
SIM swapping: the simple way that hackers took over the SEC’s X Account

Experts say SIM swap attacks will continue happening until mobile phone carriers change how they operate—or are forced to do so with stronger rules and regulations.

[Photo: Markus Winkler/Unsplash]

By Scott Nover

Just after the stock market closed on January 9, the U.S. Securities and Exchange Commission posted on X (née Twitter) that it had approved exchange-traded funds, or ETFs, that included the cryptocurrency bitcoin. It was a massively important, potentially market-moving announcement, and one that was hotly anticipated by crypto fanatics, professional traders, and casual investors alike. 

There was only one problem: The SEC never posted that announcement—someone else did.

Fifteen minutes after the false post went up, agency chair Gary Gensler posted that the agency had not in fact approved the listing. “The @SECGov Twitter account was compromised,” he wrote, “and an unauthorized tweet was posted.”

This presented an obvious problem (never mind the fact that the SEC actually did approve bitcoin ETFs a mere two days after the hack): the global crypto markets trade 24/7, and this announcement clearly moved the needle. The price of bitcoin shot up more than 4% in the minutes following the unauthorized post and lost even more than it gained after the SEC clarified it was fraudulent. The SEC, for its part, went right to work alongside federal law enforcement to investigate how such a hack could occur. Finally, earlier this week, on January 22, the regulator disclosed how it believes the breach transpired. As it turns out, the agency fell victim to a frighteningly uncomplicated scam.

The SEC was targeted by a SIM swap, whereby an attacker—or group of perpetrators—gained control of the phone number linked to the Twitter account, used it to reset the X account’s password, and then had carte blanche to post whatever they pleased. In order to do this, experts tell Fast Company, the attackers needed to first figure out what phone number was linked to the account, contact that number’s phone service provider, and convince the provider to reassign the number to a different device.

“Just like you can call up your telephone service provider and say, ‘Hey I dropped my phone in the toilet, I need a new phone,’ anything you can do on that phone call an attacker can do as well,” says Rachel Tobac, the CEO of SocialProof Security. 

The SEC made a simple error months before the attack, turning off multifactor authentication because its staff had difficulty sharing access with the security precaution turned on. It’s not clear whether the agency used text-message-based authentication or app-based authentication (such as Google Authenticator), but the latter method—which experts consider more secure—could have prevented them from losing access to the account. There are also special password managers and tools for companies to securely share passwords and multifactor-authentication codes.

Tobac says the flaw in X’s system is that it allows users to link a phone number—and even requires a phone number for accounts that want to be verified. X also allows users to reset their passwords through a text message to that phone number, though Tobac says initiating these changes through an email account, which is harder to hack, is a much more secure method. As to whether there’s any way for X to catch these kinds of breaches, Tobac says there’s nothing to catch. “If they encourage you to add your phone number, and then allow you to change your password to your phone number, there’s nothing to catch—because that’s an expected behavior,” she says.
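To make the reset path Tobac describes concrete, here is an added example (not code from the article, from X, or from the SEC) that models an account whose password can be recovered by an SMS code to the linked number or by an authenticator-app code (RFC 6238 TOTP, implemented with the standard library). The toy carrier, the phone number, and the account are constructed; the TOTP secret is the RFC 6238 test vector, not a real key. Once the carrier reroutes the number, the SMS path authorizes whoever now holds it, while the app path still requires the secret that never left the owner's device.

```python
import hmac, hashlib, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

# Constructed account: recovery allowed by SMS to the linked number and by an app code.
ACCOUNT = {
    "phone": "+15555550100",                  # constructed number
    "totp_secret": b"12345678901234567890",   # RFC 6238 test secret, not a real key
    "sms_reset_enabled": True,
}

class Carrier:
    """Toy carrier: routes each phone number to the handset that receives its SMS."""
    def __init__(self):
        self.routing = {ACCOUNT["phone"]: "owner-handset"}
    def deliver_sms(self, number: str) -> str:
        return self.routing[number]
    def reassign(self, number: str, handset: str) -> None:
        self.routing[number] = handset   # the number moves to a new device (the SIM swap)

def password_reset(account, carrier, requester, totp_code=None, now=None):
    """Return the recovery path that authorized the reset ('sms' or 'totp'), or None."""
    if account["sms_reset_enabled"]:
        # The SMS code reaches whichever handset the carrier currently routes the number to.
        if carrier.deliver_sms(account["phone"]) == requester:
            return "sms"
    t = now if now is not None else int(time.time())
    if totp_code is not None and hmac.compare_digest(totp_code, totp(account["totp_secret"], t)):
        return "totp"
    return None

def recovery_after_number_loss(sms_reset_enabled: bool, t: int = 59) -> dict:
    """Threat-model check: who can reset the password once the number no longer reaches its owner?"""
    acct = dict(ACCOUNT, sms_reset_enabled=sms_reset_enabled)
    carrier = Carrier()
    carrier.reassign(acct["phone"], "other-handset")
    owner_code = totp(acct["totp_secret"], t)  # generated by the owner's authenticator app
    return {
        "number_holder": password_reset(acct, carrier, "other-handset", now=t),
        "owner_with_app": password_reset(acct, carrier, "owner-handset", owner_code, now=t),
    }

if __name__ == "__main__":
    print("SMS reset on: ", recovery_after_number_loss(True))
    print("SMS reset off:", recovery_after_number_loss(False))
```

With SMS reset enabled the number holder is authorized via "sms"; with it disabled only the owner's app code succeeds.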

Katie Moussouris, the founder and CEO of Luta Security, said that SIM swap attacks will continue happening until mobile phone carriers change how they operate—or are forced to do so with stronger rules and regulations.

“We should never have let organizations build authentication on a technology as easily hijacked as text messages,” Moussouris says. “Until mobile phone carriers are forced via regulation to make SIM swapping hard for attackers, we will see these attacks persist for years to come.”
