SMS-Based Tweets Are Dead, but SMS-Based Password Verification Is Not...Yet
You might think that tweeting without an internet connection is impossible, and you'd be right. Up until very recently, however, this wasn't the case.
Years ago, Twitter introduced a feature called Twitter via SMS. Through it, users could not only receive notifications related to their Twitter accounts but also post tweets without a smart device or a computer. There were a couple of requirements. The feature was unavailable outside the supported geographical regions, and users who wanted to tweet via SMS needed to have their phone numbers connected to their Twitter accounts. The process itself, however, was extremely simple – the user would send their tweet as a text to a short number that Twitter had set up and that was specific to each country, and the content of the SMS would appear under their account.
Twitter stops supporting tweets via SMS
The people taking advantage of Twitter via SMS should now look for other ways of sharing their thoughts with their followers. On Monday, Twitter's support account announced that it's discontinuing the feature.
We want to continue to help keep your account safe. We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries.
Everyone will still have access to important SMS messages needed to log in to and manage their accounts.
— Twitter Support (@TwitterSupport) April 27, 2020
The service will continue to run in "a few countries," but it looks like most users won't be able to text their tweets anymore. The world's favorite microblogging platform says that the decision was taken because Twitter has "seen vulnerabilities with SMS" and wants to "help keep your account safe," which is a rather vague explanation. When you check out the back story, however, you'll see what's going on exactly.
It all started after hackers took over Jack Dorsey's account
The move shouldn't be too much of a shock to those who have been following Twitter and the mishaps it's been through. In August 2019, a group of hackers calling themselves the Chuckling Squad compromised the account of none other than Mr. Twitter himself, Jack Dorsey. The crooks managed to post a few offensive tweets, and predictably, the incident kicked up a bit of a storm. Critics were ready to blast Dorsey for using or reusing a weak password, but it soon became apparent that the crooks never managed to get to his login credentials. Instead, they performed a SIM swapping attack and used the Twitter via SMS feature to share their nonsense with Dorsey's 4.2 million followers.
Twitter's systems weren't compromised in any way, and you could argue that the social network isn't responsible for the attack. Initially, Twitter temporarily suspended the Twitter via SMS feature, but it insisted that Jack Dorsey's account got hacked because of "a security oversight by the mobile provider." Later, Twitter turned the feature back on, but it looks like the company has finally realized that in this day and age, the feature is not secure enough to be offered to end users.
SMS-based 2FA and password reset mechanisms remain active
Twitter also offers SMS-based two-factor authentication, and users who have forgotten their passwords can reset them after entering a code sent as a text message. These functions will remain despite the discontinuation of Twitter via SMS.
Many people wonder why. We know that 2FA over SMS is not the most secure option, and we've also heard about the numerous vulnerabilities associated with relaying sensitive information via text messages. At first glance, turning these features off looks like a logical decision, but in reality, it isn't.
Users can always look through the options and pick the one that best fits their needs. For some, SMS would be the only viable alternative, and for all its flaws, it will give them additional protection. Denying users this extra security is a bad call.