
What is a SIM swap attack and how it affected the US SEC – Times of India


The Securities and Exchange Commission’s official account on social media platform X was compromised earlier this month. The US regulator has now provided more details about how its account was breached. The regulator has confirmed that it had been the victim of a SIM swapping attack. The SEC also noted that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.
In a statement, the regulator said: “The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack. Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”
What is a SIM swapping attack
SIM swapping is a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices.
How this attack affected the SEC
During this attack, the SEC’s X account was taken over to falsely claim that bitcoin ETFs had been approved. The attack has raised questions about the SEC’s security practices. Government-run social media accounts are typically required to have MFA enabled. Because @SECGov is a high-profile account that may have market-moving abilities, its lack of this extra layer of security has already prompted questions from the US Congress.

The SEC said that it had asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”
The lack of MFA may have made it easier for the attacker to take over the SEC’s account. However, the regulator hasn’t revealed how those responsible knew which phone was associated with the X account.
The SEC also hasn’t shared details about how the unnamed telecom carrier fell for the scam or who was behind it. The regulator said it is currently investigating these points along with the Department of Justice, FBI, Homeland Security and its own Inspector General.


