Scams & Phishing News SEC confirms SIM Swap Attack on their X

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Today, the SEC has confirmed that a cell phone account associated with the X account suffered a SIM-swapping attack.

"Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," explains an updated SEC press statement on the breach.
The SEC also confirmed that multi-factor authentication was not enabled on the account, as they had asked X support to disable it when they encountered problems logging into the account.

If MFA was enabled via SMS, the hackers would still have been able to breach the account as they would have received the one-time passcodes.
However, if the security setting had been configured to use an authentication app, it would have prevented the threat actors from logging into the account, even after the attackers had changed the password.

For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,486
For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.
I am glad it was confirmed, if only some security devs would take notice. SMS is mandatory on FB for recovery and MS is bugging me about it more and more, I guess they will force it eventually.

capture_01232024_130053.jpg
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I am glad it was confirmed, if only some security devs would take notice. SMS is mandatory on FB for recovery and MS is bugging me about it more and more, I guess they will force it eventually.

View attachment 281080
Email and SMS are only for Unusual Alerts and Account Changes, not 2FA codes unless you haven't enabled the secure methods below.

There is no harm is adding these details to your Microsoft account.
account.live.com/proofs/manage/additional

By default you should either be using the Microsoft Authenticator app, or a Security Key.

If you've set up Passwordless, the MS Authenticator prompts for verification using biometrics.
 
  • Like
Reactions: Nevi and vtqhtr413

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,486
Email and SMS are only for Unusual Alerts and Account Changes, not 2FA codes unless you haven't enabled the secure methods below.
MS literally states that it will use phone for recovery, I do not want that, I have a backup code, authenticators and emails. I have added phone for contact and billing already, but not for recovery.

capture_01232024_185110.jpg
 
  • Like
Reactions: vtqhtr413

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
MS literally states that it will use phone for recovery, I do not want that, I have a backup code, authenticators and emails. I have added phone for contact and billing already, but not for recovery.

View attachment 281085
I assume it would be used under the worse case scenario, but as you use other forms of authentication then SMS/Email won't be used. I have never received 2FA via SMS, unless I request it.

It's not the case of you not wanting them to have your phone number. They already have more information about you on file.

Edit: If you lose access to SMS, recovery email, authentication, the last time of defense will be your 25 character recovery code.


Edit: Using 2 recovery emails instead of 1 should disable the SMS prompt notification.
 
Last edited:

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,486
Using 2 recovery emails instead of 1 should disable the SMS prompt notification.
Thank you so much, MS finally stopped asking me (forcing me) to add the phone. All checks are green. (y)
I route emails through each other, so I have like 5 emails in 1 and I do not consider them as different emails.
 

Attachments

  • capture_01242024_145217.jpg
    capture_01242024_145217.jpg
    41.7 KB · Views: 36
  • capture_01242024_145330.jpg
    capture_01242024_145330.jpg
    41.3 KB · Views: 38

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Thank you so much, MS finally stopped asking me (forcing me) to add the phone. All checks are green. (y)
I route emails through each other, so I have like 5 emails in 1 and I do not consider them as different emails.
Additional security options allow you to completely remove the Microsoft password, which reduces common phishing and password attacks. Learn more about removing your password.

Screenshot 2024-01-24 at 14.37.57.png
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,486
Additional security options allow you to completely remove the Microsoft password, which reduces common phishing and password attacks.
I have watch connected to the phone, so MFA prompt would notify me instantly. Anyway, last year MS had passwordless outage for several hours, a workaround was to login via a password. 🤣
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top