Security often comes at a price. But it doesn’t have to.
Twitter took this idea to a new level recently by removing digital account protections from non-subscription users.
The decision was abrupt and unexpected, and has left users of the popular service wondering how they can stay safe on the platform without payment.
What happened and why
For anyone following the recent Twitter saga, the latest announcement may not have been such a surprise. The social media giant in the last few months had already set the tone by charging for verified account status, or ‘Twitter Blue.’
Now, they’re taking it one step further by stripping basic account security from the users who haven’t obtained subscriber status.
Beginning in March 2023, Twitter will remove users’ ability to protect their accounts with phone number-based 2FA (two-factor authentication). Specifically, receiving a verification code via SMS to login will no longer be an option.
Paid users can still protect and access their accounts this way, but most Twitter users (approximately 99% are unverified) will have to seek other security options.
Why did Twitter do this?
Twitter decided to pull the plug on SMS authentication because of their experience with fraudsters working to exploit these security options. While Twitter stated in a public statement that 2FA is a popular way to secure accounts, it also pointed out that it is subject to exploitation.
How can bad actors exploit SMS-based 2FA?
Besides physically stealing your smartphone from you, one way a fraudster can get into your account is through a SIM swap.
SIM swapping is when a bad actor tricks a victim’s wireless carrier into porting their phone number to a new SIM card, giving the fraudster access to the incoming calls and texts for that number. They can leverage that to gain access into digital accounts protected by SMS-based 2FA.
Fraudsters can be extremely smart, sneaky, and capable. Fraud is a billion dollar industry, indirectly incentivizing innovation. It’s important to not let these bad actors have such an easy go at it.
Toll fraud speculation
Twitter has stated that the main reason for removing SMS 2FA is due to the lack of security it offers. However, they still allow it for paid accounts, and the alternatives they allow don’t seem any safer.
This has led to speculation about why they would consider moving away from SMS 2FA. One idea is that Twitter was overwhelmed with toll fraud, a common problem for many companies.
Toll fraud is a communications fraud in which bad actors obtain premium rate numbers and target companies that generate high volumes of calls and messages. These sophisticated attacks inflate traffic across a number range and steal money from every interaction.
Because of the recent hit Twitter took from these SMS pumpings ($60 million), if we were making a guess, it seems like toll fraud played a part in Twitter’s decision. Rather than stopping toll fraud, they opted to remove 2FA.
What are the risks of Twitter disabling SMS-based 2FA?
As we saw when Twitter initially changed the verification requirements to receive a blue checkmark, it doesn’t take much for things to go haywire on this platform.
The same could be true if 2FA is disabled, as many large companies could have their accounts hacked, leading to a spread of spammy tweets or potential misinformation.
Is there a workaround?
Many headlines around the digital world regarding this issue are misleading. While it is true that Twitter disabled a form of 2FA, they didn’t disable all forms of 2FA. In that sense, there is some workaround currently baked into the existing system.
Twitter suggests users can instead use an authentication app or a security key method. These are viable options from a user perspective, especially if becoming a verified Blue subscriber isn’t in your interest.
How to switch from text/phone to authentication app or security key
The system will automatically kick unverified users off of the text message 2FA option on March 20. To get ahead of it and switch to another option, complete the following steps:
- Once logged into Twitter, click ‘More’, and then ‘Settings and privacy’
- Click ‘Security and account access’
- Click ‘Security’, then click ‘Two-factor authentication’
- Choose between ‘Authentication app’ or ‘Security key’, then complete the final steps based on your selections.
Not many Twitter users will download a separate authentication app. It’s much less convenient, and puts up more barriers to entry. The better way to handle this is through silent verification.
Twitter isn’t alone in their conundrum about how to balance account security with the risk of toll fraud. Many companies are victims of toll fraud, especially those with a higher volume of daily calls and messages.
Rather than shutting down a tried and true security method, such as 2FA, Telesign offers companies a new alternative: Intelligence. This solution is among the best ways to stop toll fraud, and it’s easy to implement and add to your current security stack.
Intelligence stops toll fraud by analyzing phone number behavior and alerting you of red flags involved with particular phone numbers. It provides a risk score, so that you can effectively determine whether to block or allow a number.
Twitter may have pulled the plug on 2FA because of toll fraud, but this controversial and puzzling decision doesn’t have to be yours. Fraud protection shouldn’t be something consumers have to pay to receive. Telesign believes security, trust and protection is a right.
If your company is struggling with the high costs of toll fraud, consider a simple, effective solution. To hear more about how Telesign can protect you from toll fraud and secure your user accounts, chat with us today.