Short Answer:
Unlike Signal and WhatsApp, Lochbox does not follow the phone number. When a device is SIM Swapped, the phone number transfers to the attacker's device. All Signal and WhatsApp texts and calls are delivered to the attacker.
Lochbox’s texts and calls are delivered to the device on which the intended recipient is fully authenticated, regardless of the device’s SIM. Lochbox is not affected by SIM Swapping.
More Details:
Lochbox authenticates devices separately from human users. In a SIM Swap attack, it is not the device that gets stolen, but the device’s network id. Signal and WhatsApp key off of the device’s network id (the phone number). When a device is SIM Swapped, all Signal and WhatsApp texts and calls go to the attacker’s device, not the intended human’s device.
BTW, keying off of the phone number is what makes Signal and WhatsApp “open network” communications, subject to phishing campaigns.
Lochbox places a private key into the device’s secure storage (e.g. the iOS Keychain on Apple devices, the X.509 certificate store on other platforms). The public key is tracked centrally by the Lochbox servers and by the customer’s encryption Key Management Server. This enables these servers to encrypt things that only the device can access via the device’s secured private key.
Lochbox assigns a trust value to each device’s public key. Devices with an authenticated human user are considered trusted. When the human logs out of a device, the trust is removed and all local content, encrypted at rest, is removed. Users can also block a device, which forces a Lochbox logout, deletes local content, and prevents any user from successfully authenticating on that device. For security reasons, a blocked device will always report that the userid/password do not match.
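The device-trust model described above, sketched as an added example (not Lochbox's code; the class, method and state names are hypothetical, and the public keys used with it are constructed byte strings). It shows that routing keyed on device key ids leaves no phone number to hijack, and that a blocked device gets the same answer as a wrong password.

```python
import hashlib, hmac, os
from enum import Enum

class Trust(Enum):
    UNTRUSTED = "untrusted"   # key registered, no authenticated user
    TRUSTED = "trusted"       # a user is logged in on this device
    BLOCKED = "blocked"       # the user blocked this device

GENERIC_ERROR = "userid/password do not match"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Registry:
    """Hypothetical server-side model; routing is keyed on device key ids."""
    def __init__(self):
        self.users = {}     # userid -> (salt, password hash)
        self.devices = {}   # device key id -> [Trust, userid or None]

    def add_user(self, userid, password):
        salt = os.urandom(16)
        self.users[userid] = (salt, _hash(password, salt))

    def register_device(self, public_key: bytes) -> str:
        key_id = hashlib.sha256(public_key).hexdigest()
        self.devices.setdefault(key_id, [Trust.UNTRUSTED, None])
        return key_id

    def login(self, key_id, userid, password):
        salt, stored = self.users.get(userid, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        dev = self.devices.get(key_id)
        # Blocked or unknown devices get the same answer as a bad password.
        if not ok or dev is None or dev[0] is Trust.BLOCKED:
            return GENERIC_ERROR
        dev[:] = [Trust.TRUSTED, userid]
        return "ok"

    def logout(self, key_id):
        if self.devices[key_id][0] is Trust.TRUSTED:
            self.devices[key_id][:] = [Trust.UNTRUSTED, None]

    def block(self, key_id):
        self.devices[key_id][:] = [Trust.BLOCKED, None]

    def recipients(self, userid):
        """Device key ids that may receive this user's messages."""
        return sorted(k for k, (t, u) in self.devices.items()
                      if t is Trust.TRUSTED and u == userid)
```

The password hash is computed before the device state is checked, so the blocked-device path does the same work as a failed password check.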