“We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication,” the company said.
The social blogging platform did not provide a timeline for when the feature would be reinstated, but added that it will first reactivate it in markets that “depend on SMS for reliable communication.”
Last week, Twitter acknowledged that the phone number associated with Dorsey’s account was compromised through what it called a carrier “security oversight,” which allowed an unauthorized third party to post tweets via text messages sent from that number.
Although not confirmed, it is suspected that Dorsey’s number fell victim to a SIM swapping attack, a social engineering technique in which cybercriminals persuade a phone carrier to transfer the victim’s cell service to a SIM card under the attacker’s control.
This basically allows the attacker to intercept calls and text messages, including those used for two-factor authentication.
We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this).
— Twitter Support (@TwitterSupport) September 4, 2019
Twitter and SMS were meant to be together
Tweeting via SMS has been a core feature of Twitter since its inception. Even the 140-character limit for tweets (since expanded to 280) was originally established to reflect the length of SMS messages.
But the company’s decision to disable the option underscores the seriousness of the problem, not least because such SIM swapping attacks undermine the use of phone numbers as IDs.
For now, pay close attention to your Twitter third-party app permissions and ensure you’ve granted access to only those apps you trust.
As for protecting yourself from SIM swapping, your options are limited. One course of action is to switch to authenticator apps such as Google Authenticator, rather than your phone number, for two-factor authentication: the one-time codes are derived from a secret stored on the device, so a carrier moving your number to another SIM does not hand them to an attacker. But this is possible only on services that allow it, and it helps only if SMS is also removed as a fallback method, since an account that still accepts a text-message code remains exposed to the swap.
There are some other steps you can take, like linking your Google Voice phone numbers to your online accounts. But Google Voice is US only, so you’re again out of luck if you live elsewhere.
Dorsey has consistently pledged to make the platform healthier and “publicly accountable towards progress.” Now it’s fair to wonder if having his own account hacked brings about a more serious change.