If you do not want to lose your accounts, the information associated with them and other private and important data, you must not leave any security gaps in your digital life. Losing a simple password can be a big setback if it falls into the wrong hands.
Even if you try to come up with a good password, you still need to go further to protect your accounts as much as possible. No one is safe from danger, not even government agencies; in fact, the US Securities and Exchange Commission (SEC) had its X account – formerly known as Twitter – hijacked, although the takeover did not last long.
Interestingly, they made a pretty fundamental mistake, but one that could happen to anyone with a social media account, and there’s a lot we can learn from it. The goal of the people who took over the account, it seems, was to ensure that an article related to Bitcoin
Verification is key
It was the Commission itself, the SEC, that revealed this malicious act by cybercriminals, who took control of its official X account. This was due, in part, to the fact that two-step verification had not been enabled, something all cybersecurity experts highly recommend.
And it seems that the event happened after someone at the Securities and Exchange Commission disabled two-step account verification, which was exploited to carry out a SIM swap attack. This ultimately paid off for the attackers, as they managed to take control of the account for a few minutes. As the agency confirms, at no time did they have access to its internal systems or databases, only to its account on the social network, so this will remain a simple anecdote.
This method relies on social engineering: the criminal took control of a phone number by tricking the phone company, likely by posing as its owner, into handing over control of the number and therefore access to the text messages and incoming calls sent to it. Any verification message carrying a login code then no longer reaches the person who actually owns the number.
The cybercriminals only had to go through the password reset process, have the confirmation SMS sent to them, and enter a passcode of their own. And it is something that can happen to anyone. The post they made on the agency’s profile caused Bitcoin to rise to $48,000, but soon after it fell by 6%. If they had stolen a different type of account, they might have succeeded in stealing data or even money from the owner; in this case the goal was clear.
How to prevent this from happening
The first mistake made by the American agency was disabling two-step verification. This decision was made because it was causing connection problems, and they contacted the X offices to deactivate the security mechanism, which they should have reactivated as soon as they managed to reconnect.
Two-step verification is a very advantageous mechanism in terms of security, since in addition to entering the password correctly, a second security measure is required. In this case it was carried out via SMS, but experts recommend not using this method, because someone – as happened in this case – can fraudulently gain control of the SIM card, whereas it is much harder to do so if another medium is used.
It is best to use verification apps like Microsoft Authenticator or Google Authenticator. These display a code that changes every few seconds, and to obtain it the cybercriminal would first have to get into our Google account, which, if well protected, is also complicated. In fact, X itself recommended doing two-step authentication through these types of apps, not SMS.
If you are still using SMS as a verification method, it is better to replace it with another alternative such as the apps mentioned above, although it is true that they cannot be used on every platform, since the platform itself must support these applications.