HomeWinBuzzer NewsU.S. Securities and Exchange Commission Hit by SIM-Swapping Scheme

U.S. Securities and Exchange Commission Hit by SIM-Swapping Scheme

SEC account hacked via SIM-swap, attackers exploited phone number, not internal systems. Hackers spread misinformation after gaining control.

-

The U.S. Securities and Exchange Commission has confirmed a breach of its X/Twitter account due to a SIM-swapping attack. Illustrating the persisting dangers of this type of threat, the attackers successfully commandeered the phone number associated with the commission's account without internal system access.

Details of the SIM-Swap Attack

A SIM-swap attack is a fraudulent act where cybercriminals deceive a mobile carrier into transferring a victim's phone number to a device they control. This diversion allows the unauthorized party to intercept texts, calls, and, critically, one-time passcodes used for multi-factor authentication (MFA). The SEC's breach illustrates the vulnerability to such attacks, as the manipulated the mobile carrier to port the SEC's phone number, enabling them to broadcast fake information.

Contrary to an earlier SEC notification, which lacked clarity on the breach's mechanism, the updated statement pinpoints the SIM-swap as the attack vector. Multi-factor authentication on the account had been disabled due to previous login issues, which increased its susceptibility. Had MFA been in place through an authentication app rather than SMS, the breach might have been averted, highlighting the recommendation to secure accounts with authentication apps or hardware security keys.

Continuing Threats and User Reaction

Recent times have seen a spike in hijacked accounts and fraudulent cryptocurrency promotions across various platforms. Users are increasingly frustrated with the onslaught of malicious activity online, a sentiment underscored by the conspicuousness of the SEC's hacked account and its aftermath. The SEC is currently cooperating with law enforcement in an ongoing investigation to understand the full scope of the SIM-swapping attack.

While the hack did not extend to internal systems or additional accounts, the event serves as a potent reminder of the importance of stringent cybersecurity measures, particularly regarding sensitive information and high-profile entities. The incident highlights vulnerabilities in current security practices and underscores the critical need for enhanced protection against sophisticated cyber-attacks.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.