April 13, 2024

Twitter has announced an intriguing change to its 2FA (two-factor authentication) system.

The change will take effect in about a month's time, and can be summarised very simply in the following brief piece of doggerel:


    Using texts is insecure
        for doing 2FA,
    So if you want to stick with it
       you're going to have to pay.

We said "about a month's time" above because Twitter's announcement is somewhat ambiguous in its dates-and-days calculations.

The product announcement bulletin, dated 2023-02-15, says that users with text-message (SMS) based 2FA "have 30 days to disable this method and enroll in another".

If you include the day of the announcement in that 30-day period, this implies that SMS-based 2FA will be discontinued on Thursday 2023-03-16.

If you assume that the 30-day window starts at the beginning of the next full day, you'd expect SMS 2FA to stop on Friday 2023-03-17.

However, the bulletin also says that "after 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method. At that time, accounts with text message 2FA still enabled will have it disabled."

If that's strictly correct, then SMS-based 2FA ends at the start of Tuesday 21 March 2023 (in an undisclosed timezone), though our advice is to assume the shortest possible interpretation so that you don't get caught out.

SMS considered insecure

Simply put, Twitter has decided, as Reddit did a few years ago, that one-time security codes sent via SMS are no longer safe enough, because "unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors."

The primary objection to SMS-based 2FA codes is that determined cybercriminals have learned how to trick, cajole or simply bribe staff at mobile phone companies into giving them replacement SIM cards programmed with someone else's phone number.

Legitimately replacing a lost, broken or stolen SIM card is obviously a desirable feature of the mobile phone network, otherwise you'd have to get a new phone number every time you changed SIM.

But the apparent ease with which some crooks have learned the social engineering skills needed to "take over" other people's numbers, usually with the very specific aim of getting at their 2FA login codes, has led to bad publicity for text messages as a source of 2FA secrets.

This type of criminality is known in the jargon as SIM-swapping, but it's not strictly any kind of swap, given that a phone number can only be programmed into one SIM card at a time.

So, when the mobile phone company "swaps" a SIM, it's actually an outright replacement, because the old SIM goes dead and won't work any more.

Of course, if you're replacing your own SIM because your phone got stolen, that's a great security feature, because it restores your number to you, and ensures that the thief can't make calls on your dime, or listen in to your messages and calls.

But when the tables are turned, and the crooks are taking over your SIM card illegally, this "feature" becomes a double liability, because the criminals start receiving your messages, including your login codes, and you can't use your own phone to report the problem!

Is this really about security?

Is this change really about security, or is it simply Twitter aiming to simplify its IT operations and save money by cutting down on the number of text messages it needs to send?

We suspect that if the company really were serious about retiring SMS-based login authentication, it would compel all its users to switch to what it considers safer forms of 2FA.

Ironically, however, users who pay for the Twitter Blue service, a group that seems to include high-profile or popular users whose accounts we suspect are much more attractive targets for cybercriminals…

…will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

SIM-swapping attacks are difficult for criminals to pull off in bulk, because a SIM swap typically involves sending a "mule" (a cybergang member or "affiliate" who's willing or desperate enough to risk showing up in person to commit a cybercrime) into a mobile phone shop, perhaps with fake ID, to try to get hold of one specific number.

In other words, SIM-swapping attacks typically seem to be premeditated, planned and targeted, based on an account for which the criminals already know the username and password, and where they think that the value of the account they're going to take over is worth the time, effort and risk of getting caught in the act.

So, if you do decide to go for Twitter Blue, we suggest that you don't carry on using SMS-based 2FA, even though you'll be allowed to, because you'll simply be joining a smaller pool of tastier targets for SIM-swapping cybergangs to attack.

Another important aspect of Twitter's announcement is that although the company is no longer willing to send you 2FA codes via SMS for free, and cites security concerns as a reason, it won't be deleting your phone number once it stops texting you.

Even though Twitter will no longer need your number, and even though you may originally have provided it on the understanding that it would be used specifically for the purpose of improving login security, you'll need to remember to go in and delete it yourself.

What to do?

  • If you already are, or plan to become, a Twitter Blue member, consider switching away from SMS-based 2FA anyway. As mentioned above, SIM-swapping attacks are generally targeted, because they're hard to carry out in bulk. So, if SMS-based login codes aren't safe enough for the rest of Twitter, they'll be even less safe for you once you're part of a smaller, more select group of users.
  • If you are a non-Blue Twitter user with SMS 2FA turned on, consider switching to app-based 2FA instead. Please don't simply let your 2FA lapse and go back to plain old password authentication if you're one of the security-conscious minority who has already decided to accept the modest inconvenience of 2FA into your digital life. Stay out in front as a cybersecurity trend-setter!
  • If you gave Twitter your phone number specifically for 2FA messages, don't forget to go and remove it. Twitter won't be deleting any stored phone numbers automatically.
  • If you're already using app-based authentication, remember that your 2FA codes are no safer than SMS messages against phishing. App-based 2FA codes are generally protected by your phone's lock code (because the code sequence is derived from a secret "seed" stored securely on your phone, combined with the current time), and can't be calculated on someone else's phone, even if they put your SIM into their device. But if you accidentally reveal your latest login code by typing it into a fake website along with your password, you've given the crooks all they need anyway, whether that code came from an app or via a text message.
  • If your phone loses mobile service unexpectedly, check promptly in case you've been SIM-swapped. Even if you aren't using your phone for 2FA codes, a crook who has taken control of your number can nevertheless send and receive messages in your name, and can make and answer calls while pretending to be you. Be prepared to show up at a mobile phone store in person, and take your ID and account receipts with you if you can.
  • If you haven't set a PIN code on your phone's SIM, consider doing so now. A thief who steals your phone probably won't be able to unlock it, assuming you've set a decent lock code, so don't make it easy for them simply to eject your SIM and insert it into another device to take over your calls and messages. You'll only need to enter the SIM PIN when you reboot your phone or power it up after turning it off, so the effort involved is minimal.

By the way, if you're comfortable with SMS-based 2FA, and are worried that app-based 2FA is sufficiently "different" that it will be hard to get used to, remember that app-based 2FA codes generally require a phone too, so your login workflow doesn't change much at all.

Instead of unlocking your phone, waiting for a code to arrive in a text message, and then typing that code into your browser…

…you unlock your phone, open your authenticator app, read off the code from there, and type that into your browser instead. (The numbers typically change every 30 seconds so they can't be re-used.)


PS. The free Sophos Intercept X for Mobile security app (available for iOS and Android) includes an authenticator component that works with almost all online services that support app-based 2FA. (The system generally used is called TOTP, short for time-based one-time password.)

[Image: Sophos Authenticator with one account added. (Add as many as you like.)
The countdown timer shows you how long the current code is still valid for.]