The protection staff at Twitter (I refuse to name the positioning X as a result of that’s the utterly daft sort of identify a nine-year-old would select) has responded to the excessive profile hack of the SEC Twitter account, which made headlines world wide.
And what have they got to say?
Effectively, in a nutshell – “it’s not our fault.”
Primarily based on our investigation, the compromise was not resulting from any breach of X’s techniques, however slightly resulting from an unidentified particular person acquiring management over a telephone quantity related to the @SECGov account by means of a 3rd social gathering. We are able to additionally affirm that the account didn’t have two-factor authentication enabled on the time the account was compromised.
What @Security is saying is that somebody hijacked management of the cell phone quantity related to the official SEC account. This was, one assumes, by means of a SIM swap assault.
A SIM swap assault is the place a scammer manages to trick the customer support workers of a cellphone supplier into giving them management of another person’s telephone quantity. Generally that is completed by a fraudster reciting private details about their goal to the telecoms firm, tricking them into believing they’re somebody they’re not.
When a service – similar to Twitter – later sends a password reset hyperlink or authentication token to the person’s telephone quantity through SMS it leads to the arms of the legal.
Victims of SIM swap assaults prior to now have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.
And, I’m afraid, Twitter does make it attainable to reset an account password simply by understanding and gaining access to a cell phone quantity.
The opposite fascinating revelation is that the official SEC Twitter account didn’t have two-factor authentication (2FA) enabled. This can be a function that I’d suggest all customers activate, because it offers an extra layer of safety – and may make it tougher (albeit not solely unattainable) for criminals to interrupt into an account.
To listen to that the US Securities & Alternate Fee didn’t have multo-factor authentication enabled is frankly bonkers.
Is that this the identical SEC that’s chaired by Gary Gensler, who throughout cybersecurity consciousness month in October, reminded everybody of the significance of establishing multi-factor authentication to safe their accounts?
Hey, right here’s an concept for Twitter/X/Elon’s multi-billion greenback self-importance challenge (delete as relevant).
Why don’t you make two-factor authentication (ideally not SMS-based, as there are higher types of 2FA) necessary for verified and company accounts on Twitter?
