US regulator admits cyber-security lapse earlier than rogue Bitcoin put up
The US monetary regulator has confirmed a key safety process on its X account had been suspended for six months when hackers made a faux put up about Bitcoin in January.
The cryptocurrency surged in worth earlier than the put up was deleted.
The Securities and Exchange Commission (SEC) didn’t have multi-factor authentication (MFA) in place when hackers gained entry to the account.
Cyber-security specialists say it ought to be a wake-up name for different companies.
“While the SEC’s X account hack is a minor security incident, all governmental agencies should review the security of their social network accounts,” stated Ilia Kolochenko from cyber-firm ImmuniWeb.
He identified {that a} comparable incident at a physique such because the US Department of Defense might have extra “devastating consequences”.
“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC stated in a press release.
“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.
“MFA presently is enabled for all SEC social media accounts that provide it.”
Sim-swapping assault
The SEC has confirmed the account was compromised by a fraudster convincing a mobile operator to transfer an SEC employee’s phone number to a new Sim.
The employee who was targeted had their phone number associated with the SEC’s account for X, formerly known as Twitter.
Because MFA had been suspended on the account, the hacker was able to reset the password, log in and make a post.
It announced the SEC had approved so-called exchange-traded funds (ETFs) for Bitcoin, which shot up in value to $48,000 (£37,800) before the post was withdrawn.
Though the SEC has subsequently confirmed the regulatory change, the cryptocurrency fell to just over $38,600 on Tuesday, its lowest value in 2024 so far.
In a Sim-swapping attack, typically a hacker will call a mobile phone operator claiming they have lost the phone they are targeting and need a new Sim card sent out to them.
Sometimes, the hackers will go into a store in person to carry out the con.
MFA is intended to protect against this kind of hack.
It takes many forms, including having a dedicated app that gives you a pin code for a website, as well as sending a text message, though this is considered less secure.
If the verification a person chooses is to receive a text confirming they are the user, a person who has gained access to their phone number will receive the text message instead.
Because of this, experts advise people to use a dedicated app for verification instead.
Related Topics
-
-
23 hours ago
-
-
-
10 January
-