The U.S. Securities and Exchange Commission (SEC) lost control of its social media account on X, formerly known as Twitter, as a result of a “SIM swapping” attack, a tactic employed by online scammers to hijack phone lines. Details of this occurrence, which happened earlier this month, were revealed by the SEC on Monday.
Bitcoin Approval Misinformation Hits SEC
The SEC disclosed that personnel had eliminated multi-factor authentication (MFA), an extra security measure, six months before the assault. Reinstatement of the MFA did not occur until after the January 9 attack. The incident happened at a time when many were expecting more than usual that exchange-traded products that track bitcoin would be approved by the SEC. Unknown users gained access to the account during the attack and made a bogus notification stating that approval had been given. The price of the cryptocurrency was briefly damaged by this false information, but the next day, a split vote finally resulted in approval.
SIM Swapping: A Growing Cyber Threat
Attackers can take control of a phone number by switching its SIM card to another device, a tactic known as SIM swapping. In this case, the password for the @SECGov account was reset by the unauthorized party after they gained control of the phone number.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” an SEC official said. Although the cell provider for the SEC has not been identified, law enforcement is looking into how the hackers got them to switch.
Legislators are now looking for answers about why the SEC was open to this kind of attack, particularly in light of the strict cybersecurity regulations that are in place for publicly traded corporations. In its statement on Monday, the SEC confirmed that its staff had asked X Support to stop multi-factor authentication (MFA) in June 2023 because it was causing problems with account access. MFA is an extra security measure against illegal access.
Legislators Demand SEC Vulnerability Answers
“MFA is currently enabled for all SEC social media accounts that offer it,” the message made clear. The SEC did not say which MFA technique was being used, but MFA usually entails requesting two or more verification elements from users before allowing access.
Law enforcement and regulatory bodies are looking into the matter thoroughly. Among the organizations involved in the ongoing investigation are the Department of Justice, the Commodity Futures Trading Commission (which regulates bitcoin futures), the SEC’s Office of Inspector General and Division of Enforcement, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency.
Strong cybersecurity safeguards are desperately needed, as this security incident shows. This is especially true for regulatory organizations in charge of managing the financial markets. The SEC’s cybersecurity procedures will probably come under more scrutiny as the inquiry goes on, and bolstering defenses against sophisticated cyberattacks in the digital era will probably receive more attention.
