Twitter Switches Off SMS Services for Security Reasons

Twitter has announced it is to switch off its SMS-based service in most countries for security reasons, marking the end of an era for the social network.

When it was first launched, the service was specifically built around SMS, with users texting their tweets, hence the 140-character limit. Things soon moved on as smartphones became near-ubiquitous and account holders switched to the more user-friendly app.

However, in an update this week, the firm said: “We want to continue to help keep your account safe. We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries.”

It’s unclear exactly what these vulnerabilities are, although Twitter previously switched off the ability to tweet via text after hackers hijacked the account of co-founder and CEO, Jack Dorsey.

On that occasion they managed to get hold of his phone number via a classic SIM-swap attack and used the feature to send out tweets in his name.

Twitter is not turning off SMS for two-factor authentication, although text-based authentication codes have been abused multiple times in the past by SIM-swap attackers.

“Everyone will still have access to important SMS messages needed to log in to and manage their accounts,” the firm said.

Twitter sought to tackle this problem in November last year when it allowed users to enroll in 2FA without a linked phone number, meaning they can choose any 2FA system that supports the FIDO2 WebAuthn protocol.

In February this year, the social network was forced to act to fix an API bug that was being abused by state actors to unmask individual users around the world.

The decision to abandon SMS-based tweets has been met with some resistance, as users took to the site to complain that the service is useful in situations such as power outages when internet connectivity goes down.
