Inspired by the growth of social media subscription models, notably ‘Twitter Blue’, and how they impact user security, Scott McKinnon, Field CISO at VMware, explores the critical value of security education for the consumer. With Twitter locking SMS-based two-factor authentication behind Twitter Blue’s paywall, the ordinary user without the means or inclination to pay for subscription perks must now become their own security expert.
More than 4.74 billion people worldwide are social media users, according to recent data from Hootsuite. As a source of news and entertainment, its enormous benefits are accessible and essential to our everyday lives, which can overshadow its pitfalls.
As we’ve become more reliant on the internet, people put their trust in digital services, whether misplaced or not, particularly social media. However, consumers who rely solely on social platform providers to protect them against cyber criminals are, perhaps, playing with fate. User experience is changing as social media platforms restructure their business models to grow subscription plans. The full impact of these new revenue drivers is yet to be seen, but the security implications are undeniable.
Citing abuse of text-message (SMS) two-factor authentication (2FA) by bad actors, Twitter now limits its SMS-based 2FA to ‘Twitter Blue’ subscribers only. It is reassuring that platforms are in tune with the attack landscape, but the change removes the most familiar form of 2FA from those who lack the means, or the inclination, to pay for it. Non-subscribers can still protect their accounts with an authenticator app or a hardware security key, both of which are harder to intercept than a text message, but they have to find and enable those options themselves. Withdrawing SMS-based 2FA from non-subscribers highlights one key change for the masses: we must all become our own security experts.
Peeling back the layers of authentication
Twitter’s decision has come under fire for its security implications. SMS-based 2FA is often hailed as an effective barrier against account takeover, because a login must be confirmed through a channel almost everyone already has: a text message to their phone. Critics argue that while withholding SMS-based 2FA from non-subscribers will benefit the business by generating consistent revenue, the majority of social media users lose the second factor they were most likely to have switched on. It is worth being clear about what was lost: a text message is not encrypted end to end and can be redirected by a SIM swap, which is one reason SMS is the weakest of the 2FA options and the one attackers chose to abuse. A weak second factor still beats none, and the right response to losing it is to replace it with an app or a security key rather than to go without.
For users who have not opted to pay for the premium perks, a more secure online experience remains a priority. Social media users must now do it for themselves: paying closer attention to their account activity, taking more responsibility for their own data privacy, and remaining vigilant for suspicious activity by taking additional measures.
Friend or foe?
A common way for hackers to steal identities is by creating convincing fake profiles to gain access to personal networks. Unfortunately for many, their latest friend request may look authentic, but it could be a hacker posing as a connection they may or may not recognise. In fact, Lloyds Bank has warned that impersonation fraud on Instagram is on the rise, having increased by 155% from 2020 to 2021, according to This is Money. The average scam resulted in a loss of £336 per victim. Alternatively, an attacker who has already compromised a friend’s account can pose as that friend and send you bogus links and alerts carrying malware. By clicking through, you may install that malware or hand your credentials to a lookalike login page, and the attacker gains a foothold in your own account.
To avoid falling victim in the first place, users must use caution in their digital interactions. My advice is to trust your instincts first and foremost. If something is suspicious, verify the sender’s identity and the link’s real destination before engaging, such as before clicking on a video link, and avoid accepting connections from unknown accounts.
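Checking “where does this link really go?” is something a browser status bar hints at but a phone messaging app usually hides. As an added example (not code from the article or from any platform), the Python below inspects a link the way a cautious user should: it pulls out the real host, flags a brand name buried in an untrusted domain, userinfo tricks such as `https://www.instagram.com@evil.example/`, punycode (internationalised) hostnames, and link text that names a different site from the one the link opens. The trusted-domain list, the sample links and the two-label “registrable domain” rule are assumptions made for the demonstration.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example: the registrable domains this user
# actually trusts. A real checker would use a fuller, public-suffix-aware list.
TRUSTED_DOMAINS = {"instagram.com", "twitter.com", "facebook.com"}


def registrable_domain(host):
    """Last two labels of a host. Simplification for the example: ignores
    multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text):
    """Treat link text as a URL only if it has a dot and no whitespace."""
    return "." in text and not any(ch.isspace() for ch in text)


def analyse_link(href, display_text=""):
    """Return human-readable warnings about where a link really goes.

    An empty list means nothing suspicious was spotted, not that the link is safe.
    """
    findings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""  # lower-cased, with userinfo and port removed

    if parsed.scheme != "https":
        findings.append("not https: %s" % (parsed.scheme or "no scheme"))

    # In https://www.instagram.com@evil.example/ everything before '@' is a
    # username the browser throws away; the real host is what follows it.
    if parsed.username is not None:
        findings.append("userinfo before host; real host is %r" % host)

    # Internationalised labels can spell a brand with look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            rendered = host.encode("ascii").decode("idna")
        except UnicodeError:
            rendered = host
        findings.append("punycode host %r renders as %r" % (host, rendered))

    # A trusted brand name inside an untrusted registrable domain.
    reg = registrable_domain(host)
    if host and reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                findings.append(
                    "lookalike: host %r contains %r but the registrable domain is %r"
                    % (host, brand, reg)
                )
                break

    # Link text that names one site while the href points somewhere else.
    if display_text and looks_like_url(display_text):
        text = display_text if "://" in display_text else "https://" + display_text
        shown = urlparse(text).hostname
        if shown and registrable_domain(shown) != reg:
            findings.append("link text shows %r but the link goes to %r" % (shown, host))

    return findings


if __name__ == "__main__":
    # Constructed samples, as they might arrive in a direct message.
    samples = [
        ("https://www.instagram.com/reel/123", "instagram.com/reel/123"),
        ("https://instagram.com.verify-login.example/reel/123", "Watch this video!"),
        ("https://www.instagram.com@evil.example/video", ""),
        ("http://xn--80ak6aa92e.com/login", ""),
        ("https://short.example/x9", "twitter.com/status/456"),
    ]
    for href, text in samples:
        print(href, "->", analyse_link(href, text) or ["no warnings"])
```

The point of the checks is that each one targets a trick the eye glosses over: the brand name is present in every malicious sample, but never in the position that matters.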
Designing your fortress
Hackers also know that most people reuse the same password again and again. When one site is breached, attackers replay the leaked username and password against other services, a technique known as credential stuffing, which is how a breach at a minor forum can end in a compromised bank account. Those who use a different password for every site and app, long and with symbols and numbers rather than simply a birthdate, are much less likely to fall victim to data theft than those who copy and paste the same password for the sake of ease.
An alternative to inventing unique passwords yourself is a third-party password manager. These services generate and store a unique, complex password for each account in an encrypted vault. They often come bundled with a device or browser, such as Apple Keychain and Google Password Manager, or are available for download in app stores.
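As an added example (not code from the article, nor from any password manager vendor), the Python below shows both sides of the reuse problem described above: a small audit of a constructed vault that flags passwords used on more than one site, which is what a password manager’s health check does, and a simulated credential-stuffing replay in which a plaintext leak from one site is tried against a second site that stores only salted PBKDF2 hashes. The user names, site names, passwords and the 100,000-round PBKDF2 setting are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"
PBKDF2_ROUNDS = 100_000  # assumption for the example; real sites tune this higher


def generate_password(length=20):
    """What a password manager does: a fresh random password per account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """How a well-run site stores a password: a random salt plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed vaults: alice reuses one memorable password, bob lets a manager
# generate a different one for every site.
VAULTS = {
    "alice": {
        "forum.example": "Summer1984!",
        "bank.example": "Summer1984!",
        "social.example": "Summer1984!",
    },
    "bob": {
        "forum.example": generate_password(),
        "bank.example": generate_password(),
        "social.example": generate_password(),
    },
}


def find_reused(vault):
    """Password-manager style audit: passwords that appear on more than one site."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def build_site_store(site):
    """The site keeps only (salt, hash) per user, never the plaintext."""
    return {user: hash_password(vault[site]) for user, vault in VAULTS.items()}


def credential_stuffing(leaked, store):
    """Attacker replays credentials leaked from one site against another."""
    hits = []
    for user, password in leaked.items():
        if user in store:
            salt, digest = store[user]
            if verify_password(password, salt, digest):
                hits.append(user)
    return hits


def demo():
    """Leak the forum's plaintext passwords and try them at the bank."""
    bank_store = build_site_store("bank.example")
    # Constructed breach: the forum stored plaintext and its database was dumped.
    forum_leak = {user: vault["forum.example"] for user, vault in VAULTS.items()}
    return credential_stuffing(forum_leak, bank_store)


if __name__ == "__main__":
    for user, vault in VAULTS.items():
        print(user, "reused passwords:", find_reused(vault) or "none")
    print("accounts the forum leak unlocks at the bank:", demo())
```

Note that the bank did everything right, salting and stretching every password, and alice’s account still falls, because the attacker never has to crack anything: the forum handed over the password in the clear and alice had made it valid everywhere.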
While these are very simple approaches, they mitigate the risk of doing nothing when SMS-based 2FA is withdrawn, and, along with turning on app-based 2FA wherever a service offers it, they are simply good security hygiene.
Power in your hands
When we think of social media, we think of entertainment, not security. But with personal data the key currency of cybercrime, we cannot afford to take a back seat on our own online security.
Users are, more than ever, responsible for their own first line of defence.