SEC confirms SIM Swap Attack on their X

Ink

Today, the SEC has confirmed that a cell phone account associated with the X account suffered a SIM-swapping attack.

"Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," explains an updated SEC press statement on the breach.
The SEC also confirmed that multi-factor authentication was not enabled on the account, as they had asked X support to disable it when they encountered problems logging into the account.

If MFA had been enabled via SMS, the hackers would still have been able to breach the account, as they would have received the one-time passcodes.
However, if the security setting had been configured to use an authentication app, it would have prevented the threat actors from logging into the account, even after the attackers had changed the password.

For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.
 

TairikuOkami

For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.
I am glad it was confirmed, if only some security devs would take notice. SMS is mandatory on FB for recovery and MS is bugging me about it more and more, I guess they will force it eventually.

 

Ink

I am glad it was confirmed, if only some security devs would take notice. SMS is mandatory on FB for recovery and MS is bugging me about it more and more, I guess they will force it eventually.

Email and SMS are only for Unusual Alerts and Account Changes, not 2FA codes unless you haven't enabled the secure methods below.

There is no harm in adding these details to your Microsoft account.
account.live.com/proofs/manage/additional

By default you should either be using the Microsoft Authenticator app, or a Security Key.

If you've set up Passwordless, the MS Authenticator prompts for verification using biometrics.
 

TairikuOkami

Email and SMS are only for Unusual Alerts and Account Changes, not 2FA codes unless you haven't enabled the secure methods below.
MS literally states that it will use phone for recovery, I do not want that, I have a backup code, authenticators and emails. I have added phone for contact and billing already, but not for recovery.

 

Ink

MS literally states that it will use phone for recovery, I do not want that, I have a backup code, authenticators and emails. I have added phone for contact and billing already, but not for recovery.

I assume it would be used in the worst-case scenario, but as you use other forms of authentication, SMS/Email won't be used. I have never received 2FA via SMS unless I requested it.

It's not the case of you not wanting them to have your phone number. They already have more information about you on file.

Edit: If you lose access to SMS, recovery email and authenticator, the last line of defense will be your 25-character recovery code.


Edit: Using 2 recovery emails instead of 1 should disable the SMS prompt notification.
 

TairikuOkami

Using 2 recovery emails instead of 1 should disable the SMS prompt notification.
Thank you so much, MS finally stopped asking me (forcing me) to add the phone. All checks are green. (y)
I route emails through each other, so I have like 5 emails in 1 and I do not consider them as different emails.
 


Ink

Thank you so much, MS finally stopped asking me (forcing me) to add the phone. All checks are green. (y)
I route emails through each other, so I have like 5 emails in 1 and I do not consider them as different emails.
Additional security options allow you to completely remove the Microsoft password, which reduces common phishing and password attacks. Learn more about removing your password.

 

TairikuOkami

Additional security options allow you to completely remove the Microsoft password, which reduces common phishing and password attacks.
I have a watch connected to the phone, so the MFA prompt would notify me instantly. Anyway, last year MS had a passwordless outage for several hours, and the workaround was to log in via a password. 🤣
 
