What is the Future of Account Verification?

So much of social media security comes down to making sure people are who they say they are. In that context, some policies make that road easier than others. Given their prominence as online real estate titans, it’s worth considering top social media platforms and their evolving account verification processes. Can they be trusted to serve their security-oriented purpose, or has the backbone of the ‘blue check’ been impersonated by something else?

Yesterday’s Account Verification

So long as social media platforms have given individuals a voice, there have been those wanting to steal those voices for their own purposes. Trust is hard to come by, and those with the trust of the masses have a wide amount of influence. Criminal hackers seek to take advantage of that hard-fought integrity by taking over an account of a celebrity (LeBron James, Bill Gates, Elon Musk, Jeff Bezos) and milking it for all its worth. Bitcoin anyone? 

In yesteryear, a blue check mark really “meant something”. While the process of receiving the label was itself a topic of controversy (especially for Twitter), it at least signified that real people at Twitter had talked to a real person and verified that the account was actually theirs. It may have been archaic, but it was reliable. Spammers had to ply their trade on less influential accounts and earn our business. 

Today’s Account Verification

Now, Twitter, Facebook, and Instagram all have pay-to-play verification methods. Here is the breakdown.

How to get the blue checkmark on Twitter: 

• Subscribe to Twitter Blue ($8-$11/month)
• Name and profile photo
• Active in the past 30 days
• Account older than 30 days, with a verified phone number
• Non-Deceptive (no history of spam)

How to get ‘Meta Verified’ on Facebook and Instagram (also a blue checkmark):

• Select the profile you want to be verified
• Subscribe to Meta Verified ($14.99/month)
• Submit a photo ID and, where possible, a ‘selfie video’

While there are basic tie-ins to security, the main requirement is that the applicant pays for their verification. But what does this mean?

Define “Verified”

The problem lies in the use of the word “verified”. 

"You keep using that word. I do not think it means what you think it means."  - Inigo Montoya, The Princess Bride.

In the case of Twitter, it simply means the user is good for $11 a month and has had the account for over 30 days. That’s great, but it does nothing to ensure that the ‘verified’ party isn’t a hacker with a nominal amount of patience. The photo ID requirement for Facebook is a step better but doesn’t preclude fake IDs (or AI-developed spoofs) that criminal scammers are likely not above using. 

The current model muddies the waters and defines “verified” as “paid”. We want to know that “verified” means “real”. Or submit a formal addendum to the newest edition of the Webster’s International Dictionary. The blue checkmark was once a way to rest assured that the account you were following represented the thoughts, words, and intentions of the person connected to it. Now, the response speaks for itself: Following the new Twitter checkmark requirements, countless “verified” spoofs of Elon Musk cropped up, none of which represented his genuine intent. Unless he really did want to give away 5,000 BTC to 1,000 new followers. 

While great for platforms' bottom line, the new approach makes the “verified” label virtually useless as a measurement of security, which was arguably its first (and only) purpose. 

Tomorrow’s Account Verification

If verifying the authenticity of a user account is what a platform aims to do, plenty of potential technological solutions exist. 

The user can be required to submit evidence of notoriety (or even identity) outside of the platform, like when applicants had to include evidence of influence in a business, YouTube channel, external platform, or government office. Even celebrity status would do. 

Layers of multi-factor authentication could tie the user more tightly to the account. This could be an additional email confirmation, push notification, or a 6-digit code. While this creates a hint of login friction, it would drastically reduce the number of spoofed and bot accounts that get in on a song and a prayer. 

Behind the scenes, a regulatory arm could further ensure authenticity by cracking down on spoofed accounts or imposing penalties higher than kicking them out of the pool. Scammers banned are just scammers who will get more creative on another day. Tying the account to more permanent identifiers – IPs, biometrics, even security questions – would help to eliminate repeat offenders. 

The Importance of Social Media Security

It’s “every organization for themselves” in this evolving online environment. Lax provisions give the sense that one doesn’t know who to trust, so companies find their own way to navigate the social media threat climate. 

Social media security is a vital part of any organization’s 2023 security roadmap, and if it isn’t, it should be. The FTC reported that 31% of people aged 18-59 who reported losing money on a scam said it started on a social media platform. Factor in that over 83% of companies allow BYOD for at least some employees, and the stakes rise much higher.

What ZeroFox can do

It’s a dangerous world out there. Some of the few safeguards of online trust can be confused for beacons of paid subscriber status, and organizations are left to manage increasing risk with fewer warnings. When navigating these and other perilous social media waters, having a guide is important. 

ZeroFox provides an integrated social media security approach that caters to the individual and catches criminals in the crosshairs. We know it’s a tricky world out there. We understand that in-house SOCs can’t do as much as they want to, especially when social media attacks originate outside the digital enterprise. So much effort is spent securing what’s within. We understand the Dark Web, the currents of hidden threat intelligence, and how to protect your brand and bottom line. 

Our experts understand not only how to track down malicious behavior but how to take down malicious accounts and negotiate on behalf of our clients. With a comprehensive external cybersecurity platform that’s the first of its kind, we put social media threats on your radar – and just as quickly, take them off.