
New hacking details are a bad look for the SEC—and also for Elon Musk’s X

By Jeff John Roberts, Editor, Finance and Crypto

Jeff John Roberts is the Finance and Crypto editor at Fortune, overseeing coverage of the blockchain and how technology is changing finance.

Elon Musk’s X has faced criticism over cybersecurity, such as for the removal of SMS-based multifactor authentication for nonsubscribers. (Photo: Antonio Masiello/Getty Images)

The Securities and Exchange Commission released new information about its colossal screw-up earlier this month that saw a hacker take over its social media account and briefly scramble the crypto markets by preempting news of a Bitcoin ETF decision. The details confirmed suspicions that the SEC, which has been going around fining firms with sloppy cybersecurity, failed to practice what it preaches. But the news also served as a reminder of how Elon Musk, since he bought Twitter and rebranded it as X, has undermined the security of the platform.

As for the hack itself, the SEC told Fortune and others on Monday that the debacle came about because someone at the agency got SIM swapped—meaning the hacker bribed or tricked someone at T-Mobile or another big carrier to transfer the cellular service, and the phone number associated with it, to their phone. SIM swaps are not always nefarious. You might, for instance, be leaving the U.S. and ask your carrier to transfer your number and account to your sister. But they usually involve something crooked.

SIM swaps are used for a variety of crimes but are especially common in the crypto world (shocking, I know) because they can help a hacker break into someone’s financial or social media accounts. This happens because taking control of someone’s cellular account lets the hacker intercept verification codes sent by text message. You’ve no doubt received such texts from your bank or Facebook or some other platform when trying to log in.

There was a time when SIM swapping was on the cutting edge of cybercrime, but that’s no longer the case. Today, it’s common knowledge among security professionals—and even among the general public—that text messages are a weaker form of multifactor authentication (a.k.a. MFA or 2FA), and that it’s better to use an app like Google Authenticator or Authy to verify an account. Even if a hacker gets hold of your cellular service, they won’t—unless they have your phone, too—be able to see the codes displayed in those apps.

Chair Gary Gensler and other senior people at the SEC no doubt knew that relying on text message-based verification is considered poor security, and that it would increase the chances of their X account getting hacked. Yet they didn’t bother to demand their staff use an authenticator app. Worse, the SEC admitted in their comments on Monday that, at the time of the attack, they had multifactor authentication disabled entirely.

This is a horrible look for Gensler, but let’s also save some of the blame for Elon Musk. Recall that, shortly after the billionaire took over Twitter, the platform disabled text message-based verification for all users unless they paid for its new subscription service. For cybersecurity professionals, this is deeply unethical and akin to a car dealer saying they will remove a customer’s seat belts unless they pay more for their monthly lease. Worse, Musk and X did nothing to remind customers—including the SEC—that their accounts were unprotected and push them to add MFA via an authenticator app.

In that spirit, I’ll confess the SEC is hardly alone in failing to properly lock down its X account. Following Monday’s news, I checked the settings on my account and found I, too, had failed to add an additional form of MFA since X removed text message validation early last year. I’ve since spent two minutes adding app-based MFA to my account. I suggest you do the same.

Jeff John Roberts
jeff.roberts@fortune.com
@jeffjohnroberts

DECENTRALIZED NEWS

Figure, the blockchain venture started by a SoFi cofounder, is reportedly raising $250 million and seeking regulatory permission to issue the first federally approved stablecoin in the U.S. (Bloomberg)

The bankrupt FTX estate sold around $1 billion worth of newly created Grayscale Bitcoin ETF shares, an unusual event that likely contributed to the recent slump in prices. (CoinDesk)

A week after similar issues arose in Coinbase v. SEC, a second judge heard Binance's challenge to the agency's practice of labeling nearly every cryptocurrency a security. (Reuters)

The number of Bitcoin holders around the world grew 33% from 222 million to 296 million in 2023, according to an unverified survey by the exchange Crypto.com. (The Block)

The price of Bitcoin briefly dropped below $40,000 again for a 4% loss on Monday, while Ethereum fell over 6%. (Reuters)

MEME O’ THE MOMENT

Hope springs eternal, Bitcoin style:

This is the web version of Fortune Crypto, a daily newsletter on the coins, companies, and people shaping the world of crypto. Sign up for free.