Twitter's change to two-factor authentication (2FA) comes as a surprise: because text messages are supposedly too insecure for 2FA, you will in future have to pay to keep using this method on the social network. It is not entirely clear when exactly the affected users (only those who do not use the paid Twitter Blue service) should expect the change. In its announcement on February 15th, Twitter itself gave users of SMS-based 2FA "30 days to deactivate this method and register for a new one". One thing is certain: after March 20th, SMS-based 2FA will be deactivated on accounts that still have it enabled.

Why is SMS considered insecure for two-factor authentication (2FA)?

Twitter has decided that one-time security codes sent via SMS are no longer secure, because experience shows they have already been misused. The main objection to SMS-based 2FA is that cybercriminals simply trick, persuade or bribe employees of mobile phone companies into issuing them replacement SIM cards programmed with someone else's phone number. Legitimately replacing a lost, broken or stolen SIM card is of course a desirable service from the mobile network; otherwise you would have to change your telephone number with every new SIM.

But after fraudsters used clever social engineering to "take over" citizens' phone numbers, usually in order to get at their 2FA codes, the standing of text messages as a secure 2FA channel plummeted. This criminal form of "SIM swapping" is actually not a swap at all, because a given phone number can only be programmed onto one SIM card at a time. So when a mobile phone company replaces a SIM card, nothing is exchanged: the old SIM card is simply dead and no longer works.

For a user who replaces their own SIM card because their cell phone has been stolen, this is a very useful security feature: they get their own number back, and the thief can no longer make calls, or listen in on messages and calls, at their expense. But if a replacement SIM card ends up illegally in the hands of fraudsters, this same function becomes doubly dangerous. The criminals then receive the messages intended for the user, including login codes, and the user cannot even use their own phone to report the problem.

Is this ban really about safety?

Is Twitter really concerned with security, or just streamlining its IT by reducing the number of text messages it sends? It is surprising that not all users are being moved away from SMS-based 2FA to a more secure method, only those who do not use the paid Twitter Blue service. Blue subscribers are still allowed to use the SMS method.

SIM swapping takes a lot of effort for cybercriminals and is therefore not a mass-market attack. After all, they have to give up their anonymity and physically try to obtain a specific number in a cell phone store. This type of fraud is planned and targeted at a very specific account for which the criminals already have the username and password, and where they believe the value of the account outweighs the risk of being caught. We therefore advise that if you choose the Twitter Blue service, you should no longer use SMS-based 2FA, even if you are still allowed to.

This is what Twitter users should do now:

  • Anyone who is a Twitter Blue member or wants to become one should say goodbye to SMS-based 2FA. If this method is a security concern for the large number of non-Blue users, then it is of course also a security concern for the smaller group of Blue members.
  • If you are a non-Blue user with SMS 2FA activated, you should switch to app-based 2FA. Definitely do not drop 2FA and revert to password-only authentication. Having already cleared the uncomfortable initial hurdle of setting up 2FA, you should now stay ahead on the security front.
  • Anyone who has given Twitter their phone number for 2FA purposes should now delete it, as the company does not do this automatically.
  • Users of app-based authentication should be aware that their 2FA codes are no more secure against phishing than an SMS code. However, app-based 2FA codes are generally protected by the phone's lock code and cannot be calculated on someone else's phone, even if the user's SIM card is inserted into that phone.
  • Users should be alert if their phone unexpectedly loses cellular service, and should then check whether their SIM card has been replaced. Even if the user does not use the phone for 2FA codes, a fraudster who controls the victim's phone number can still send and receive messages on their behalf, as well as make or receive calls, all while pretending to be the victim. If a takeover is suspected, the user should contact their mobile phone provider or, ideally, appear in person at a mobile phone store, bringing ID and account documents.
  • If you have not yet set up a PIN code on your SIM card, you should do so now. A thief who steals the phone probably will not be able to unlock it, but could remove the SIM card, insert it into another device and take over calls and messages. The SIM PIN only has to be entered when the phone is restarted or switched back on.

A quick addendum on switching to app-based 2FA: the steps involved are not significantly more complex than authentication via SMS. Here too, you have to pick up your cell phone, but you read the code from the app instead of from a text message. So it requires little extra effort, but it is very effective.

Source:

Sophos



Notes:
1) This content reflects the state of affairs at the time of publication. Individual images, screenshots, embeds or video sequences are reproduced in order to discuss the topic.
2) Individual contributions were created with machine assistance and were carefully checked by the Mimikama editorial team before publication.