Efani is a cellular carrier focused on preventing SIM swap attacks. While Efani is a relatively new company, it’s becoming popular with security-minded customers, especially cryptocurrency holders.
Efani’s pricing model is simple. The carrier offers one option: an unlimited plan for about $99 per month. The service runs over AT&T’s network (some early, grandfathered customers may still have service over Verizon’s network).
In the course of my review, I trialed Efani’s services on each of the networks offered at the time. I also spoke with multiple people at the company, including Efani’s founder, Haseeb Awan.
Overall, I have a positive impression of the company. While I may probe further into Efani’s security procedures in the future, I’m largely persuaded about the effectiveness of Efani’s SIM-swap prevention strategies.
Although I expect Efani does its job well, I don’t consider the service a substitute for standard security procedures like using strong two-factor authentication or storing cryptocurrencies in hardware wallets when practical.
Efani’s status as a new and relatively small company is something of a double-edged sword. Aspects of the customer experience may come off as unpolished. E.g., when exploring Efani’s website you might see typos or fail to find details about some of the company’s policies. On the flip side, customer support is likely to be way better than what you’ll find elsewhere. With Efani, you won’t encounter automated phone trees or low-level support staff lacking experience.
SIM Swap Attacks
SIM swapping is a type of fraud where an attacker convinces a cellular carrier to switch a phone number from being associated with a customer’s SIM card to a SIM card in the attacker’s possession.
SIM swapping is commonly used by criminals trying to break SMS-based two-factor authentication. If a fraudster successfully SIM swaps a target, the fraudster can access one-time codes necessary for logging into websites or making financial transactions.
SIM swapping can also be used by attackers looking to impersonate a target or steal confidential information. Once an attacker has completed a SIM swap, the attacker receives all incoming calls and texts for the hijacked number. The attacker can also make calls or send texts originating from the hijacked number.
There are two common routes attackers use to SIM swap targets. In the first route, SIM swappers impersonate a legitimate customer, and use social engineering tactics to convince an employee at a cellular company to associate a target’s phone number with a new SIM card. In the second route, which I believe is less common, a SIM swapper relies on a compromised (usually bribed) employee with the authority to swap phone numbers between SIM cards.
Basics of SIM swap protection
Common measures for SIM swap protection can be split into two buckets. The first set of measures focuses on making SIM swapping harder for potential attackers. For example, people sometimes set security PINs that must be provided before a SIM swap is allowed.
The second set of protective measures focuses on making successful SIM-swap attacks less harmful. Avoiding SMS-based two-factor authentication is usually a good idea. Far more secure methods for two-factor authentication exist and don’t tie security codes to a phone number. Google’s free Authenticator app and physical security keys are popular options. I’m personally a fan of Yubico’s YubiKey products. Unfortunately, support for strong forms of two-factor authentication is limited, especially outside of the technology world. Many large financial institutions still don’t support non-SMS two-factor methods.
Beyond moving away from SMS-based authentication, there’s usually more you can do to make successful SIM swaps less damaging. The appropriate actions will vary based on your vulnerabilities and security risks. For example, cryptocurrency holders may want to hold their assets off of exchanges and on hardware wallets. If online accounts are compromised, assets stored on hardware wallets remain secure.
Efani’s Prevention Strategy
Efani describes its SIM-swap prevention strategy as “11-layer” and “military-grade”. While the complete details of the process are not public, Efani keeps an eye out for common tactics used for SIM swapping, and customers looking to swap SIM cards must go through several steps. Included in those steps is a mandatory, multi-week waiting period. The process is designed not to have a single point of failure. Multiple staff members at Efani are supposed to sign off before any SIM swap can go through.
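A minimal model of the two controls named above, a mandatory waiting period and sign-off by multiple staff members, showing why a single socially engineered or compromised employee cannot complete a swap alone. This is an added example, not Efani's code or process: the 14-day window, the two-approver threshold, the self-approval rule, customer cancellation and all names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: the page says only "multi-week" and "multiple staff".
WAITING_PERIOD = timedelta(days=14)
REQUIRED_APPROVERS = 2


@dataclass
class SwapRequest:
    number: str
    opened_by: str                 # staff member who logged the request
    opened_at: datetime
    approvals: set = field(default_factory=set)
    cancelled: bool = False        # set when the customer disputes the request

    def approve(self, staff_id: str) -> bool:
        """Record a sign-off; whoever opened the request cannot approve it."""
        if staff_id == self.opened_by or self.cancelled:
            return False
        self.approvals.add(staff_id)   # a set, so repeat sign-offs count once
        return True

    def blockers(self, now: datetime) -> list:
        """Return every reason the swap may not proceed; empty means allowed."""
        reasons = []
        if self.cancelled:
            reasons.append("cancelled by customer")
        if now - self.opened_at < WAITING_PERIOD:
            reasons.append("waiting period not elapsed")
        if len(self.approvals) < REQUIRED_APPROVERS:
            reasons.append("insufficient independent approvals")
        return reasons


def demo() -> dict:
    """Constructed scenario: one insider tries to push a swap through alone."""
    t0 = datetime(2024, 1, 1, 9, 0)
    req = SwapRequest("+1-555-0100", opened_by="staff-a", opened_at=t0)
    req.approve("staff-a")            # rejected: self-approval
    req.approve("staff-b")
    req.approve("staff-b")            # duplicate, still one approval
    early = req.blockers(t0 + timedelta(days=1))
    late_one = req.blockers(t0 + timedelta(days=15))
    req.approve("staff-c")
    allowed = req.blockers(t0 + timedelta(days=15))
    return {"early": early, "late_one_approver": late_one, "allowed": allowed}
```

Returning every blocker rather than the first one gives an audit trail of which independent controls a request failed, which is the property that removes the single point of failure.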
I largely believe Efani’s security works because the company has inverted the usual cost-benefit considerations around SIM swapping. The truth is, SIM swapping is easy to prevent if a carrier is willing to make the swapping process a pain in the ass. Most carriers aren’t willing to do that. Only a tiny portion of normal consumers are targeted by sophisticated criminals. Most carriers omit safeguards that would protect a small number of subscribers to make the customer experience slightly better for a large number of subscribers. Efani doesn’t follow the conventional approach. If you need to replace a SIM card with Efani, it’ll be a pain. That’s kind of the point.
Efani also inverts the usual costs and benefits around liability. If you’re SIM swapped as a customer of a major carrier and lose a bunch of money, your carrier probably won’t foot the bill or take a huge hit to its reputation. On the contrary, Efani’s whole reputation hinges on SIM swap prevention. If the company allows a subscriber to get SIM swapped, Efani will lose a ton of credibility. Further, Efani even has insurance that might mitigate damages from successful attacks.
In the event you are SIM swapped as an Efani customer, the company has an insurance policy that may cover up to five million dollars in damages.[1] Some legalese with details about the policy can be found on Efani’s website. I’m unsure how helpful the insurance would end up being in practice.
More Notes On Security
- My attempts to test Efani’s security were pretty feeble. If my review attracts a large audience, I may make an update after more aggressive testing.
- As with most security-related products, I recommend thinking of Efani as a service that offers some protection rather than a service that guarantees perfect security.
- I spoke with Haseeb about the possibility that blackmail, threats of violence, or government action could compel Efani to permit a SIM swap. While I can’t verify, Haseeb suggested the lack of a single point of failure should mitigate attacks involving isolated threats. On the other hand, Efani may be forced to comply with government demands.
Plan & Pricing In Detail
Efani’s only consumer plan costs $99 per month. All customers get unlimited minutes and texts. Customers can use 22GB of data each month with relatively high priority. After 22GB, subscribers may be dropped to a lower priority level. There may or may not be further limitations after 50GB of data use in a month. Mobile hotspot use is permitted. Note: Legacy subscribers on Efani’s Verizon-based service will have different data restrictions.[2]
Efani doesn’t offer conventional family plans with aggressive discounts for customers with multiple lines. However, Efani does allow customers to combine billing between multiple lines, and customers that add a line can get a free month of service.
Businesses may be able to take advantage of premium, multiple-line products offered by Efani, but those products were outside the scope of my review.
While I haven’t seen coverage maps published by Efani, subscribers should get coverage wherever AT&T has native coverage. The map below comes from AT&T, but it may not be perfectly representative. Among other issues, I don’t know how often Efani has access to service from AT&T’s domestic roaming partners.
Data prioritization policies govern how traffic is handled when cellular networks are congested. I ran a QCI test with Efani and found a QCI of 8 for regular data use. Given my understanding of AT&T’s prioritization procedures, a QCI of 8 should put Efani’s service on par with the priority level customers get on most of AT&T’s plans (including most of AT&T’s premium and postpaid plans).[3]
What does all that mean? Efani subscribers should experience speeds comparable to the speeds received by AT&T’s own customers.
I believe legacy subscribers using Efani’s Verizon-based service have low priority at all times.[4]
Efani provides free international data roaming in most of the world for customers with eSIM-compatible devices. At the moment, international roaming isn’t seamless. You’ll need to reach out to Efani to get set up for each trip.
Since only data is offered, conventional text messages and phone calls won’t work. Data-based apps like Messenger or WhatsApp can be used as workarounds to get similar functionality while traveling.
During my trial of Efani’s service, I searched around for other resources about the company. Two stuck out as particularly good:
- Haseeb Awan & Scott Melker podcast: Haseeb and Scott discuss SIM swapping and Efani on The Wolf Of All Streets podcast. It’s a good interview that gives an overview of why Haseeb started Efani in the first place.
- Exploring Efani: Richard Sanders gives an overview of Efani and details his experience testing the carrier.
Security-minded customers should check out Efani. While Efani’s service is marginally more expensive than services from major carriers, the premium may be easy to justify for high-net-worth individuals and those with significant security concerns.
Conflict of interest
I receive a $120 commission for each new customer I refer to Efani, and I may receive additional commissions and bonuses if I generate a high enough volume of referrals.
For what it’s worth, I think I’m at an unusually high risk of bias in my assessment of Efani. The company initially reached out to me, and I had conversations with multiple members of the team before I trialed the service. In the future, I may try harder to avoid detailed conversations before reviewing a service. I’m concerned early conversations may set up expectations of positive reviews or other forms of quid pro quo.
[1] As best as I can tell, only some forms of security vulnerabilities involve a full five million dollars of coverage. A few vulnerabilities involve smaller amounts of coverage.
[2] Here’s an excerpt from my original review:
“On Verizon’s network, I believe customers can use 25GB of data before being throttled to about 128kbps. At 128kbps, most internet use will be frustratingly slow if not impossible. Separately, in my testing of Efani’s Verizon-based service, I was not able to use my phone as a mobile hotspot.”
[3] As a notable exception, I found a QCI of 7 for the most expensive of AT&T’s standard, consumer-level plans (the Unlimited Elite plan). In practice, I don’t expect the higher priority on that plan results in many tangible benefits for most customers.
[4] Reproduced from my original review:
The following excerpt comes from an Efani webpage about coverage: “We don’t operate our own towers but utilize infrastructure of the #1 Carrier in USA…There is absolutely no difference in quality of service.”
Verizon is the network operator Efani is alluding to. I believe the blurb was written before Efani offered service over AT&T’s network. Like most MVNOs, Efani is probably prohibited from explicitly naming the networks its service runs on top of.
In my view, Efani’s assertion about quality of service is probably wrong. Verizon has prioritization policies that treat some network users differently from others. For example, Verizon’s prepaid customers have lower priority than customers on most of the company’s premium, postpaid plans. A prepaid customer may see slower speeds than many other users of the network during periods of congestion.
I ran a QCI test with Efani’s Verizon-based service and found a QCI of 9 for regular data use.
Given my understanding of Verizon’s prioritization policies, a QCI of 9 is indicative of low priority. Fortunately, congestion is rare in most areas. Most people won’t experience many downsides on low-priority plans. However, people living in areas with atypical levels of congestion may occasionally run into trouble.
In a conversation with Haseeb, I brought up the discrepancy between my impression about Efani’s priority level and the impression given by Efani’s website. Haseeb maintained that Efani should have priority on par with most Verizon subscribers. I remain unconvinced.
If I’m correct (and I’m open to the possibility that I’m not), you could see that as a strike against Efani’s credibility. That said, the state of public-facing information about prioritization policies is abysmal. This is not the first time I’ve been suspicious a carrier is incorrect about the priority of its own service.