Why is Twitter turning millions of accounts into defenseless targets?

Twitter is removing an essential security feature, putting millions of accounts at risk.
Written by David Gewirtz, Senior Contributing Editor

Okay, lemme see if I've got this right.

Effective March 19, Twitter has decided to open up millions of user accounts to hacking and theft, just to pick up a little spare coin. Really?

And, apparently, Twitter (or He Who Shall Go Unnamed) somehow thinks that users value their SMS two-factor authentication method so much that opening their accounts up to attack will motivate them to pay $8/month in protection fees.


We gotta unpack this. It's just too bonkers to leave as a simple news article. It's more like watching a live action version of the movie Idiocracy unfolding in real-time.

I discovered this on Friday, when I popped over to Twitter in my browser. I was greeted by this message:


I have been on Twitter since 2009 and set up two-factor authentication way back in the day using SMS messaging, which, as I recall, was all that was available at the time. I'm not a fan of SMS 2FA for a lot of reasons.

One of those reasons is that it's impossible to keep track of all the services I've used over the years that still expect my phone to answer texts. What if I want to change my phone number? With Authy or Google Authenticator, you can see a list of everything you have 2FA accounts on.

So I don't mind moving off of SMS for Twitter 2FA and moving to Authy. That took me all of about five minutes.

But that's not where the idiocracy is playing out. Let's start with this blog post signed merely by Twitter Inc (no one person, apparently, wants to take credit for this scheme). There are a few points of interest in the 287 word blog post.

Starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.

Twitter will still allow folks who don't subscribe to the $8/mo Twitter Blue program to authenticate using an authenticator app or a security key. With how problematic SMS authentication can be, it's not clear why it would be sold as a perk for signing up to Twitter Blue rather than using better alternatives, but so be it.

Here's where it gets bizarre:

Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another. After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled.

If I'm reading "accounts with text message 2FA still enabled will have it disabled" correctly, Twitter will leave those accounts active, but remove the second-factor authentication protection from them -- leaving those accounts open for mega-p0wn1ng by bad actors.

Essentially, majillions of Twitter accounts will soon be susceptible to brute force password attacks. Twitter is turning these accounts into defenseless targets.

It seems to me the most vulnerable of these soon-to-be-defenseless accounts are those whose owners rarely log in. After all, those of us who check Twitter daily will simply switch our 2FA from SMS to an authentication app or key, as I did when I got the notice shown above.

But owners of inactive accounts, or those who rarely log in, already appear to be in a potential gray area. Just last December, the Chief Twit tweeted that Twitter is planning to clear out old accounts to free up user names for new users.


I've reached out to Twitter asking for clarification of when those old accounts will be purged and to confirm 2FA will be disabled on active accounts, but haven't yet heard back. There is probably a fairly large crossover between accounts to be purged and soon-to-be-vulnerable SMS-less Twitter accounts that will no longer have 2FA.

But even so, I can't help but think it's incredibly wrong-headed to make accounts vulnerable on purpose.

There is some math here, but it doesn't add up. This odd Tweet pair indicates that Twitter loses a whopping $60 million per year on SMS scamming.


If true, that's a lot of money. But how much will it cost Twitter to deal with the fallout from all the vulnerable accounts that will be hacked due to this new policy? How much tech support time? How much additional reputation damage? How many more peeved users? How many defections from the service? How many lawsuits from companies whose Twitter accounts were hacked and used maliciously?

There's no doubt Twitter is between a rock and a hard place due to many of its practices over the years. And there's no doubt that trying to make Twitter profitable is a fair goal.

But this isn't the way to do it. Turning previously protected accounts into targets of opportunity for every hacker, cybercriminal, and nation state that wants to get more of a foothold in the Twitterverse is just not the way to go.

Twitter Blue is, perhaps, an appropriate name. Actions that Twitter is taking to try to create value for that service are certainly going to give its users the blues.

I have to shake my head about this. It's just so irresponsible. Go ahead. Comment below. Tweet about it. Do it now, because who knows what barmy bodge will come next to broker more Twitter blue subscriptions?
