Data Breach Insights
SEC X Account Takeover
- SEC X account was taken over to manipulate bitcoin ETFs
- Caused by cellphone SIM swap attacks
- Biometric authentication would have likely prevented it
What Happened
On January 12, 2024, the Securities and Exchange Commission stated that after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to its @SECGov X account by obtaining control of the phone number associated with the account. Once in control of the account, the party made two posts: the first announcing the SEC’s approval of spot bitcoin exchange-traded funds, and the second reading simply “$BTC.” SEC staff are assessing the scope of the incident, but there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.
How It Happened
The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with their X account by performing a “SIM swap” attack. SIM swapping transfers a person’s phone number to another device without their authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number. When the unauthorized party obtained control over the phone number, they were able to reset the password for the @SECGov X account.
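The chain above is: control of the number, receipt of the SMS reset code, new password. As an added illustration (not code from the SEC, X or authID), here is a constructed Python model of a carrier that routes SMS to whichever SIM holds a number, an account whose recovery is keyed to that number, and two reset policies: one that accepts the SMS code alone, and one that also demands a factor a number port cannot capture. The phone number, the `owner-only-proof` string and all class and function names are invented for the model.

```python
import secrets

class Carrier:
    """Constructed model: SMS for a number goes to whichever SIM holds it."""
    def __init__(self):
        self._inbox_for_number = {}

    def provision(self, number, inbox):
        self._inbox_for_number[number] = inbox

    def port_number(self, number, new_inbox):
        # The carrier-side effect of a SIM swap: the number now terminates
        # on a SIM the legitimate owner does not hold.
        self._inbox_for_number[number] = new_inbox

    def send_sms(self, number, text):
        self._inbox_for_number[number].append(text)

class Account:
    """Account whose password recovery is keyed to a phone number."""
    def __init__(self, phone, carrier, independent_factor):
        self.phone, self.carrier = phone, carrier
        self.independent_factor = independent_factor  # check not tied to the number
        self.password, self._pending_code = "original", None

    def start_reset(self):
        self._pending_code = secrets.token_hex(3)
        self.carrier.send_sms(self.phone, "code:" + self._pending_code)

    def finish_reset(self, code, new_password, proof=None, hardened=False):
        # Weak policy: the SMS code alone (i.e. control of the number) suffices.
        # Hardened policy: also demand a factor a number port cannot capture.
        if code != self._pending_code:
            return False
        if hardened and not self.independent_factor(proof):
            return False
        self.password = new_password
        return True

def simulate(hardened):
    """True if the attacker ends up resetting the password after a SIM swap."""
    carrier, owner_inbox, attacker_inbox = Carrier(), [], []
    carrier.provision("+15550100", owner_inbox)
    acct = Account("+15550100", carrier, lambda p: p == "owner-only-proof")
    carrier.port_number("+15550100", attacker_inbox)  # the SIM swap has happened
    acct.start_reset()
    code = attacker_inbox[-1].split(":")[1]  # OTP reaches the attacker, not the owner
    return acct.finish_reset(code, "attacker-chosen", proof="not-the-owner", hardened=hardened)
```

The weak policy lets the reset succeed with the number alone; the hardened policy fails it because the second check never passes through the carrier.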
authID Impact
If the SEC had required its X account owners to enroll their facial biometrics in authID’s biometric authentication solution for authorizing posts, the attacker would have had to pass a facial match against the enrolled owner before any post went out. This method is unaffected by a SIM swap because authID’s biometric authentication solution is not tied to any device or phone number. If the attacker had tried to use a digital facial image of the X account owner, whether by presenting it to a camera or by injecting it through software, hardware, or network means, it would have been identified as a presentation or injection attack and the post would have been blocked.
According to the IBM Cost of a Data Breach Report 2023
The average data breach in the US last year cost businesses $4.4M. Biometric verification would have helped stop it.
Set up a free 30-day trial today to help prevent a data breach!