Twitter ends two-step verification (2FA) via SMS for all but paid users, citing its vulnerability to attacks by cybercriminals.
Twitter has eliminated the two-factor authentication system (2FA) via SMS for all its users, except paid ones. A decision that, like other recent measures by the giant of social networks, has sparked a controversy that has transcended the digital universe.
In a statement published in mid-February, Twitter said that, although verification by text message is a common form of 2FA, it has unfortunately found that this system, which relies on the phone number, is being used and exploited by cybercriminals.
Over the years, the company and many of its users, including its former CEO Jack Dorsey, have learned the hard way that text messages are susceptible to theft and that phone numbers are poor identifiers.
How 2FA authentication works and how it fails
Two-Step Verification is a way to add a valuable extra layer of protection to all accounts and is especially useful if cybercriminals have already gotten their hands on your password. It is unfortunate, therefore, that only 2.6% of active Twitter accounts had at least one double authentication method in the second half of 2021 (compared to a meager 2.3% the previous year). Of these, three-quarters used SMS as a source of verification.
First developed in the mid-1990s, this verification method has become by far the most popular system across email, social media, online stores, and banking platforms.
Waiting for a text message with a code and entering it after the password is a convenient way to improve account security. But while any second verification is much better than none, text messages have long been known to be susceptible to various attacks, as incoming texts are not encrypted and can be relatively easily intercepted, read, or redirected by cyber criminals.
In recent years, there have been numerous cases of attackers gaining access to accounts through, for example, SIM card swapping scams. In these scams, cybercriminals trick phone companies into transferring their victim’s phone number to a device under their control. From there, they can access bank accounts, social networks, and any other platform that uses that phone number for verification.
Throughout all this time, researchers such as those from the cybersecurity company ESET have found many examples of malware capable of circumventing two-factor authentication protections.
For example, in 2016, specialists from this company detected an Android banking Trojan that stole the access credentials of 20 mobile banking apps. The malware transferred all received text messages to the criminals. Three years later, ESET discovered malicious applications that exploited novel techniques to read One-Time Password (OTP) notifications that appeared on device screens.
Twitter’s own 2FA protections and security posture came under scrutiny in 2020 when a vishing attack against its staff led to the hijacking of some 130 accounts belonging to prominent personalities. In the attack, cybercriminals subverted the platform’s two-factor protections and used the accounts of Barack Obama, Elon Musk, and Bill Gates, among others, to run a bitcoin scam.
To carry out the attack, the scammers set up a look-alike of the Twitter VPN website, where employees enter their credentials. As the attackers entered the captured credentials into the real Twitter VPN, the employees received one-time passwords; once the victims typed those passwords into the fake VPN page as well, the attackers had everything they needed and were in.
However, before saying goodbye to SMS for good, keep in mind that using any verification method is much better than relying solely on the security of a password. Therefore, given the disappearance of this free option, and with the aim of avoiding greater risks of hacking, ESET explains how to improve the security of your Twitter account through the two main types of 2FA that the platform still supports.
Even for the 0.2% of Twitter users who pay to subscribe to the platform, many of these tips can be useful.
First, use dedicated device authentication apps like Microsoft Authenticator or Google Authenticator, which provide very strong security and offer more flexibility than hardware verification. Authenticator apps generate a one-time code that is used to confirm identity when signing in to websites and platforms.
The advantage is that instead of receiving a code via text message, the code appears in the app and is linked directly to the device, rather than a phone number. This significantly complicates the job of cybercriminals trying to read or steal the code. (However, there is also malware that can get hold of this type of authentication system).
On the other hand, to further increase protection, it is possible to purchase a physical security key that connects via USB, NFC, or Bluetooth. Physical keys offer a high level of protection, especially since the codes cannot be intercepted or redirected. Thus, to break into an account, criminals would have to steal both the key and the access credentials.
One disadvantage of this method is that you have to carry the key with you every time you want to log in and, furthermore, the ones currently available on the market are not compatible with all devices and platforms. The most advanced versions, such as those that incorporate fingerprint recognition, can cost more than 100 euros.
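The claim that a physical key’s codes “cannot be intercepted or redirected” comes down to origin binding: the key never produces a typeable code, and the browser (not the user) tells the key which site it is talking to, so a response generated for a look-alike site is worthless at the real one. That is exactly what defeats the relay used against Twitter staff in 2020. The following is an added, simplified model written for this article, not a FIDO library and not ESET’s or Twitter’s code: a real FIDO2/WebAuthn key holds a separate key pair per origin and signs the challenge and origin with its private key, whereas this model uses a per-origin secret and an HMAC in place of the signature (an assumption for brevity). The origins, user name and function names are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder origins for the demonstration; neither is a real site.
REAL_ORIGIN = "https://vpn.example-corp.invalid"
LOOKALIKE_ORIGIN = "https://vpn.example-corp-login.invalid"


class SecurityKey:
    """Simplified model of a hardware security key (HMAC stands in for a signature)."""

    def __init__(self):
        self._credentials = {}  # origin -> device-held secret, never exported

    def register(self, origin: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[origin] = secret
        # A real key returns a public key here; this model hands the service a
        # verification secret instead (assumption of the simplified model).
        return secret

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # `origin` is supplied by the browser from the page it actually loaded,
        # so a user lured to a look-alike cannot make the key answer for the real site.
        secret = self._credentials.get(origin)
        if secret is None:
            raise LookupError(f"no credential registered for {origin}")
        return hmac.new(secret, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The genuine service: issues a fresh random challenge and checks the
    response against its own origin, never against whatever origin the client claims."""

    def __init__(self, origin: str):
        self.origin = origin
        self._verification = {}  # user -> verification secret from registration
        self._pending = {}       # user -> outstanding challenge, single use

    def enroll(self, user: str, verification_secret: bytes) -> None:
        self._verification[user] = verification_secret

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # a challenge can be answered once
        if challenge is None or user not in self._verification:
            return False
        expected = hmac.new(self._verification[user],
                            self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def genuine_login(key: SecurityKey, rp: RelyingParty, user: str) -> bool:
    challenge = rp.new_challenge(user)
    return rp.verify(user, key.respond(rp.origin, challenge))


def relayed_login_through_lookalike(key: SecurityKey, rp: RelyingParty, user: str) -> bool:
    """Model of the 2020-style relay: the look-alike site fetches a real challenge
    and forwards it to the victim's browser, which presents it to the key under
    the look-alike's origin. The key either has no credential for that origin or
    binds its response to it, so the real service rejects the relayed response."""
    challenge = rp.new_challenge(user)
    try:
        response = key.respond(LOOKALIKE_ORIGIN, challenge)
    except LookupError:
        return False
    return rp.verify(user, response)


def demo() -> tuple:
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", key.register(REAL_ORIGIN))
    ok = genuine_login(key, rp, "alice")
    relay_no_credential = relayed_login_through_lookalike(key, rp, "alice")
    key.register(LOOKALIKE_ORIGIN)  # even a credential created on the look-alike...
    relay_wrong_origin = relayed_login_through_lookalike(key, rp, "alice")  # ...is bound to the wrong origin
    return ok, relay_no_credential, relay_wrong_origin


if __name__ == "__main__":
    print("genuine, relay (no credential), relay (wrong origin):", demo())
```

Contrast this with the SMS and authenticator-app flows described above: a six-digit code is the same string wherever it is typed, so a victim who enters it on a look-alike page hands the attacker something the real site will accept. A key’s response carries the origin inside it, which is why the remaining attack on this method is physical theft of the key together with the credentials, as the article notes.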
“When we stop using double authentication by SMS, we must make sure that we carefully review the security and privacy settings of our accounts. Among other things, it is essential to establish a strong and unique password, in addition to adding a multifactor authentication system through a compatible application such as Google Authenticator”, highlights Josep Albors, director of research and awareness at ESET Spain.
Even if you have decided to pay to subscribe to the platform, “these tips can be very useful when it comes to protecting your account,” he concludes.