The protection staff at Twitter (I refuse to name the location X as a result of that’s the utterly daft sort of title a nine-year-old would select) has responded to the excessive profile hack of the SEC Twitter account, which made headlines world wide.
And what have they got to say?
Nicely, in a nutshell – “it’s not our fault.”
Based mostly on our investigation, the compromise was not resulting from any breach of X’s techniques, however quite resulting from an unidentified particular person acquiring management over a cellphone quantity related to the @SECGov account via a 3rd social gathering. We are able to additionally affirm that the account didn’t have two-factor authentication enabled on the time the account was compromised.
What @Security is saying is that somebody hijacked management of the cell phone quantity related to the official SEC account. This was, one assumes, via a SIM swap assault.
A SIM swap assault is the place a scammer manages to trick the customer support workers of a cellphone supplier into giving them management of another person’s cellphone quantity. Typically that is carried out by a fraudster reciting private details about their goal to the telecoms firm, tricking them into believing they’re somebody they’re not.
When a service – reminiscent of Twitter – later sends a password reset hyperlink or authentication token to the person’s cellphone quantity by way of SMS it leads to the arms of the prison.
Victims of SIM swap assaults prior to now have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.
And, I’m afraid, Twitter does make it attainable to reset an account password simply by realizing and accessing a cell phone quantity.
The opposite fascinating revelation is that the official SEC Twitter account didn’t have two-factor authentication (2FA) enabled. It is a characteristic that I might suggest all customers activate, because it offers a further layer of safety – and might make it more durable (albeit not solely unattainable) for criminals to interrupt into an account.
To listen to that the US Securities & Change Fee didn’t have multo-factor authentication enabled is frankly bonkers.
Is that this the identical SEC that’s chaired by Gary Gensler, who throughout cybersecurity consciousness month in October, reminded everybody of the significance of establishing multi-factor authentication to safe their accounts?
Hey, right here’s an thought for Twitter/X/Elon’s multi-billion greenback self-importance undertaking (delete as relevant).
Why don’t you make two-factor authentication (ideally not SMS-based, as there are higher types of 2FA) necessary for verified and company accounts on Twitter?