Twitter Verification: Check(mark) Cybersecurity Challenges


11.9.2022 UPDATE: Twitter product manager Esther Crawford announced that while the traditional verification badge will become a feature of the platform’s premium offering, Twitter Blue, Twitter is introducing a gray “Official” badge with a separate verification process. Crawford noted that “Not all previously verified accounts will get the ‘Official’ label and the label is not available for purchase.” We will continue to evaluate the policies from a cybersecurity risk perspective and will provide updates as details unfold.

If you’ve been following Twitter news since Elon Musk’s takeover, you’ve probably seen it’s been rife with controversy, with the latest Twitterstorms going all in about the evolving policy to get or keep verification badges (often incorrectly referred to as blue check marks – they’re white or possibly transparent, but that’s a fight for another day). If you’re unfamiliar, Twitter’s coveted verification badges help identify legitimate accounts of high profile celebrities, journalists, politicians, personalities, and brands. In short, they build trust. These badges help both high profile accounts authenticate they’re really them, and they help users find the authenticated accounts they seek.

Twitter Announces New Verification Policy

On November 1, Elon Musk announced a major change to the Twitter verification system. Instead of meeting the current criteria, users who want to obtain or keep a verification badge must subscribe to Twitter Blue for $8/month. Although Twitter has not yet released many details about this policy change, the online feedback was swift. This decision is only one of several proposed changes since ownership changed hands. The verdict is still out on how these changes will impact the platform and its users. However, until we know more about the pending implementation and outcomes, this particular verification policy change may have security implications that businesses should be evaluating now.

Paid Verification Policy Could Enable Adversaries 

Commercializing the verification badge sounds good, but it also introduces some challenges. The current verification criteria require accounts to be “authentic, notable, and active.” Brands, businesses, and individuals must prove they are who they claim to be and use the platform in accordance with its rules. If these requirements are scaled back and replaced with a subscription model, it’s unclear how Twitter will maintain the integrity of the authentication badge. 

Following the announcement, several verified celebrity accounts mimicked other high profile accounts to illustrate the potential challenges to brands and individuals should verification policies diverge from authentication. Musk then proposed permanent bans for impersonating accounts that don’t self-identify as parodies, suspending several of the accounts without warning. While these policies are seemingly reactive in nature and designed to balance revenue generation with the platform’s popular features, the mere conversations around these changes have already sparked verification-badge account takeover scams.

When implemented, we could see several issues arise. Businesses and individuals might be unwilling to subscribe to Twitter Blue and could find themselves endlessly competing with spoofers and scammers. Threat actors could seize the opportunity to verify fraudulent social media accounts masquerading as well-known brands, business executives, public officials, journalists – you name it. The reality is that social media has created unparalleled access to brand assets, information, and high profile individuals. There is already a low barrier to entry for cybercriminals seeking to impersonate established brands. Businesses should be able to operate securely on social media platforms, confident that their brand is protected. This new policy could undermine the established purpose of the verification badge, compounding a well-documented impersonation problem that has proliferated across all social media platforms.

Figure 1: Phishing site impersonating (or spoofing) a bank’s customer service website

When Concerns Arise, Exercise Caution

As of this post’s publication, the promoted policy change has not taken effect. We can speculate as to what consequences will follow, but until more information is released about Twitter verifications, businesses would benefit from preparing for an uptick in social media spoofers and scams. 

If your brand, executives, or high profile employees are active on Twitter, verified or not, there are steps you can take to mitigate the risk of social media impersonation scams. Here are some tips to consider while we continue to report on relevant updates as they unfold:

  • Monitor Twitter for lookalike accounts.
  • Monitor corporate social media accounts for cyber threats.
  • Adopt automated technologies to monitor, report, and remove malicious fake accounts and impersonations (#CheapPlug).
  • Pursue account verification where available, as networks typically prioritize abuse reports on verified accounts that have already completed some level of identity authentication.
    • I realize this is currently a loaded recommendation given the uncertainty of Twitter’s verification policy, but regardless of policy changes, external authentication that indicates you are who you say you are is important to build and maintain consumer trust.
  • Account admins should be on high alert for fraudulent phishing emails and account takeover scams trying to capitalize on rumored policy changes. Already, there are reports of account takeover scams leveraging the rumored change to Blue Check pricing and policy.
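One way to act on the lookalike-account monitoring tips above, as an added example that is not ZeroFox’s code or product: a small Python screen that folds common character substitutions (digits for letters, “rn” for “m”, stripped separators) and scores candidate handles against a brand’s official handle by edit distance. The brand handle and the candidate handles below are constructed for illustration.

```python
# Added example (not ZeroFox's tooling): flag Twitter handles that resemble
# a brand's official handle. All handles below are constructed samples.
from dataclasses import dataclass

# Substitutions commonly used in lookalike handles (assumed list, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "9": "g", "_": "", ".": "", "-": ""})

def normalize(handle: str) -> str:
    """Lowercase, drop the @, fold digit/separator substitutions and 'rn' -> 'm'."""
    return handle.lstrip("@").lower().translate(HOMOGLYPHS).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Match:
    candidate: str
    official: str
    reason: str

def find_lookalikes(official_handles, candidates, max_distance=1):
    """Return candidates that collide with or sit within max_distance of an official handle."""
    exact = {h.lstrip("@").lower() for h in official_handles}
    officials = {h: normalize(h) for h in official_handles}
    hits = []
    for cand in candidates:
        if cand.lstrip("@").lower() in exact:
            continue  # the brand's own account, not a lookalike
        norm = normalize(cand)
        for off, off_norm in officials.items():
            if norm == off_norm:
                hits.append(Match(cand, off, "character-substitution match")); break
            if levenshtein(norm, off_norm) <= max_distance:
                hits.append(Match(cand, off, f"edit distance <= {max_distance}")); break
            if off_norm in norm:  # brand name plus a suffix such as "support" or "help"
                hits.append(Match(cand, off, "contains official handle")); break
    return hits

OFFICIAL = ["@ExampleBank"]  # constructed brand handle
CANDIDATES = ["@ExampleBank", "@Examp1eBank", "@ExampleBank_Support",
              "@ExarnpleBank", "@ExampleBnk", "@Weather"]  # constructed samples

if __name__ == "__main__":
    for m in find_lookalikes(OFFICIAL, CANDIDATES):
        print(f"REVIEW {m.candidate:22} ~ {m.official}: {m.reason}")
```

Flagged handles are candidates for a human review and abuse report, not an automatic takedown; a short brand name will produce false positives at distance 1, so tune `max_distance` per handle length.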
