The security team at Twitter (I refuse to call the site X because that’s the utterly daft kind of name a nine-year-old would choose) has responded to the high-profile hack of the SEC Twitter account, which made headlines around the world.
And what do they have to say?
Well, in a nutshell – “it’s not our fault.”
Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.
What @Security is saying is that someone hijacked control of the mobile phone number associated with the official SEC account. This was, one assumes, via a SIM swap attack.
A SIM swap attack is where a scammer manages to trick the customer service staff of a phone provider into giving them control of someone else’s phone number. Often this is done by a fraudster reciting personal information about their target to the telecoms company, tricking them into believing they are someone they’re not.
When a service – such as Twitter – later sends a password reset link or authentication token to the user’s phone number via SMS, it ends up in the hands of the criminal.
Victims of SIM swap attacks in the past have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.
And, I’m afraid, Twitter does make it possible to reset an account password just by knowing, and having access to, a mobile phone number.
The other interesting revelation is that the official SEC Twitter account did not have two-factor authentication (2FA) enabled. This is a feature that I would recommend all users activate, as it provides an additional layer of security – and can make it harder (albeit not entirely impossible) for criminals to break into an account.
To hear that the US Securities & Exchange Commission didn’t have multi-factor authentication enabled is frankly bonkers.
Is this the same SEC that’s chaired by Gary Gensler, who, during cybersecurity awareness month in October, reminded everyone of the importance of setting up multi-factor authentication to secure their accounts?
Hey, here’s an idea for Twitter/X/Elon’s multi-billion dollar vanity project (delete as applicable).
Why don’t you make two-factor authentication (ideally not SMS-based, as there are better forms of 2FA) mandatory for verified and corporate accounts on Twitter?