Security Procedure Suspended for Six Months on SEC's X Account
In a recent revelation, the US Securities and Exchange Commission (SEC) disclosed that a crucial security measure on its X account was inactive for six months, allowing hackers to post a fake announcement about Bitcoin in January. The incident caused a surge in the cryptocurrency's value before the post was removed.
Lack of Multi-Factor Authentication (MFA) Raises Concerns
The SEC admitted that it did not have multi-factor authentication in place when unauthorized access occurred on the compromised account. Cybersecurity experts emphasize the need for heightened security measures across governmental agencies in light of this incident.
Ilia Kolochenko from cyber-firm ImmuniWeb stated, "While the SEC's X account hack is a minor security incident, all governmental agencies should review the security of their social network accounts."
Disabled MFA and the Consequences
The SEC clarified that multi-factor authentication had been enabled on the @SECGov X account but was disabled by X Support in July 2023 due to issues accessing the account. MFA remained disabled until staff re-enabled it after the account was compromised on January 9.
SIM-Swapping Attack Unveiled
The SEC confirmed that the account breach resulted from a SIM-swapping attack, in which a fraudster convinced a mobile operator to transfer an SEC employee's phone number to a new SIM card. With MFA disabled, the hacker successfully reset the password, logged in, and posted a fake announcement about the approval of Bitcoin exchange-traded funds (ETFs).
Warning for Governmental Agencies
Cybersecurity experts warn about the potential consequences of such lapses in agencies with higher stakes. Ilia Kolochenko emphasized, "A similar incident at a body such as the US Department of Defense could have more devastating consequences."
Post-Incident Actions and Market Impact
While the SEC has since confirmed the regulatory change regarding ETFs for Bitcoin, the cryptocurrency's value experienced a drop to just over $38,600 on Tuesday, marking its lowest value in 2024 so far.
SIM-Swapping Attack Explained
The SEC explained that in a SIM-swapping attack, a hacker typically convinces a mobile phone operator to transfer a targeted individual's phone number to a new SIM card. The compromised employee's phone number was linked to the SEC's X account, which facilitated the unauthorized access.
Importance of Multi-Factor Authentication
Multi-factor authentication (MFA) is crucial in preventing SIM-swapping attacks. It can take various forms, such as a dedicated app that generates a PIN code or a code delivered by text message. Experts recommend the more secure of these methods, dedicated apps, to strengthen verification and avoid potential breaches.