US SEC blames 'SIM swapping' for its X account hack
The U.S. Securities and Exchange Commission (SEC), a Wall Street regulator, revealed that its social media account on the platform X was hacked using the SIM swapping technique. The SEC had removed multi-factor authentication (MFA) six months prio...
By Reuters | Updated:
Reuters
Wall Street's top regulator was the victim of "SIM swapping," a technique internet fraudsters use to seize control of telephone lines, when its account on the social media platform X, formerly known as Twitter, was hacked earlier this month, the U.S. Securities and Exchange Commission said on Monday.
The SEC also said that, six months prior to the attack, staff had removed an added layer of protection, known as multi-factor authentication (MFA), and did not restore it until after the Jan. 9 attack.
As anticipation mounted for the agency's approval of exchange-traded products tracking bitcoin, an unidentified person or persons gained access to the account, posting the false announcement that approval had already been granted, causing a momentary jump in the cryptocurrency's price.
In a split vote, the commission granted approval the following day.
SIM swapping is a technique in which attackers gain control of a telephone number by having it reassigned to a new device.
"Once in control of the phone number, the unauthorized party reset the password for the @SECGov account," an SEC spokesperson said in a statement.
Law enforcement agencies are working to learn how the hackers prevailed on the SEC's mobile carrier to make the switch, the SEC said, without identifying the carrier.
Lawmakers have demanded explanations as to how the SEC could have left itself exposed to such an attack, when it holds publicly traded companies to tough cybersecurity requirements.
Monday's statement also said that due to difficulties accessing the account, SEC staff had asked X Support in June of 2023 to disable MFA, which can offer added protection against unauthorized access.
"MFA currently is enabled for all SEC social media accounts that offer it," the statement said.
A representative for X did not immediately respond to a request for comment.
U.S. agencies set their own policies on access to social media accounts but guidelines from the U.S. National Institute of Standards and Technology generally encourage the use of MFA, NIST told Reuters.
The incident is under investigation by agencies including SEC's Office of Inspector General and its Division of Enforcement; the Commodity Futures Trading Commission, which regulates bitcoin futures; Federal Bureau of Investigation; Department of Justice; and Cybersecurity and Infrastructure Security Agency, the statement said.
The SEC also said that, six months prior to the attack, staff had removed an added layer of protection, known as multi-factor authentication (MFA), and did not restore it until after the Jan. 9 attack.
As anticipation mounted for the agency's approval of exchange-traded products tracking bitcoin, an unidentified person or persons gained access to the account, posting the false announcement that approval had already been granted, causing a momentary jump in the cryptocurrency's price.
In a split vote, the commission granted approval the following day.
SIM swapping is a technique in which attackers gain control of a telephone number by having it reassigned to a new device.
"Once in control of the phone number, the unauthorized party reset the password for the @SECGov account," an SEC spokesperson said in a statement.
ADVERTISEMENT
Law enforcement agencies are working to learn how the hackers prevailed on the SEC's mobile carrier to make the switch, the SEC said, without identifying the carrier.
Lawmakers have demanded explanations as to how the SEC could have left itself exposed to such an attack, when it holds publicly traded companies to tough cybersecurity requirements.
Monday's statement also said that due to difficulties accessing the account, SEC staff had asked X Support in June of 2023 to disable MFA, which can offer added protection against unauthorized access.
"MFA currently is enabled for all SEC social media accounts that offer it," the statement said.
ADVERTISEMENT
A representative for X did not immediately respond to a request for comment.
U.S. agencies set their own policies on access to social media accounts but guidelines from the U.S. National Institute of Standards and Technology generally encourage the use of MFA, NIST told Reuters.
ADVERTISEMENT
The incident is under investigation by agencies including SEC's Office of Inspector General and its Division of Enforcement; the Commodity Futures Trading Commission, which regulates bitcoin futures; Federal Bureau of Investigation; Department of Justice; and Cybersecurity and Infrastructure Security Agency, the statement said.
Download
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
Download
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
Related Articles
How SIM swap fraud drains your money and what you can do todayADVERTISEMENT
