
Data Breach Insights

SEC X Account Takeover

  • SEC X account was taken over to manipulate bitcoin ETFs
  • Caused by cellphone SIM swap attacks
  • Biometric authentication would have likely prevented it


What Happened

On January 12, 2024, the Securities and Exchange Commission stated that shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to its @SECGov X account by obtaining control of the phone number associated with the account. Once in control of the account, the party made two posts: the first announced the SEC’s approval of spot bitcoin exchange-traded funds, and the second read “$BTC.” SEC staff is still assessing the scope of the incident, but there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.

How It Happened

The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with its X account by performing a “SIM swap” attack. A SIM swap transfers a person’s phone number to another device without their authorization, so the unauthorized party begins receiving the voice calls and SMS messages sent to that number. Once the unauthorized party controlled the phone number, they were able to reset the password for the @SECGov X account.

authID Impact

If the SEC had required its X account users to enroll the account owner’s facial biometrics in authID’s biometric authentication solution for authorizing posts, the attacker would have had to authenticate with the owner’s face to make a post. This control is unaffected by a SIM swap because authID’s biometric authentication is not tied to any device or phone number. If the attacker had attempted to use a digital facial image of the X account owner, whether by presenting it to a camera or by injecting it through software, hardware, or network means, it would have been identified as a presentation or injection attack and the post would have been blocked.
