy, you'll recommend this as well.
Awesome. Mark, thank you so much for coming on the podcast today.
Absolutely. I appreciate it. Enjoyed it.
Leave a Reply