On Jan. 9, the US Securities and Exchange Commission’s X (formerly Twitter) account made a highly anticipated announcement: that it had approved spot bitcoin exchange-traded funds (ETFs), which would open the floodgates for institutional investment. Bitcoin spiked. The only problem was that the news was fake. The SEC account was “compromised, and an unauthorized tweet was posted,” chair Gary Gensler clarified within minutes, adding that the listing and trading of spot bitcoin exchange-traded products had not been greenlit. Bitcoin plunged.
Fraudulent announcements, like the one on the SEC’s X profile, create volatility in the markets. Calls from lawmakers and senators descended upon the federal agency to investigate how its X account was compromised. The SEC got to work, cooperating with law enforcement to get to the bottom of the debacle.
The apparent truth, shared by X today (Jan. 10), shows that the incident wasn’t any sort of sophisticated hack. Instead, it was a simple SIM swap of sorts, in which fraudsters use a victim’s personal information to take control of their phone number.
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the SEC account through a third party,” X’s Safety team posted. “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
The goof-up is especially ironic given that, mere months ago, Gensler was reminding people to protect themselves against identity theft and fraud by using “multifactor authentication,” among other things.
The case for two-factor authentication, or 2FA
Using 2FA means that even with a username and password, a hacker can’t simply log into your account. The second step, whether a one-time SMS passcode, a randomly generated code on an authenticator app, a fingerprint, or something similar, is a guardrail that protects users from phishing, social engineering, and password brute-force attacks.
The SEC isn’t alone in skipping this crucial step. As of 2022, half the companies surveyed in CyberEdge’s annual Cyberthreat Defense Report had not activated this additional security layer. Despite all its pluses, it’s perceived as costly, confusing, and cumbersome.
Quotable: SEC’s cybersecurity under scrutiny
“These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures and are antithetical to the Commission’s tripart mission to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation... It is unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error.”
—Senators JD Vance and Thom Tillis in a Jan. 9 letter to the SEC. They’ve given Gensler until Jan. 23 to issue a response detailing who made the post—an SEC employee or an outsider—and how the agency plans to rectify financial losses borne by investors as a result of the errant announcement, among other things.