There are many takeaways from the SEC's X account breach. The most significant, and most concerning, is that two-factor authentication (2FA) was not enabled on the account. Enabling 2FA is probably the easiest and, arguably, the most important step in securing an online account. Not only does it actually protect the account, it also serves as a deterrent: most cyber criminals, on seeing 2FA enabled, simply move on to another target that does not use it.
In a secure world, had the SEC deployed 2FA using an authenticator application, such as Google's or Microsoft's, instead of receiving the one-time code via text message, it is likely that even a successful SIM swap would not have been enough to take over the account.
Targeting of cryptocurrency-related accounts and exchanges will continue. Crypto platforms handle large amounts of money in digital assets, which can be moved within seconds to anonymized wallets and accounts that are extremely hard to trace. Reversing transfers is also impossible, given the nature of blockchain transactions. 2FA should be mandatory for all account holders, and there is no reason why a social media platform such as X, where a compromised account can sow seeds of doubt and spread disinformation globally within seconds, should not enforce it as a mandatory security feature as well.
There is no doubt that the compromise of an account belonging to an organization as prominent as the SEC will affect trust in online public messaging going forward.