From the sounds of it they had disabled MFA since it was too annoying, but the phone number was still set up to be able to do a password recovery (probably by default I'm guessing) so really the phone number was the only thing required to get in.
I wonder if MFA even was at play here. If you can reset the password with nothing but a SIM-swapped phone number then the password was basically vestigial. And if you were using text for 2FA then really it was single factor the whole time even though you might not realize it.
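A small risk model of the point made above (an added example, not part of the thread): it treats the password, phone number and other factors as assets, lets any asset be replaced by whatever can recover it, and reports the minimal set of assets an attacker must control. The scenario and asset names are constructed for illustration.

```python
def minimal_compromise_sets(login_requires, recovery):
    """Return the minimal sets of attacker-controlled assets that take over the account.

    login_requires: assets needed for a normal login (all of them).
    recovery: mapping asset -> list of asset sets, any of which can reset or
              replace that asset (e.g. the phone number can reset the password).
    """
    frontier = [frozenset(login_requires)]
    reachable = set()
    while frontier:
        need = frontier.pop()
        if need in reachable:
            continue
        reachable.add(need)
        # Substitute any required asset with an alternative that recovers it.
        for asset in need:
            for alternative in recovery.get(asset, ()):
                frontier.append((need - {asset}) | frozenset(alternative))
    # Keep only sets with no proper subset that also suffices.
    return sorted(
        (s for s in reachable if not any(other < s for other in reachable)),
        key=lambda s: (len(s), sorted(s)),
    )


def effective_factor_count(login_requires, recovery):
    """Smallest number of independent assets an attacker must control."""
    return min(len(s) for s in minimal_compromise_sets(login_requires, recovery))


# Constructed scenarios mirroring the thread; asset names are illustrative.
SCENARIOS = {
    # MFA disabled, phone number kept as the password-recovery channel.
    "mfa_off_phone_recovery": ({"password"}, {"password": [{"phone"}]}),
    # Password + SMS code, with the same phone number also able to reset the password.
    "sms_2fa_phone_recovery": ({"password", "sms_code"},
                               {"password": [{"phone"}], "sms_code": [{"phone"}]}),
    # Password + hardware key; the key can only be replaced via offline backup codes.
    "hw_key_backup_codes": ({"password", "hw_key"},
                            {"password": [{"phone"}], "hw_key": [{"backup_codes"}]}),
}

if __name__ == "__main__":
    for name, (login, recovery) in SCENARIOS.items():
        sets = [sorted(s) for s in minimal_compromise_sets(login, recovery)]
        print(f"{name}: effective factors = {effective_factor_count(login, recovery)}; "
              f"minimal takeover sets = {sets}")
```

In the first two scenarios the phone number alone suffices, so the account is single-factor regardless of whether SMS 2FA is enabled; only the third setup needs two independent assets.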
This is one of the reasons that I try to avoid giving companies my number. I'm always worried that they will decide that it is a valid recovery mechanism for my account. (Either that it is required, locking me out, or that it is sufficient, allowing takeover.)
Which is worse? Your SIM as an alternate password, or public information about you being your alternate password? ("Security" questions and "identity verification")
I thought this was a good strategy too until someone said that a customer service rep once asked him one of the questions over the phone and, lacking his backed up security questions at hand, he just said "it is a bunch of random characters" and was let through...
Probably the best bet is using a passphrase here but it might not be foolproof.
I've started to make up answers that could be accurate, but aren't obvious / the first thing someone would guess. For example, if the question is "where were you born?", I pick a random city.
I have read a suggestion that one should pick real (but randomly generated) words because, where it is possible to call the company that maintains your account, an attacker might claim that the recovery answer is a series of random characters, and there is a chance that the employee will accept this and allow the attacker access to the account.
"Monday's statement also said that due to difficulties accessing the account, SEC staff had asked X Support in June of 2023 to disable MFA, which can offer added protection against unauthorized access."
I suppose life is about to get way more difficult for those who found accessing X with MFA too difficult ...
What's somewhat comical is that the federal government has a PKI system (common access cards [1]) that Login.gov supports, but SEC folks couldn't manage a Yubikey or similar secure hardware authenticator for their Twitter/X account.
A lot of this should land on X. This is a high-profile, high-risk account. Allowing a password reset on these accounts without an additional check is sloppy. When people look at how many people you need to actually run X, things like this often get lost, and over time, they degrade trust in the service.
Wouldn't it be more reasonable that government agencies treat their accounts as high risk and implement proper security measures themselves? Why should X use their manpower for special treatment to SOME of their users? If anything they should educate ALL users to use proper security, but the blame is entirely on the SEC. Don't be ridiculous.
The article also mentions that:
> The SEC also said that, six months prior to the attack, staff had removed an added layer of protection, known as multi-factor authentication (MFA), and did not restore it until after the Jan. 9 attack.
So they removed MFA for some reason. How should X handle a situation like that?
> Why should X use their manpower for special treatment to SOME of their users?
Because X wants to continue to be a trusted platform. The more account takeovers there are, the more people start to doubt what authoritative sources say on X, and the less they use X.
> How should X handle a situation like that?
Flag high-risk accounts to go through extra verification because the cost of not doing it is high.
Did you miss the part of the article where the SEC themselves removed the MFA? The SEC being complete idiots doesn't rub off on X. X isn't a source to trust, that's not how it works; X is a platform.
You trust the source behind the account, and that varies based on who the account belongs to, not how many computer illiterate users got hacked. Any journalist worth their name will contact the source through official channels to confirm statements made on X.
In my country, carriers are allowed to cancel your SIM card if you don't use it for a couple of months, then give the number to some other, new customer.
It's a nightmare since you can lose your accounts and even the debit card is tied to a phone number to make online payments.
I wanted to swap providers but I had to keep the old SIM active in a phasing-out stage...
Intelligence agencies of the world should award a medal to the person who decided to push SMS confirmation as a security feature. SIMs are insecure, ephemeral and not even owned by you. I can't think of a worse method.