The security staff at Twitter (I refuse to name the positioning X as a result of that’s the utterly daft form of title a nine-year-old would select) has responded to the excessive profile hack of the SEC Twitter account, which made headlines around the globe.
And what have they got to say?
Nicely, in a nutshell – “it’s not our fault.”
Based mostly on our investigation, the compromise was not attributable to any breach of X’s techniques, however relatively attributable to an unidentified particular person acquiring management over a telephone quantity related to the @SECGov account by means of a 3rd get together. We will additionally verify that the account didn’t have two-factor authentication enabled on the time the account was compromised.
What @Security is saying is that somebody hijacked management of the cell phone quantity related to the official SEC account. This was, one assumes, by means of a SIM swap assault.
A SIM swap assault is the place a scammer manages to trick the customer support employees of a cellphone supplier into giving them management of another person’s telephone quantity. Generally that is achieved by a fraudster reciting private details about their goal to the telecoms firm, tricking them into believing they’re somebody they’re not.
When a service – akin to Twitter – later sends a password reset hyperlink or authentication token to the consumer’s telephone quantity by way of SMS it leads to the fingers of the prison.
Victims of SIM swap assaults prior to now have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.
And, I’m afraid, Twitter does make it potential to reset an account password simply by understanding and gaining access to a cell phone quantity.
The opposite attention-grabbing revelation is that the official SEC Twitter account didn’t have two-factor authentication (2FA) enabled. It is a function that I’d advocate all customers activate, because it gives an extra layer of safety – and may make it more durable (albeit not solely unimaginable) for criminals to interrupt into an account.
To listen to that the US Securities & Change Fee didn’t have multo-factor authentication enabled is frankly bonkers.
Is that this the identical SEC that’s chaired by Gary Gensler, who throughout cybersecurity consciousness month in October, reminded everybody of the significance of establishing multi-factor authentication to safe their accounts?
Hey, right here’s an concept for Twitter/X/Elon’s multi-billion greenback vainness undertaking (delete as relevant).
Why don’t you make two-factor authentication (ideally not SMS-based, as there are higher types of 2FA) obligatory for verified and company accounts on Twitter?
