SEC’s account did not have 2-factor authentication: X security team

The attacker which is a third-party telecommunications provider into gaining control of the phone number associated with the @SECGov account.

 
Follow :
Gary Gensler | Image: X/Twitter

2-Factor Authentication: The safety team at X, formerly known as Twitter, has disclosed a security lapse involving the United States Securities and Exchange Commission (SEC). According to X's safety page, the SEC's main X account was compromised due to a SIM swap attack, facilitated by the absence of two-factor authentication (2FA). This breach led to a false endorsement of a spot Bitcoin exchange-traded fund (ETF) on the SEC's official X page, causing disruption in crypto markets.

A SIM swap attack involves an assailant taking control of a victim's phone number, subsequently gaining unauthorised access to various accounts, including social media and financial platforms. In this instance, the perpetrator likely coerced a third-party telecommunications provider into gaining control of the phone number associated with the @SECGov account. 

With access to the phone number and potential knowledge of the corresponding email address, the hacker could reset the account password and gain entry.

Concerns over cybersecurity measures

The incident has elicited strong reactions from policymakers. Senators JD Vance and Thom Tillis addressed a letter to SEC Chair Gary Gensler, expressing concerns over the agency's lax cybersecurity measures. 

They demanded an explanation within a four-day period, stating that the breach undermines the SEC's mandate to safeguard investors. Their missive joins a chorus of calls for transparency and accountability, with several congressional members advocating for an official investigation.

Furthermore, US Senator Bill Hagerty criticised the SEC's handling of the situation, highlighting the agency's swift action had the roles been reversed. Senator Cynthia Lumiss echoed this sentiment, urging transparency regarding "fraudulent announcements." 

Meanwhile, Elon Musk, CEO of Tesla and owner of X, refuted claims attributing the breach to X's internal systems. 

Published By : Anirudh Trivedi

Published On: 10 January 2024 at 15:09 IST