SEC GOT SIM SWAPPED
Wait what's a SIM Swap?

Good Morning!
I asked last week whether you guys liked multiple topics vs. a short deep dive on one. Well, here are the results:
Do we like multiple topics?
🟩🟩🟩🟩🟩🟩 Yes!
🟨🟨🟨🟨⬜️⬜️ Prefer one topic, "kinda deep" dive
🟨⬜️⬜️⬜️⬜️⬜️ Mix of both is best
So, here’s what we’ll do. Beginning next week, I’ll start the week with multiple news topics / current events and then close the week with a deep dive on a story, scam/hack, or security concept.
Two a week! Let’s go!

SEC Twitter Hack Update
Quick recap on the U.S. Securities and Exchange Commission's (SEC's) account security breach. On Jan. 9th, an unauthorized party gained access to the SEC's Twitter account and published a fake post claiming the SEC had approved the first-ever spot bitcoin exchange-traded funds, causing a quick spike in the digital markets before the post could be deleted and walked back by the commission.
Last week, I stated that the compromise most likely stemmed from a phishing campaign. Well, the government agency has recently released more details of the hack, and it turns out the breach originated from a SIM Swap attack.
What’s a SIM Swap Attack?
Good question. A SIM Swap is when a telephone number is transferred to another device without permission from the rightful owner. An attacker in control of your phone number will receive all text messages and phone calls meant for you.
Now, in order to get your number transferred to their device, they first need to manipulate your cell provider into conducting the swap. The scammer will call in pretending to be you and claim that the SIM card is broken and the line needs to be transferred to a new SIM (theirs).

Your cell provider most likely will ask for sensitive information, like your address, social security number, and date of birth to validate your identity. This is information researched and collected by the hackers from phishing attempts, your social media, or even bought off the dark web’s data brokers. Remember our newsletter on OSINT?
In the case of the SEC, the Twitter account was attached to the compromised phone number, allowing the hacker to change the password of the account and gain access.
How NOT to get got by a SIM Swap attack
Fortunately, there are a few ways to secure your number:
Set up a PIN with your cell provider: a 4-8 digit number or a passphrase that adds a further layer of security to your account.
Don’t build your security and identity authentication solely around your phone number. This includes text messaging (SMS), which is not encrypted. Enable Multi-Factor Authentication. EMPHASIS on the MULTI.
Call-backs: Some organizations call customers back to make sure they are who they say they are.
Take this opportunity to review your accounts and change old passwords so you Don't Get Got!
P.S. Your experiences matter. If you've encountered a scam or hack and have insights to share, we invite you to connect with us. Let's build a community that stands against cyber threats.