The protection staff at Twitter (I refuse to name the location X as a result of that’s the fully daft form of identify a nine-year-old would select) has responded to the excessive profile hack of the SEC Twitter account, which made headlines world wide.

And what have they got to say?

Effectively, in a nutshell – “it’s not our fault.”

Based mostly on our investigation, the compromise was not on account of any breach of X’s methods, however quite on account of an unidentified particular person acquiring management over a cellphone quantity related to the @SECGov account by means of a 3rd occasion. We are able to additionally affirm that the account didn’t have two-factor authentication enabled on the time the account was compromised.

What @Security is saying is that somebody hijacked management of the cell phone quantity related to the official SEC account. This was, one assumes, by means of a SIM swap assault.

A SIM swap assault is the place a scammer manages to trick the customer support workers of a cellphone supplier into giving them management of another person’s cellphone quantity. Typically that is completed by a fraudster reciting private details about their goal to the telecoms firm, tricking them into believing they’re somebody they’re not.

When a service – corresponding to Twitter – later sends a password reset hyperlink or authentication token to the consumer’s cellphone quantity through SMS it leads to the arms of the felony.

Victims of SIM swap assaults previously have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.

And, I’m afraid, Twitter does make it doable to reset an account password simply by realizing and gaining access to a cell phone quantity.

The opposite attention-grabbing revelation is that the official SEC Twitter account didn’t have two-factor authentication (2FA) enabled. This can be a characteristic that I’d advocate all customers activate, because it supplies an extra layer of safety – and may make it more durable (albeit not completely inconceivable) for criminals to interrupt into an account.

To listen to that the US Securities & Trade Fee didn’t have multo-factor authentication enabled is frankly bonkers.

Is that this the identical SEC that’s chaired by Gary Gensler, who throughout cybersecurity consciousness month in October, reminded everybody of the significance of establishing multi-factor authentication to safe their accounts?

Hey, right here’s an thought for Twitter/X/Elon’s multi-billion greenback self-importance venture (delete as relevant).

Why don’t you make two-factor authentication (ideally not SMS-based, as there are higher types of 2FA) necessary for verified and company accounts on Twitter?

Discovered this text attention-grabbing? Observe Graham Cluley on Twitter, Mastodon, or Threads to learn extra of the unique content material we publish.