Friend.tech rolls out 2FA feature amid surge in SIM-swap attacks
Decentralized social media platform Friend.tech has launched a new 2FA feature to counter rising SIM-swap attacks targeting its users.
The team behind the decentralized app announced in an Oct. 9 X post that users can now set up a 2FA password on their Friend.tech accounts for extra security in case their mobile carrier or email provider is compromised.
Users will be prompted to set up this extra password when they sign in on new devices.
Importantly, neither Friend.tech nor its security partner, Privy, can reset these passwords, so users are advised to exercise caution when setting them up.
Friend.tech users targeted by SIM-swap attacks
The move to enhance security protocols follows a series of SIM-swap attacks affecting Friend.tech users since September.
These attacks have led to the theft of an estimated 109 Ether (ETH), equivalent to nearly $500,000. One hacker alone was responsible for stealing close to $400,000 from various accounts on the platform.
Yu Xian, the founder of cybersecurity firm SlowMist, tested the new 2FA feature and shared his experience on social media. His findings indicate that the feature is functional and adds a needed layer of security.
Friend.tech had previously rolled out security updates on Oct. 4, which allowed users to add or remove different login methods.
However, some argue that the 2FA feature should have been introduced sooner, given the severity and frequency of the attacks.
On Oct. 9, Jason Yanowitz, founder of Blockworks, provided insights into how the SIM-swap attacks are carried out.
Attackers send text messages to users, ask them to change their numbers, and require a “YES” or “NO” response.
If the user responds with “NO,” they receive a legitimate verification code from Friend.tech, which the scammer then prompts them to forward.
Failure to respond within two hours results in the change being made, putting the account at risk.
Earlier today, the head of Defiant News reported that his Friend.tech wallet was emptied due to a sophisticated phishing scam, adding another layer of urgency to the platform’s need for robust security measures.