While I don’t claim to be much of a security expert, I know some things shouldn’t be used when securing internet accounts. Cell phone numbers are one of those things. Thanks to the SEC, we now have new information on what went down with its Twitter account earlier this month.
SEC was SIM swapped
The Securities and Exchange Commission (SEC) has stated that a SIM swap attack was behind the Twitter account hack. The attack led to a fake post suggesting that Bitcoin ETFs had been approved, which in turn drove up the cryptocurrency’s price. The federal agency said that an “unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”
The SEC claims that the account had MFA enabled up until July of 2023. At that point MFA was disabled by Twitter support because of issues getting access to the account, and it was left disabled until the SEC noticed that the account had been compromised. All other social accounts for the SEC have MFA active, according to the agency.
What is SIM swapping?
For those who do not know, SIM swapping occurs when a malicious actor poses as a cellular customer and uses social engineering against the carrier to gain control of that customer’s account. At that point, they can have the number moved to a different SIM card in their possession and intercept the victim’s phone calls and SMS/MMS messages. This is especially useful to an attacker when the goal is to capture MFA codes that are sent via SMS. A regular customer might take a long while to notice that their phone has stopped receiving calls and texts; a federal agency would probably take even longer if the number belongs to a spare phone that nobody uses.
While the Tech Talk Commandments say to use MFA as much as possible, we do have a footnote: we do not condone the use of SMS-based MFA, for this very reason.
Source: The Verge