Sophos security expert Paul Ducklin classifies the risk and gives tips for users:
“The change to two-factor authentication (2FA) comes as a surprise: since text messages are too insecure to carry out 2FA, you will have to pay for this service on the social network in the future. It is not quite clear when exactly users – only those who do not use the paid Twitter Blue service – will have to expect this change. Twitter itself gave users of SMS-based 2FA “30 days to disable this method and sign up for a new one” with its February 15 announcement. One thing is certain: after March 20th, the SMS-based 2FA method will be disabled for accounts on which it is still activated.
Why is SMS considered unsafe for 2FA?
Twitter has decided that one-time security codes sent via SMS are no longer secure, as experience has shown that they have already been misused. The main objection to SMS-based 2FA is that cybercriminals simply trick, persuade, or bribe cell phone company employees into handing them replacement SIM cards programmed with someone else’s phone number. Legal replacement of a lost, broken or stolen SIM card is of course a desirable service of the mobile network; otherwise you would have to change the phone number with every new SIM.
But after scammers with sophisticated social engineering skills “hijacked” citizens’ phone numbers—usually to steal their 2FA codes—the text message’s ranking as a safe 2FA source dropped. This criminal type of “SIM swapping” is actually not an exchange at all, because a SIM card can only be programmed with a single telephone number. So if a mobile phone company exchanges a SIM card, then there is no change here, but the old SIM card is dead and no longer works.
For the user who is replacing their own SIM card because their phone has been stolen, this is a very useful security feature as it allows them to get their own number back and the thief cannot make phone calls or listen to messages and calls at their expense. But: if the SIM card illegally falls into the hands of fraudsters, this function becomes doubly dangerous. Criminals then receive the messages intended for the user, including login codes, and the user cannot use their own phone to report the problem.
Is this ban really about safety?
Is Twitter really about security or just streamlining its IT by reducing the number of text messages sent? It is surprising that not all users are redirected from SMS-based 2FA to a more secure method, only those not using the paid Twitter Blue service. They may continue to use the SMS method.
SIM swapping involves some effort for cybercriminals and is therefore not a commodity. After all, they have to leave their anonymity and physically try to get a specific number at a cell phone store. This type of scam is planned and targeted to a very specific account for which the criminals already have a username and password and believe the value of the account is greater than the risk of being caught. Therefore, our advice: If you decide to use the Twitter Blue service, you should stop using SMS-based 2FA, even if you are entitled to it.
That’s what Twitter users should do now
Anyone who is a Twitter Blue member or wants to become one now should say goodbye to SMS-based 2FA. Because if this method is a security concern for the large number of non-Blue users, then of course it is also for the smaller group of Blue members.
If you are not a Blue user with SMS 2FA enabled, you should switch to app-based 2FA. Definitely don’t phase out 2FA and go back to legacy password authentication. After all, once the user has cleared the uncomfortable hurdle to 2FA, they should now stay ahead on the security front as well.
Anyone who gave Twitter their phone number for 2FA purposes should now delete it, as the company does not do this automatically itself.
Users of app-based authentication should be aware that their 2FA codes are no more secure against phishing than an SMS. However, app-based 2FA codes are generally protected by the phone’s lock code and cannot be calculated on another person’s phone – even if they put the user’s SIM card into the phone.
Users should be alert when the phone unexpectedly loses cellular service. Here they should investigate whether the SIM card has been replaced. Even if users aren’t using the phone for 2FA codes, a scammer who has control of the victim’s phone number can still send and receive messages on their behalf, and make and receive calls – all while pretending to be the victim. If there is a suspicion of a takeover, the user should contact their cell phone provider or, ideally, go to a cell phone shop in person, bringing ID and account receipts.
Anyone who has not yet set up a PIN code on their SIM card should do so now. A thief who steals the phone is unlikely to be able to unlock it. But he could take out the SIM card, put it in another device and take calls and messages. You only have to enter the PIN for the SIM card when restarting or after switching off.
A short addendum to the change to the app-based 2FA: The steps involved are not significantly more complex than authentication via SMS: because here too you have to pick up the cell phone, but read the code from the app instead of as a text message. So no major effort, but with great effectiveness.”