SEC social media hack highlights value of MFA
The US SEC briefly appeared to approve new bitcoin trading rules after a social media account was targeted by troublemakers, proving the value of MFA once again
Cryptocurrency markets fluctuated wildly on the evening of Monday 9 January after the US financial regulator, the Securities and Exchange Commission (SEC), briefly appeared to claim it had approved spot bitcoin exchange-traded funds (ETFs) for the first time.
The fake announcement was made via X, the service formerly known as Twitter, at around 9pm GMT on 9 January, and was widely reported at the time. It stated that the SEC had granted approval for bitcoin ETFs on all registered national securities exchanges, something the regulator may yet do later this week; should it happen, it will be a landmark moment for crypto assets.
The statement, which was swiftly retracted, was in fact the result of a compromise of the SEC’s X account, which was confirmed by chair Gary Gensler moments later.
“The @SECGov Twitter account was compromised, and an unauthorised tweet was posted,” said Gensler via X. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
Computer Weekly understands the SEC was able to regain control of the account within an hour.
Following an investigation overnight, a spokesperson for X, which has been beset with problems since its takeover by erratic billionaire Elon Musk, said: “We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation.
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.
“We can also confirm that the account did not have two-factor authentication [2FA, MFA] enabled at the time the account was compromised. We encourage all users to enable this extra layer of security,” they said.
ESET global cyber security adviser Jake Moore said: “This proves that accounts on X continue to be targeted, and if an official account is compromised, then serious consequences can follow. Cryptocurrency scams remain the focal point, and with social pressure on X, they can still reap huge gains.
“Legitimate third-party access compromise or targeted social engineering are still the most common ways to obtain access to an account, which leaves the security onus very much on individuals. Therefore, even more significance should be directed at training staff and account owners, especially when dealing with high-profile accounts.”
What is an ETF?
An ETF is in essence a bucket of multiple different assets, such as stocks, bonds, currencies, debt, futures and commodities, that lets investors hedge their bets across a diverse range of assets without needing to buy one of each.
ETFs are traded like shares on stock exchanges, and the majority of them exist to track various stock or bond market indexes such as the FTSE 100 or Nasdaq. They confer some advantages, such as lower average costs for investors, and are considered less risky due to the number of diverse assets they hold, but they are not without their problems.
A crypto spot ETF – such as that teased by the SEC’s hackers – would invest directly in cryptocurrencies and track their real-time prices, so their share prices would fluctuate based on the underlying value of the cryptocurrencies gathered in the bucket. There is also the possibility of futures-based crypto ETFs.
According to the Financial Times, the SEC has been resisting the approval of bitcoin ETFs for some time, largely on the grounds of concerns of risk management and investor protection.
However, last year, an appeals court in the US ruled against the regulator’s previous rejection of an application from crypto asset manager Grayscale to set one up.
Citing sources familiar with the situation, the newspaper said that insiders at the SEC have suggested it could approve such mechanisms imminently.