US’ SEC disables MFA, falls to fraud attack

A pair of events, one nefarious and the other seemingly innocuous, allegedly combined to allow the takeover of a U.S. government regulator’s X account.

Someone reportedly was able to perform a SIM swap on a Securities and Exchange Commission phone account January 9.

Complicating the situation, SEC staff in July decided to temporarily disable multi-factor authentication on the agency’s X account to deal with problems staff were having accessing the account.

MFA was not restored until after the January 9 SIM swap attack.

That means the X account was unprotected for whoever swapped the SIM card and changed the access password.

It is not known who pulled off the attack, but there was at least one fraudulent post on @SECGov: the bogus announcement that the SEC signed off on spot bitcoin exchange-traded funds.

The government is still collecting information on both incidents, but as of January 22, investigators could find no evidence that someone “gained access to SEC systems, data, devices, or other social media accounts,” according to an agency statement.

The SIM swap occurred using the SEC’s telecommunication carrier systems and not SEC systems. The carrier has not been named.

It is not known how someone persuaded the telco to alter the card or how the person knew which phone number was on the account.

The American government’s top cybersecurity bodies urged IAM developers and vendors to strengthen MFA implementations to protect against hacks late last year.

Article Topics

cybersecurity  |  multifactor authentication  |  social media  |  U.S. Government  |  X (twitter)