The team behind the decentralized social media platform Friend.tech has added a new security feature amid attempts to stem a flood of SIM-swap attacks targeting its users.
“You can now add a 2FA password to your Friend.tech account for additional protection if your cell carrier or email service becomes compromised,” the team explained in an Oct. 9 post on X (formerly Twitter).
Friend.tech users will be prompted to add another password in when signing onto new devices.
“Neither the friendtech nor Privy teams can reset these passwords, so please use care when using this feature,” Friend.tech added.
You can now add a 2FA password to your https://t.co/YOHabcBL3H account for additional protection if your cell carrier or email service becomes compromised.
Neither the friendtech nor Privy teams can reset these passwords, so please use care when using this feature pic.twitter.com/g0m2E4att2
— friend.tech (@friendtech) October 9, 2023
The latest change follows several SIM-swap attacks targeting Friend.tech users since September.
On Sept. 30, froggie.eth was among the first in a string of Friend.tech users to be compromised by a SIM-swap attack, urging others to stay vigilant.
got swim swapped for 20+ ETH (they drained my https://t.co/xb5o31p3Yy)… stay vigilant out there bros
set a PIN on your sim even if you don’t think you need to
— froggie.eth (@brypto_) September 30, 2023
More Friend.tech users came forward with similar stories in the following days with an estimated 109 Ether (ETH), worth around $172,000, stolen from four users within a week. Another four users were targeted over a 24-hour period just days later, with another $385,000 worth of Ether stolen.
Friend.tech had already updated its security once on Oct. 4 to allow users to add or remove various login methods in an attempt to mitigate the risk of SIM-swap exploits.
Several observers criticized Friend.tech for not implementing the solution sooner.
“Finally,” one user said, while another said: “took you long enough.”
However, a prominent creator on Friend.tech, 0xCaptainLevi, was more optimistic, stressing that 2FA is a “big deal” and can help push the social media platform to unseen heights:
2FA is a big deal. Road to $100M TVL never seemed brighter❤️ https://t.co/bxd3V3M3mx
— Levi ⚡️ (@0xCaptainLevi) October 10, 2023
In an Oct. 8 X thread, Blockworks founder Jason Yanowitz revealed one of the ways the SIM-swap attacks are being orchestrated. The process involves a text message that asks the user for a number change request, where users can reply with “YES” to approve the change or “NO” to decline it.
If the user responds with “NO” — the user is then sent a real verification code from Friend.tech and is prompted to send the code to the scammer’s number.
“If we do not hear a response within 2 hours, the change will proceed as requested,” a follow-up message shows.
“In reality, if I sent the code, my account would get wiped,” he said.
Someone is trying to hack my @friendtech
1) Text sent saying they’re changing my number
2) I respond no
3) They say to confirm no, send the verification code
4) Receive actual verification code from friend tech
5) After no response, they text again saying they’ll auto… pic.twitter.com/j76vI969jP
— Yano (@JasonYanowitz) October 8, 2023
Related: Friend.tech copycat Stars Arena patches exploit after some funds drained
The total value locked on Friend.tech currently sits at $43.9 million, down 15.5% from its all-time high of $52 million on Oct. 2, according to DefiLlama.
Cointelegraph reached out to Friend.tech for comment but did not receive an immediate response.
Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis