Experts brand Twitter security settings change a ‘desperate drive’ to save money
Cybersecurity experts have branded changes to Twitter's security settings around two-factor authentication as a "desperate drive" to save money, after some users were told they could risk losing their accounts.
Over the weekend, users began receiving a message telling them that text message-based two-factor authentication (2FA) was being moved into the Twitter Blue subscription.
The message warns that anyone who does not want to join the pay monthly subscription must stop using the security feature by March 19 or lose access to their account.
Two-factor authentication is a security feature that makes online accounts harder to take over: after entering a username and password, the user must also confirm their identity through a second log-in method.
Computer security writer and podcaster Graham Cluley said Twitter's decision could mean “many users will be left worse protected than before.”
Mr Cluley said that although it was true that other forms of 2FA were more secure than text messages, the social media giant's approach to the change was questionable.
“Yes, authentication apps and hardware keys are a more secure way to harden your account than SMS-based 2FA… but this is being done by Twitter in a desperate drive to save itself money, NOT to improve the security of its users,” he tweeted.
Currently, Twitter users can opt to receive an automatically generated text message containing a code – which is sent to the phone number linked to their account – and use this code to complete their login.
But users have now been sent a message telling them “you must remove text message two-factor authentication”, and have instead been encouraged to choose a different method, such as a physical security key that plugs into a user’s device, or an authentication app.
Twitter owner Elon Musk has defended the decision by claiming that the platform was “getting scammed by phone companies” for millions of dollars each year through “fake” 2FA text messages.
However, commentators have warned that Twitter’s approach could create confusion among users who are not cybersecurity experts and are not aware of the different forms of 2FA.
Javvad Malik, lead security awareness advocate at cybersecurity firm KnowBe4, said the announcement had given out “mixed messages”.
“On one hand it is a positive move to restrict SMS as a second authentication mechanism because of its weaknesses and the ability of criminals to social engineer users,” he said.
“On the other hand, by making it available to paying Twitter Blue subscribers, it gives the impression that it is a premium security feature, which it is not.
“From a technical perspective, the use of alternative 2FA methods, such as using an authenticator app is more secure than 2FA.
“But we have an educational issue whereby most people are still not overly familiar with how these options work, or how to enable them.
“Therefore, what we see here is not necessarily a technical security issue – but rather one of usability and education, one where it’s important to architect security controls in a manner that makes the user experience a frictionless one, while at the same time enhancing the security,” he added.
In a blog post on the issue, Twitter said: “While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.”
Meta Verified launched
Meanwhile, Meta is testing a new subscription service that would let Facebook and Instagram users pay for a verified account.
Meta CEO Mark Zuckerberg announced Meta Verified on his social media accounts on Sunday, with testing due to begin in New Zealand and Australia this week with other countries to follow.
For $11.99 (£9.97) per month on the web or $14.99 (£12.47) per month on Apple and Android operating systems, Meta will use a government identification to verify a user’s account and give the account a blue badge.
Previously, Meta’s blue badges were free and reserved for notable public figures or businesses.
Subscribers will also get extra protection against account impersonation and direct access to customer support, Meta said.
Public figures and others who were previously verified won't be affected by the change.
The company said Meta Verified is aimed at influencers and others who use social media for their business but aren't notable public figures.