TruTag raises $7.5 million Series C for tiny, edible barcodes that can be placed on pills, food and vaping systems

TruTag Technologies, a company that creates microscopic, edible barcodes to authenticate medications, food, vaping pods and other products, has raised a $7.5 million Series C. The funding, led by Pangaea Ventures and Happiness Capital, will be used to further commercialize its technology and develop new solutions.

Along with earlier rounds, this brings TruTag’s total funding to $25 million. Its clients include PwC, which uses the company’s technology in its Food Trust Platform quality assurance program for Australian beef exports.

A high magnification of TruTag particles, each of which is an edible “chip” that authenticates the product it is applied to.

Called TruTags, the company’s tiny barcodes are made out of nano-porous silica, a material that has received GRAS (generally recognized as safe) notice from the U.S. Food and Drug Administration, and can be placed directly on products or in packaging to track them through the supply and logistics chain.

TruTags are read with hyperspectral imaging technology, which can process many more wavelengths than other imaging methods and so collects more precise and detailed data from an image. When scanned, the barcodes provide information about where a product was manufactured, lot numbers, authorized distributors and safe use.

In email, TruTag chief executive officer Michael Bartholomeusz, who holds a PhD in materials engineering from the University of Virginia, told TechCrunch that the company sees the most growth opportunities in industries, such as pharmaceuticals, nutraceutical foods and cannabis, that deal with counterfeit products from the black market or the “grey market,” including products from unauthorized suppliers.

A conceptual photo of TruTags' technology.

“TruTags material is an already approved excipient in pills by the FDA. Pharmaceuticals and food comprise a very large portion of the global counterfeiting problem, and given the very unique edible feature of TruTag’s solution, this is a core area of focus for the company,” he says.

For example, the technology can be used to lock vaping systems so they only work with authentic vaping pods, helping reduce the number of counterfeit pods on the market. Bartholomeusz adds that TruTags is close to coming to market in the CBD space.

TruTags can be placed directly on products, are edible and authenticate in one to five seconds, which differentiates them from other solutions. Bartholomeusz notes that other quality assurance technologies include specialized symbols, inks and holograms, though many of those have the disadvantage of being replicable by high-quality printers or of relying on consumers’ ability to recognize them.

In a press statement, Matthew Cohen, director of technology at Pangaea, which focuses on investing in advanced materials technology, said “Pangaea is excited to partner with TruTag and help the company expand its team and product portfolio. We believe TruTag’s edible barcode technology will help increase consumer confidence and ultimately save lives. TruTag is making our world better by utilizing compelling advanced materials and advanced material process innovations to combat rising problems such as drug counterfeiting.”

Yubico launches its dual USB-C and Lightning two-factor security key

Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with both a Lightning and a USB-C connector, so it works with iPhones as well as Macs and other USB-C compatible devices.

The YubiKey 5Ci is the latest iteration of the company’s security key, built to support a newer range of devices, including Apple’s iPhone, iPad and MacBooks, in a single device. Announced in June, the company said the security keys would cater to cross-platform users — particularly Apple device owners.

These security keys may be small enough to sit on a keyring, but they contain the keys to your online life. Your Gmail, Twitter, and Facebook accounts all support these plug-in devices as a second factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.

Security keys offer almost unbeatable security and can protect against a variety of threats, including nation-state attackers.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps, including password managers like 1Password and LastPass, and web browsers like Brave, which support security key authentication.

AT&T and T-Mobile team up to fight scam robocalls

Two major U.S. carriers, AT&T and T-Mobile, announced this morning a plan to team up to protect their respective customer bases from the scourge of scam robocalls. The two companies will today begin to roll out new cross-network call authentication technology based on the STIR/SHAKEN standards — a sort of universal caller ID system designed to stop illegal caller ID spoofing.

Robocalls have become a national epidemic. In 2018, U.S. mobile users received nearly 48 million robocalls — or more than 150 calls per adult, the carriers noted.

A huge part of the problem is that these calls now often come in with a spoofed phone number, making it hard for consumers to screen out unwanted calls on their own. That’s led to a rise in robocall blocking and screening apps. Even technology companies have gotten involved, with Google introducing a new AI call screener in Android and Apple rolling out Siri-powered spam call detection with iOS 13.

To help fight the call spoofing problem, the industry put together a set of standards called STIR/SHAKEN (Secure Telephony Identity Revisited / Secure Handling of Asserted information using toKENs), which effectively signs calls as “legitimate” as they travel through the interconnected phone networks.

However, the industry has been slow to roll out the system, which prompted the FCC to finally step in.

In November 2018, FCC Chairman Ajit Pai wrote to U.S. mobile operators, asking them to outline their plans around the implementation of the STIR/SHAKEN standards. The regulator also said that it would step in to mandate the implementation if the carriers didn’t meet an end-of-2019 deadline to get their call authentication systems in place.

Today’s news from AT&T and T-Mobile explains how the two will work together to authenticate calls across their networks. By implementing STIR/SHAKEN, calls will have their Caller ID signed as legitimate by the originating carrier, then validated by other carriers before they reach the consumer. Spoofed calls would fail this authentication process, and not be marked as “verified.”

As more carriers participate in this sort of authentication, more calls can be authenticated.

However, this system alone won’t actually block the spam calls — it just gives the recipient more information. In addition, devices will have to support the technology, as well, in order to display the new “verification” information.
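The signing and validation steps that STIR/SHAKEN describes above, as an added example that is not part of the original article or of either carrier's implementation: a simplified PASSporT (the signed token the standards define) is signed with ES256 by the originating carrier and checked by the terminating carrier, which refuses to mark a call "verified" when the caller ID it arrived with differs from the signed number. The sample phone numbers, the x5u URL and the 60-second freshness window are constructed assumptions; real deployments obtain the signer's public key from the certificate referenced in x5u rather than holding it directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Passport is a simplified PASSporT claim set (RFC 8225 plus the RFC 8588 "shaken" extension).
type Passport struct {
	Attest string            `json:"attest"` // "A": originating carrier fully vouches for the caller
	Iat    int64             `json:"iat"`    // issued-at, Unix seconds
	Orig   map[string]string `json:"orig"`   // asserted calling number, e.g. {"tn":"12025550123"}
}

// MaxAge bounds how far iat may drift from the verifier's clock (assumed value).
const MaxAge int64 = 60

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign is the originating carrier's step: serialise header and claims as a compact JWS and sign with ES256.
func Sign(priv *ecdsa.PrivateKey, claims Passport) (string, error) {
	// x5u normally points at the carrier's STI certificate; a placeholder URL here.
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport",
		"x5u": "https://sti-ca.example/placeholder.pem"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width concatenation r||s, 32 bytes each.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify is the terminating carrier's step before a call is marked "verified": pin the algorithm,
// check signature and freshness, and confirm the caller ID the call arrived with is the signed number.
func Verify(pub *ecdsa.PublicKey, token, observedCallerID string, now int64) (Passport, error) {
	var claims Passport
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed PASSporT")
	}
	var hdr map[string]string
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return claims, err
	}
	if hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" { // never let the token pick the algorithm
		return claims, fmt.Errorf("unsupported alg/ppt %q/%q", hdr["alg"], hdr["ppt"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return claims, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return claims, fmt.Errorf("signature does not verify")
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return claims, err
	}
	if now-claims.Iat > MaxAge || claims.Iat-now > MaxAge {
		return claims, fmt.Errorf("PASSporT too old or from the future")
	}
	if claims.Orig["tn"] != observedCallerID {
		return claims, fmt.Errorf("caller ID %s does not match signed orig %s", observedCallerID, claims.Orig["tn"])
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the carrier's STI key
	tok, _ := Sign(key, Passport{Attest: "A", Iat: 1565000000, Orig: map[string]string{"tn": "12025550123"}})
	_, err := Verify(&key.PublicKey, tok, "12025550999", 1565000010) // number the call arrived with
	fmt.Println("spoofed caller ID rejected:", err)
}
```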

T-Mobile earlier this year was first to launch a caller verification system on the Samsung Galaxy Note9, and today it still only works with select Android handsets from Samsung and LG. AT&T, meanwhile, announced in March it was working with Comcast to exchange authenticated calls between two separate networks — a milestone in terms of cooperation between two carriers. T-Mobile and Comcast announced their own agreement in April.

The news also follows a statement by Chairman Pai that says the FCC will sign off to approve a T-Mobile/Sprint merger, as has been expected.

Google’s Titan security keys come to Japan, Canada, France and the UK

Google today announced that its Titan Security Key kits are now available in Canada, France, Japan and the UK. Until now, these keys, which come in a kit with a Bluetooth key and a standard USB-A dongle, were only available in the U.S.

The keys provide an extra layer of security on top of your regular login credentials. They provide a second authentication factor to keep your account safe and replace more low-tech two-factor authentication systems like authentication apps or SMS messages. When you use those methods, you still have to type the code into a form, after all. That’s all good and well until you end up on a well-designed phishing page. Then, somebody could easily intercept your code and quickly reuse it to breach your account — and getting a second factor over SMS isn’t exactly a great idea to begin with, but that’s a different story.

Authentication keys use a number of cryptographic techniques to ensure that you are on a legitimate site and aren’t being phished. All of this, of course, only works on sites that support hardware security keys, though that number continues to grow.

The launch of Google’s Titan keys came as a bit of a surprise, given that Google had long had a good relationship with Yubico and previously provided all of its employees with that company’s keys. The original batch of keys also featured a security bug in the Bluetooth key. That bug was hard to exploit, but nonetheless, Google offered free replacements to all Titan Key owners.

In the U.S., the Titan Key kit sells for $50. In Canada, it’ll go for $65 CAD. In France, it’ll be €55, while in the UK it’ll retail for £50 and in Japan for ¥6,000. Free delivery is included.

Developers can now verify mobile app users over WhatsApp instead of SMS

Facebook today released a new SDK that allows mobile app developers to integrate WhatsApp verification into Account Kit for iOS and Android. This will allow developers to build apps where users can opt to receive their verification codes through the WhatsApp app installed on their phone instead of through SMS.

Today, many apps give users the ability to sign up using only a phone number — a now popular alternative to Facebook Login, thanks to the social network’s numerous privacy scandals that led to fewer people choosing to use Facebook with third-party apps.

Plus, using phone numbers to sign up is common with a younger generation of users who don’t have Facebook accounts — and sometimes barely use email, except for joining apps and services.

When using a phone number to sign in, it’s common for the app to confirm the user by sending a verification code over SMS to the number provided. The user then enters that code to create their account. This process can also be used when logging in, as part of a multi-factor verification system where a user’s account information is combined with this extra step for added security.

While this process is straightforward and easy enough to follow, SMS is not everyone’s preferred messaging platform. That’s particularly true in emerging markets like India, where 200 million people are on WhatsApp, for example. In addition, those without an unlimited messaging plan are careful not to overuse texting when it can be avoided.

That’s where the WhatsApp SDK comes in. Once integrated into an iOS or Android app, developers can offer to send users their verification code over WhatsApp instead of text messaging. They can even choose to disable SMS verification, notes Facebook.

This is all a part of WhatsApp’s Account Kit, which is a larger set of developer tools designed to allow people to quickly register and log in to apps or websites using only a phone number and email, no password required.

The WhatsApp verification code option has been available in WhatsApp’s web SDK since late 2018, but hadn’t been available for mobile apps until today.

Fifty years of the internet

When my team of graduate students and I sent the first message over the internet on a warm Los Angeles evening in October, 1969, little did we suspect that we were at the start of a worldwide revolution. After we typed the first two letters from our computer room at UCLA, namely, “Lo” for “Login,” the network crashed.

Hence, the first Internet message was “Lo” as in “Lo and behold” – inadvertently, we had delivered a message that was succinct, powerful, and prophetic.

The ARPANET, as it was called back then, was designed by government, industry and academia so scientists and academics could access each other’s computing resources and trade large research files, saving time, money and travel costs. ARPA, the Advanced Research Projects Agency, (now called “DARPA”) awarded a contract to scientists at the private firm Bolt Beranek and Newman to implement a router, or Interface Message Processor; UCLA was chosen to be the first node in this fledgling network.

By December, 1969, there were only four nodes – UCLA, Stanford Research Institute, the University of California-Santa Barbara and the University of Utah. The network grew exponentially from its earliest days, with the number of connected host computers reaching 100 by 1977, 100,000 by 1989, a million by the early 1990s, and a billion by 2012; it now serves more than half the planet’s population.

Along the way, we found ourselves constantly surprised by unanticipated applications that suddenly appeared and gained huge adoption across the Internet; this was the case with email, the World Wide Web, peer-to-peer file sharing, user generated content, Napster, YouTube, Instagram, social networking, etc.

It sounds utopian, but in those early days, we enjoyed a wonderful culture of openness, collaboration, sharing, trust and ethics. That’s how the Internet was conceived and nurtured.  I knew everyone on the ARPANET in those early days, and we were all well-behaved. In fact, that adherence to “netiquette” persisted for the first two decades of the Internet.

Today, almost no one would say that the internet was unequivocally wonderful, open, collaborative, trustworthy or ethical. How did a medium created for sharing data and information turn into such a mixed blessing of questionable information? How did we go from collaboration to competition, from consensus to dissension, from a reliable digital resource to an amplifier of questionable information?

The decline began in the early 1990s when spam first appeared at the same time there was an intensifying drive to monetize the Internet as it reached deeply into the world of the consumer. This enabled many aspects of the dark side to emerge (fraud, invasion of privacy, fake news, denial of service, etc.).

It also changed the nature of internet technical progress and innovations as risk aversion began to stifle the earlier culture of “moon shots”. We are currently still suffering from those shifts. The internet was designed to promote decentralized information, democracy and consensus based upon shared values and factual information. In this it has fallen short of fully achieving the aspirations of its founding fathers.

As the private sector gained more influence, their policies and goals began to dominate the nature of the Internet.  Commercial policies gained influence, companies could charge for domain registration, and credit card encryption opened the door for e-commerce. Private firms like AOL, CompuServe and Earthlink would soon charge monthly fees for access, turning the service from a public good into a private enterprise.

This monetization of the internet has changed its flavor. On the one hand, it has led to services of great value. Here one can list pervasive search engines, access to extensive information repositories, consumer aids, entertainment, education, connectivity among humans, etc. On the other hand, it has led to excess and control in a number of domains.

Among these one can identify restricted access by corporations and governments, limited progress in technology deployment when the economic incentives are not aligned with (possibly short term) corporate interests, excessive use of social media for many forms of influence, etc.

If we ask what we could have done to mitigate some of these problems, one can easily name two. First, we should have provided strong file authentication – the ability to guarantee that the file that I receive is an unaltered copy of the file I requested. Second, we should have provided strong user authentication – the ability for a user to prove that he/she is who they claim to be.

Had we done so, we should have turned off these capabilities in the early days (when false files were not being dispatched and when users were not falsifying their identities). However, as the dark side began to emerge, we could have then gradually turned on these protections to counteract the abuses at a level to match the extent of the abuse. Since we did not provide an easy way to provide these capabilities from the start, we suffer from the fact that it is problematic to do so for today’s vast legacy system we call the Internet.

Having come these 50 years since its birth, how is the Internet likely to evolve over the next 50? What will it look like?

That’s a foggy crystal ball. But we can foresee that it is fast on its way to becoming “invisible” (as I predicted 50 years ago) in the sense that it will and should disappear into the infrastructure.

It should be as simple and convenient to use as is electricity; electricity is straightforwardly available via a trivially simple interface by plugging it into the wall; you don’t know or care how it gets there or where it comes from, but it delivers its services on demand.

Sadly, the internet is far more complicated to access than that. When I walk into a room, the room should know I’m there and it should provide to me the services and applications that match my profile, privileges and preferences.  I should be able to interact with the system using the usual human communication methods of speech, gestures, haptics, etc.

We are rapidly moving into such a future as the Internet of Things pervades our environmental infrastructure with logic, memory, processors, cameras, microphones, speakers, displays, holograms, sensors. Such an invisible infrastructure coupled with intelligent software agents embedded in the internet will seamlessly deliver such services. In a word, the internet will essentially be a pervasive global nervous system.

That is what I judge will be the likely essence of the future infrastructure. However, as I said above, the applications and services are extremely hard to predict as they come out of the blue as sudden, unanticipated, explosive surprises!  Indeed, we have created a global system for frequently shocking us with surprises – what an interesting world that could be!

Passbase is building a full stack identity engine with privacy baked in

Digital identity startup Passbase has bagged $600k in pre-seed funding led by a group of business angel investors from Alphabet, Stanford, Kleiner Perkins, EY; as well as seed fund investment from Chicago-based Upheaval Investments and Seedcamp.

The 2018-founded Silicon Valley-based startup — whose co-founder we chatted to briefly on camera at Disrupt Berlin — is building what it dubs an “identity engine” to simplify identity verification online.

Passbase offers a set of SDKs to developers to integrate facial recognition, liveness detection, ID authenticity checks and ID information extraction into their service, while also baking in privacy protections that allow individual users to control their own identity data.

A demo video of the verification product shows a user being asked to record a FaceID-style 3D selfie by tilting their face in front of a webcam and then scanning an ID document also by holding it up to the camera.

On the developer front, the flagship claim is Passbase’s identity verification product can be deployed to a website or mobile app in less than three minutes, with just seven lines of code.

Co-founder Mathias Klenk tells TechCrunch the system architecture draws on ideas from public-private key encryption, blockchain, and biometric authentication — and is capable of completing “zero-knowledge authentications”.

In practice that means a website visitor or app user can prove who they are (or how old they are) without having to share their full identity document with the service.

Klenk, a Stanford alumnus, says the founding team pivoted to digital identity in the middle of last year after their earlier startup — a crypto exchange management app called Coinance — ran into regulatory difficulties right after they’d decided to go full-time on the project.

He says they got a call from Apple, in August 2018, informing them Coinance had been pulled from the AppStore. The issue was they needed to be able to comply with know your customer (KYC) requirements as regulators cracked down on the risk of cryptocurrency being used for money laundering.

“With a quick call to our lawyers, we learned it was because we now needed to complete strong identity verification with every exchange integrated for every user in order to fulfil our KYC obligations,” explains Klenk. “This is how our pivot to Passbase began.”

The experience with Coinance convinced Klenk and his two co-founders — Felix Gerlach (an ex-Rocket Internet product manager/designer) and Dave McGibbon (previously an investment associate at GoogleX) — that there was a “huge opportunity” to build a ‘full-stack’ identity verification tool that was easy for engineering teams to integrate. So it sounds like it’s thinking along similar lines to Estonian startup Veriff.

Klenk claims current vendors “take weeks to integrate and charged thousands of dollars from the start”. And in classic startup formula fashion he too condenses the idea down to: “Stripe for Identity Verification” — arguing that: “In order to solve digital identity verification, you cannot only streamline the identity verification process, you need to enable identity ownership and reuse across different services.”

At the same time, Klenk says the founding team saw a growing need for a privacy-focused identity verification tool — to “protect people’s information by design and help companies collect only the information they need”.

On this he freely cites Europe’s General Data Protection Regulation as an inspiring force. (“GDPR is built into the DNA of this product,” is the top-line claim.)

“Companies gain access to users’ information in a secure enclave, and avoid the dangers of getting hacked and leaking sensitive information,” says Klenk, describing the system architecture for verification as the core IP of the business.

They’re in the process of filing patents for the “developed technology”, working with two technical advisors, he adds.

Passbase’s verification stack itself involves modular pieces so that it can adapt to changing threats, as Klenk tells it.

The startup is partnering with service providers for various verification components. Though he says it also has in-house computer vision experts who have built its anti-spoofing and liveness detection.

“This will always be an arms race against the latest spoofing tactics. We plan to stay ahead of the curve by introducing multi-factor authentication techniques and partnering with the best technology providers,” he adds on that.

He says they’re also working with a US-based security company and other security experts to test the robustness and security of their system on an ongoing basis, adding: “We are planning to obtain all required certifications to ensure the security of our system e.g. ISO, Fido.”

Passbase’s product is currently in a closed beta with more than 200 companies signed up to its early access program.

Five have been “handpicked and onboarded” for a closed pilot — and Klenk says it’s now running tests and figuring out final requirements for an open beta launch planned for the middle of this year.

“Our early customers are mostly trust-based marketplaces (like an Airbnb),” he tells TechCrunch. “We are adding features such as PEP, OFAC, and others over the next month to allow us to also service the mobility space, age-restricted products, and eventually online banking and fintechs with KYC obligations.”

The startup’s first tranche of investor funding will be used for building out its core tech and mobile apps — while also “delighting our first clients with our B2B solution, getting traction, nailing product market fit”, as Klenk puts it.

He emphasizes that they’re also keen to nail a healthy startup culture from the get-go — saying that building “an exciting and inclusive place to work” is a priority. (“Since many high growth startups dropped the priority for this for the sake of growth, we want to get this right from the beginning.”)

On the competitive front, Passbase is certainly driving into a noisy arena with no shortage of past effort and current players touting identity and digital verification services — albeit, all that activity underlines the high demand level for robust online verification.

Demand that’s likely to rise as more policymakers and governments wake up to the risks and challenges posed by online fakes — and prepare to regulate Internet firms.

Discussing the competitive landscape, Klenk name-checks Jumio, Onfido, and Veriff in the identity verification space, though he argues Passbase’s “developer-focused go-to-market and focus on creating digital identity” creates a different set of incentives which he also claims “allow us to get really creative on price and auxiliary offerings”.

“Our competition cares about price x volume. We care about creating a robust and secure network of trusted user-owned digital identities,” he suggests.

On the digital identity front, he points to Civic, Verimi, and Authenteq as being focused on “digital and self-sovereign identity”, though he says they have “tended” to take a B2C approach vs Passbase’s “full-stack” developer offering which he claims is “immediately useful to a large market of players”.

There’s clearly plenty still to play for where digital identity is concerned. It remains a complex and challenging problem that loops in all sorts of entities, touchpoints and responsibilities.

But add privacy considerations into the mix and Passbase’s hope is that, by going the extra mile to build a zero-knowledge architecture, it can become a key player.

How to protect your cell phone number and why you should care

Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.

Why you need to protect your phone number

Your cell phone number is a single point of failure.

Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And you use it for two-factor authentication to securely log in to your accounts.

If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer to data theft.

Just think of every site and service that has your phone number. That’s why you need to protect your phone number.

How do hackers steal cell phone numbers?

It’s easier than you might think. Phone numbers can be found anywhere – thanks in part to so many data breaches.

Often, hackers will find the cell phone number of their target floating around the internet (or on a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered, often little more than where a person lives or their date of birth, they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.

That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.

In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.

From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.

You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.

In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.

What you can do to protect your phone number

Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.

You can either call up customer services or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.

Every carrier handles secondary security codes differently. You may be limited in your password, passcode or passphrase, but try to make it more than four to six digits. And make sure you keep a backup of the code!

For the major carriers:

If your carrier isn’t listed, you might want to check if they employ a similar secondary security code to your account to prevent any abuse. And if they don’t, maybe you should port out your cell phone number to a carrier that does.

Check out our full Cybersecurity 101 guides here.

How to protect your cell phone number and why you should care

Getty Images

Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.

Why you need to protect your phone number

Your cell phone number is a single point of failure.

Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And, you use it for two-factor authentication to securely login to your accounts.

If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer to data theft.

Just think of every site and service that has your phone number. That’s why you need to protect your phone number.
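The “single point of failure” argument above can be made concrete with a small dependency audit. The following is an added example, not code from the article: it takes a constructed inventory of accounts, each with the routes that let someone log in or reset it, and computes the transitive closure of what an attacker reaches holding only the phone number (an SMS reset on the email account cascades into every account that resets via that email). The account names, routes and the `account:` reference convention are assumptions for illustration.

```python
"""Model which accounts fall when a phone number is hijacked (added example).

Each account lists alternative routes; a route is the set of things an
attacker must hold to take that account over. Items are either root secrets
("password", "phone", "hardware_key") or "account:<name>", meaning "whoever
controls that other account can reset this one".
"""

# Constructed sample inventory (not from the article).
ACCOUNTS = {
    "gmail":     [{"password", "phone"}, {"phone"}],          # SMS reset alone recovers it
    "bank":      [{"password", "phone"}, {"account:gmail"}],  # resets via email
    "twitter":   [{"password", "phone"}, {"account:gmail"}],
    "exchange":  [{"password", "phone"}, {"phone"}],          # crypto exchange, SMS reset
    "work_mail": [{"password", "hardware_key"}],             # no SMS/email reset path
}


def compromised_accounts(accounts, attacker_has):
    """Return the set of accounts reachable from the root secrets in attacker_has.

    Iterates to a fixed point: an account falls if ANY of its routes is fully
    satisfied by what the attacker holds (root secrets plus accounts already
    taken over), and a fallen account becomes a new "account:<name>" holding.
    """
    held = set(attacker_has)
    fallen = set()
    changed = True
    while changed:
        changed = False
        for name, routes in accounts.items():
            if name in fallen:
                continue
            for route in routes:
                if route <= held:
                    fallen.add(name)
                    held.add(f"account:{name}")
                    changed = True
                    break
    return fallen


def single_points_of_failure(accounts):
    """For each root secret, the accounts that fall if that secret ALONE leaks."""
    roots = {item for routes in accounts.values() for route in routes
             for item in route if not item.startswith("account:")}
    return {root: compromised_accounts(accounts, {root}) for root in sorted(roots)}


if __name__ == "__main__":
    for root, lost in single_points_of_failure(ACCOUNTS).items():
        print(f"{root:13s} alone compromises: {sorted(lost) or 'nothing'}")
```

Running it shows the asymmetry the article describes: the password alone recovers nothing in this inventory, while the phone number alone cascades through the email account into the bank and Twitter accounts as well as the two services that accept SMS resets directly. Any root that shows up with a long list is where a secondary carrier code, a hardware key or a non-SMS reset path buys the most.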

How do hackers steal cell phone numbers?

It’s easier than you might think. Phone numbers can be found anywhere – thanks in part to so many data breaches.

Often, hackers will find the cell phone number of their target floating around the internet (or from a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered, often little more than where a person lives or their date of birth, they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.

That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.

In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.

From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.

You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.

In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.

What you can do to protect your phone number

Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.

You can either call up customer services or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.

Every carrier handles secondary security codes differently. You may be limited in the length or format of your password, passcode or passphrase, but try to make it longer than four to six digits. And make sure you keep a backup of the code!

For the major carriers:

If your carrier isn’t listed, you might want to check whether it offers a similar secondary security code for your account to prevent any abuse. And if it doesn’t, maybe you should port out your cell phone number to a carrier that does.

Check out our full Cybersecurity 101 guides here.

Hacker Kevin Mitnick shows how to bypass 2FA

A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.

KnowBe4 Chief Hacking Officer Kevin Mitnick showed the hack in a public video. By convincing a victim to visit a typo-squatting domain like “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can log in indefinitely. This essentially uses the one-time 2FA code as a way to spoof a login and grab data.
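The demonstration hinges on the victim accepting a lookalike domain, which is something a mail gateway or browser extension can screen for before the user ever sees the page. The following is an added example, not code from the article, KnowBe4 or Mitnick’s tool: it scores each link’s registered domain against a constructed list of protected brands using Damerau-Levenshtein distance (insertion, deletion, substitution and adjacent transposition) and flags near misses such as “LunkedIn.com”. The brand list, the thresholds and the two-label approximation of a registered domain are assumptions for illustration.

```python
"""Flag typo-squatting lookalike domains in links (added example).

Classifies a URL as 'trusted' (exactly a protected brand), 'lookalike'
(within a small edit distance of a brand but not equal to it) or 'unknown'.
"""
from urllib.parse import urlparse

# Constructed list of brand domains the organization wants to protect.
PROTECTED = ["linkedin.com", "techcrunch.com", "knowbe4.com"]


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1,        # delete ca
                         cur[j - 1] + 1,      # insert cb
                         prev1[j - 1] + cost) # substitute
            # Transposition of two adjacent characters ("ni" vs "in").
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def registered_domain(url):
    """Lower-cased host reduced to its last two labels.

    Assumption for the example: a real deployment would consult the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url, protected=PROTECTED, max_distance=2):
    """Return ('trusted', brand), ('lookalike', brand) or ('unknown', None)."""
    dom = registered_domain(url)
    best = None
    for brand in protected:
        if dom == brand:
            return "trusted", brand
        dist = damerau_levenshtein(dom, brand)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links as they might appear in an email body.
    for link in ["https://LunkedIn.com/login",
                 "https://www.linkedin.com/feed",
                 "https://linkedni.com/uas/login",
                 "https://linkedin.com.evil.example/",
                 "https://example.org/"]:
        print(f"{link:42s} -> {classify_link(link)}")
```

Two caveats worth keeping in mind. Edit distance catches single-character typos and transpositions but not a brand name used as a subdomain of an unrelated registered domain (the fourth sample link above comes back `unknown`), nor homoglyph substitutions across scripts, so this check is one layer alongside the awareness training the article recommends. And because the attack relays a valid one-time code to the real site in the same moment it is captured, no filtering of the code itself helps; the screening has to happen on the link, before the victim types anything.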

“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”

Sjouwerman notes that anti-phishing education is deeply important and that a hack like this is impossible to complete if the victim is savvy about security and the dangers of clicking links that come into your email box. To demonstrate this, Sjouwerman sent me an email seemingly addressed to me from Matt Burns ([email protected]) talking about a typo in a post. When I clicked on it I was transferred to a SendGrid redirect site and dumped into TechCrunch – but the payload could have been more nefarious.

“This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense,” said Sjouwerman. He estimates that hackers will begin trying this technique in the next few weeks and urges users and IT managers to harden their security protocols.