
Sleuthing the SEC’s SIM swap incident: Which carrier was involved?

A little sleuthing on the SEC’s SIM swap attack indicates that the mobile carrier involved in that incident is likely the one that accounted for 98% of the agency’s mobile phone spending in 2020.

On January 9, the Twitter account of Gary Gensler, Chairman of the Securities and Exchange Commission (SEC), notified the public that “The @SECGov Twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”

The errant tweet jumped the gun by two days in announcing the SEC’s much-anticipated approval of a Bitcoin ETF. Twitter’s @Safety account immediately confirmed the breach, pointing the finger mainly at a SIM swapper, saying, “Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

On January 12, the SEC said it was working with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, among others, in investigating the incident. On January 22, the SEC confirmed that an unauthorized party “obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

The Commission added, “Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.” The SEC further confirmed that it disabled two-factor authentication on X in July of 2023, and it remained disabled until after January 9, but 2FA is now enabled for all accounts that offer it.

For a month now, the SEC has been silent on the details surrounding the SIM swap, including which carrier was involved and how the SIM swap occurred. Although the SEC didn’t identify the phone carrier, a little sleuthing indicates that it’s likely the carrier that accounted for 98% of mobile phone spending for the Commission in 2020.

SIM swap track records of the major carriers

Of the top three mobile carriers in the US, T-Mobile has the worst public track record for enabling SIM swaps. Last August, security consulting giant Kroll pointed to T-Mobile’s transfer of an employee’s phone number to a threat actor without any contact with the company or its employees. This swap led to the theft of user information for multiple cryptocurrency platforms that relied on Kroll services in their ongoing bankruptcy proceedings.

Last November, Ethereum co-founder Vitalik Buterin’s Twitter account was hijacked, and victims were scammed out of $691,000 because T-Mobile enabled the threat actor to take over his account via a SIM swap.

These high-profile incidents cap a long history of complaints against T-Mobile for lax standards that lead to SIM swaps. Those complaints ultimately led to a major class-action lawsuit that is still pending.

Verizon and AT&T have better track records regarding SIM swaps but have also experienced their fair share of public incidents and lawsuits, including SIM attacks from an international cybercrime group. In one highly publicized incident, the SIM swapper allegedly bribed an AT&T employee, leading to the theft of $24 million in cryptocurrency.

The growing rash of SIM swaps across all carriers prompted the US Federal Communications Commission to adopt new rules in November 2023 requiring wireless providers to use more secure authentication methods.
