Immediately after the exchange closed on January 9, the U.S. Securities and Exchange Commission announced on X (née Twitter) that it had approved exchange-traded funds, or ETFs, holding the cryptocurrency Bitcoin.
There was just one problem: the SEC never issued this announcement; someone else did.
Fifteen minutes after the fake post was published, agency chair Gary Gensler shared that the agency had not actually approved the listing. “The @SECGov Twitter account was hacked,” he wrote, “and an unauthorized tweet was sent.”
This revealed an obvious problem: global crypto markets trade 24/7, and this announcement clearly moved the needle. In the minutes following the unauthorized post, the Bitcoin price rose more than 4%, then lost more than it had gained after the SEC declared the post fraudulent. The SEC began working with federal law enforcement to investigate how such a hack could have occurred. Finally, on January 22, the regulator announced what it had learned about how the breach occurred. As it turned out, the agency fell victim to a frighteningly simple scam.
The SEC was targeted with a SIM swap, in which an attacker gained control of the phone number linked to the account, used it to reset the password for the X account, and then had carte blanche to publish whatever they wanted. To do this, attackers must first figure out which phone number is tied to the account, contact that person’s phone service provider, and persuade the provider to reassign that number to a different device, experts told Fast Company.
“Just like you can call your phone service provider and say, ‘I dropped my phone in the toilet, I need a new phone,’ an attacker can do anything you can do during that phone call,” says Rachel Tobac, CEO of SocialProof Security.
The SEC made the simple mistake of turning off multi-factor authentication months before the attack because its staff had difficulty sharing access to the account with the security measure on. It’s unclear whether the agency had used text message-based authentication or app-based authentication, but the latter method, which experts consider more secure, could have prevented the loss of the account: an app-generated code is derived from a secret stored on the device, so it never passes through the phone network and a reassigned phone number does not yield it. There are also dedicated password managers and tools that let companies securely share passwords and multi-factor authentication codes.
Tobac says the flaw in X’s system is that it allows users to link a phone number, and even requires one for accounts that want to be verified. X also allows users to reset their passwords via a text message sent to that phone number; but Tobac says it’s much safer to initiate such changes through an email account, which is harder to hijack. As for whether there is a way for X to catch such abuse, Tobac says there is nothing to catch. “If they encourage you to add your phone number and then let you change your password with your phone number, there’s nothing to catch because that’s expected behavior,” she says.
Katie Moussouris, founder and CEO of Luta Security, says SIM swapping attacks will continue until mobile phone operators change the way they operate, or are forced to by stronger rules and regulations.
“We should never have allowed organizations to authenticate through a technology that is as easily intercepted as text messages,” says Moussouris. “Until mobile phone operators are forced through regulation to make SIM swapping more difficult for attackers, we will see these attacks continue for years to come.”