- In yet another plot twist, the SEC revealed that they purposefully disabled multi-factor authentication about six months prior to the hack.
- An exploit called “SIM swapping” is blamed, which has raised eyebrows over such a significant security lapse at a major government agency.
- The incident highlights the importance of cybersecurity for everyone – even those you’d assume would have the best security in the business.
Unless your name is Gary Gensler, the news that someone hacked the Securities and Exchange Commission’s Twitter account to post a false Bitcoin ETF approval was an incredibly amusing revelation. The irony was especially delicious after the very same Twitter account posted that the SEC account was the only source worth trusting for news on the SEC a few months earlier.
But new light being shed on the incident has revealed perhaps the most amusing twist in the ETF approval debacle to date – the SEC intentionally turned off multi-factor authentication (MFA) in the months leading up to the hack.
SIM Swap Responsible for Breach
Imagine you’re a massive regulatory agency working for the US government. You are responsible for preventing fraud, scams and other malicious financial behaviour that can ruin livelihoods…such as the market manipulation that may occur if a big-name Twitter account were to be compromised…
If this were the case, you’d think that a simple defensive measure like, I don’t know, multi-factor authentication, would be enabled. But what if I told you that you forgot your password? Okay, the next step is to personally reach out to Twitter support and request they disable MFA while providing some other form of identity verification. Great, now we have access again.
So what’s the next step? Surely it’s to immediately re-enable multi-factor authentication. Right???
Wrong.
According to the Securities and Exchange Commission, a “SIM swap” exploit was responsible for the unknown hacker gaining access to its social media account. This technique involves an attacker taking over a specific mobile number – in this case, the SEC’s – so that communications sent to that number are delivered to the attacker instead. The hacker was then able to remotely receive texts (such as password reset codes) and gain full control over the SEC’s Twitter account.
If only there was some kind of application that prevented this type of exploit. An Authenticator-type application perhaps?
Ahh…forget it. The technology probably isn’t there yet.