Twitter’s Verified Badge Plan Raises New Security Concerns

Experts are warning that Twitter’s decision to open up its verified badge scheme to all-comers could create additional security risks for users.

Twitter announced the move earlier this week, claiming it would create an online application process for users and organizations who want to be branded with the badge – indicating they’ve received verified status as a tweeter of “public interest.”

"We want to make it even easier for people to find creators and influencers on Twitter so it makes sense for us to let people apply for verification," said Twitter VP of user services, Tina Bhatnagar, in a statement.

"We hope opening up this application process results in more people finding great, high-quality accounts to follow, and for these creators and influencers to connect with a broader audience."

Of the 300m+ users globally, only 187,000 are currently verified account holders, according to Twitter.

However, some commentators have expressed concern over black hats masquerading as verified account holders to exploit the feature for their own ends.

“We already know there is a growing trend of malware and ransomware attacks on social media with bad actors impersonating brands to bait users into clicking malicious links. Bad actors can exploit user trust by intercepting communication with rogue social media profiles and expose them to malware, ransomware or credential harvesting sites,” argued RiskIQ EMEA VP, Ben Harknett.

“We’ve been conditioned to spot the tell-tale signs of a scam when it comes to email, and we know better than to click on links from unknown sources. However, our interactions through social media take place ‘in the moment’ and as a result, users are even more susceptible to the same kinds of scams that happen on other channels.”

Meanwhile, Yoti CMO, Chris Field, argued the storage of details used to verify account holders’ identities could be an issue.

“It would be good to know more about how the application process for verification will scale as those applying for a 'Blue Verification Badge' are asked to submit quite a lot of information just to prove who they are,” he claimed. “Focusing in on the request for users to ‘scan and upload a copy of their government-issued ID’, I would want to know how that data is verified, processed and stored.”

Twitter could make things more secure by taking a leaf out of the banking industry’s book and using biometric authentication via smartphone for verification, he concluded.

Twitter’s track record on security isn’t the best in the world. In June a hacker put up for sale over 30 million Twitter account credentials, although on that occasion it’s thought the company itself wasn’t breached.

What’s Hot on Infosecurity Magazine?