Twitter has "temporarily" suspended users' ability to tweet via SMS, just days after company CEO Jack Dorsey had his account hacked using similar methods. Some users are going to be affected more than others.
Twitter said on Wednesday that it is temporarily suspending the ability to tweet via SMS, or text message, in order "to protect people's accounts."
The decision came less than a week after the Twitter account of the company's chief executive, Jack Dorsey, was hacked, resulting in a 20-minute stream of racial slurs and swear words going out to his 4.2 million followers.
"We're taking this step because of vulnerabilities that need to be addressed by mobile carriers," the company tweeted via its technical support account. It added that it will "reactivate this in markets that depend on SMS for reliable communication soon."
However, the time frame for this reactivation remains unclear.
While most Twitter users across the globe rely on its smartphone app or the web version in order to publish tweets, the old SMS-based tweeting feature has been an integral part of the social media platform since its early days.
The feature is more important than often realized, especially in countries and areas which suffer from poor internet access. In addition, when internet blackouts take place, mobile data can sometimes be the only way for people to communicate with the outside world.
While such outages can be due to cyberattacks or technical disruptions, governments can also purposefully shut internet access down.
Last month, authorities in India-administered Kashmir cut all communication in the disputed region, including internet and landline phone services. Earlier this year, mobile internet was shut down in parts of Myanmar due to a government decree. Several African governments have also ordered some form of internet restriction in recent years.
Tweeting via text: At risk of SIM hacking
Until now, tweeting via text was relatively straightforward: Users needed only to add a mobile number to their Twitter account. Then they could tweet simply by sending a text message containing the desired text to a short or long code. The text would then be posted as a tweet.
Users also had the option of using a service called Cloudhopper. Acquired by Twitter in April 2010, Cloudhopper allowed users to text their tweet to the number 40404 from a mobile phone linked to their account.
Both ways let users post their tweets without having to log in to the Twitter app itself.
Despite the advantages, this method also allows unauthorized persons to compose and send tweets via text message from a stolen phone number. Such theft, also known as SIM hacking, is a relatively easy task for experienced hackers.
SIM swapping is a similar and likewise relatively common phenomenon. It involves tricking a mobile company into transferring a number. The technique exploits the fact that phone numbers are linked to Twitter accounts.
All it took in Dorsey's case was for the hackers, a group that goes by the name Chuckling Squad, to make his provider, AT&T, believe that the device they were holding in their hands was essentially connected to his number.
"Mobile accounts' text messages can be hijacked by sophisticated hardware techniques, but also by so-called 'social engineering' — convincing a mobile provider to migrate your account to another, unauthorized phone," R. David Edelman, a former White House adviser who heads a cybersecurity research center at the Massachusetts Institute of Technology, said, as cited by news agency AFP. "It only takes a few minutes of confusion to make mischief like Dorsey experienced."
Mobile providers or Twitter: Who is to blame?
Twitter has blamed mobile providers' insufficient security measures for Dorsey's compromised account. However, the company has also admitted it needs to do more due to its "reliance on having a linked phone number for two-factor authentication." Twitter has promised to solve the matter, but has not given a time frame or elaborated on how it intends to do so.
While Twitter's communications account tweeted that the "issue is now resolved," it is still unclear whether that referred only to Dorsey's case or to a general correction of loopholes in the Cloudhopper service.
Either way, Twitter may need to figure out a more sustainable solution, one that potentially involves an adequate substitute for the familiar SMS confirmation method that two-step authentication uses. Until then, setting up a SIM PIN code can be a good way to prevent SIM theft.