
The big security risks behind Meta, Twitter verified identity subscriptions

Key Points
  • Two of the biggest social media companies in the world, Meta Platforms and Twitter, are moving to paid subscription models for security and identity verification tools.
  • Social media account takeovers by scammers increased 288% year-over-year in 2022.
  • Online scammers are using those social media accounts not only to steal information, but also to try to scam your contacts as well.


Aaron Elekes shows his Facebook at his home studio in Las Vegas, Nevada. Film and TV producer Elekes spent months trying to recover his hacked Facebook account and multiple attempts to set up a new account under his name.
Bridget Bennett | The Washington Post | Getty Images

As Twitter and Meta Platforms move to paid subscriptions for social media identity verification and security, the battle to stay safe online continues.

In 2022, the number of social media account takeover reports spiked 288% over the previous year, according to The Identity Theft Resource Center, a non-profit that helps educate consumers about these matters. 

Meta's new verification subscription, first rolling out overseas, offers users of Instagram and Facebook the ability to submit their government ID and get a blue verification badge for $11.99 a month on the web and $14.99 a month on iOS and Android. For that fee, users also get "proactive monitoring" for account impersonation, the company recently told CNBC.

"This new feature is about increasing authenticity and security across our services," Meta CEO Mark Zuckerberg wrote in a blog post.

The company's new subscription service is similar to Twitter's revamped service called Twitter Blue, which also grants users a verification badge if they pay a monthly or annual fee.

When you interact with a verified account, there's a greater assurance that someone is who they say they are. However, this isn't foolproof. It is possible, although difficult, to dupe the verifying systems within these social platforms. In the case of Twitter, only verified users will be permitted the benefit of SMS-based two-factor authentication.

[Video: Meta unveils "verified" service to authenticate accounts and generate revenue (4:39)]

Account impersonation is fairly simple, according to Zulfikar Ramzan, chief scientist of data protection company Aura, and that makes it the biggest security risk in social media today. "With the right profile photo and a creative misspelling of a username, anyone in the world can be impersonated, including you. That means if my followers receive a message from an imposter representing themselves as me, the imposter may be able to more easily dupe my followers into divulging sensitive information or maybe even transacting money," he said. 

Once scammers gain access to your social media account, they can usurp your personal information, read your private messages, scam your contacts, post publicly as you and take other nefarious actions. 

"Once they are in, the sky's the limit as to what they can do to your account," Ramzan said. "It's not only about protecting you; it's about protecting your friends and family from potential threats, scams and cybercrime."

What cybersecurity experts are saying about Meta, Twitter

For some users, such as public figures with many followers — and also "semi-public" figures well known within a specific community — the case is strongest for paying to have identity verification as a way to protect one's followers and one's brand. And in-depth verification requires human labor, additional monitoring, and additional resources and operational upkeep, meaning increased costs for the technology companies. 

Wall Street seems optimistic about the opportunity to make more money from these social media subscriptions, with Bank of America estimating that Meta may add as many as 12 million paid users by early next year, worth about $1.7 billion in revenue.

Consumer internet advocates, though, are worried about the security implications of these changes.

"This will be a monumental waste of time and money, in my opinion," said James E. Lee, chief operating officer at the Identity Theft Resource Center.

Lee said it remains to be seen how rigorous the verification process will be.

Twitter Blue briefly launched in November, and its first iteration became a major embarrassment for the company, which pulled it after users abused the new paid option by impersonating celebrities and brands.

With social engineering and phishing the primary sources of social media account compromise, it's unlikely verified accounts will actually be more secure. "They'll just be compromised by a criminal who was able to pass the verification," Lee said. But beyond that, "it's just plain wrong to charge people to verify their identity to help keep their personal information secure," he added.

Consumers should not have the mistaken idea that paying for these services makes account security 100% guaranteed, which isn't possible. "When you interact with a verified account, there's a greater assurance that someone is who they say they are. However, this isn't foolproof. It is possible, although difficult, to dupe the verifying systems within these social platforms," Ramzan said.

As the social media world shifts its approach to identity verification and cybersecurity, here are five basic steps all users can take to help secure social media accounts and help prevent takeover fraud.

Practice smart password management principles

Reusing passwords is a perennial problem that causes internet users many headaches, said John Buzzard, lead fraud and security analyst at Javelin Strategy & Research. Once a password is cracked, it's a no-brainer that scammers are going to try to use it to breach other accounts associated with the individual.

Beyond having unique passwords for every site, it's also advisable to use longer phrases and hard-to-guess passwords so they are difficult to crack through brute force. Password managers can even generate passwords containing random strings of characters, making it even harder for a would-be scammer to guess.

Enable two-factor authentication

Even if a scammer gets your password, they generally shouldn't be able to access your account if you have what's known as two-factor, or multi-factor, authentication enabled. It's not hard to set up, and in general, enabling two-factor authentication is perhaps the single best thing you can do to protect an online account, Ramzan said.

Twitter's new approach will make text-based multi-factor authentication only available with a paid subscription, and that raises a new risk of Twitter users' identities being stolen if they don't enable another form of two-factor authentication.

"Anyone who is losing this protection will have an increased risk of their account being compromised," Ramzan said.

However, there is an important caveat. SMS-based authentication is arguably the weakest option, since it can be abused through so-called SIM swapping attacks. "Twitter is only eliminating the SMS-based two-factor authentication capability, and does offer two additional methods for two-factor authentication that are stronger and more reliable than SMS-based authentication," Ramzan said.

Twitter has warned that non-subscriber accounts that use SMS authentication need to switch it off before a deadline of March 20, or two-factor authentication for that account will be disabled.

On most social media services, using Instagram as an example, it is easy to set up this security feature. Go to "Settings," "Security," and tap "Two-Factor Authentication." Select either "Authentication App" or "Text Message."

An authentication app such as Google Authenticator is preferable because text messages can be spoofed, according to The Identity Theft Resource Center.

Don't share one-time security codes

Even if you have two-factor authentication enabled, thieves can still access your account if you share one-time codes with them. 

"Do not share codes ever, no matter how legitimate the reason sounds," said Eva Velasquez, president and chief executive of The Identity Theft Resource Center. 

These scams can work in a number of ways. Often, a scammer, who has gained access to a social media user's username and password, will pretend to be a friend claiming an inability to access his or her account. The scammer asks permission to have a code sent to the friend's phone. The person complies, thinking she is helping out a friend. In reality, she's just given the scammer the ability to access her account, typically locking herself out in the process.

A good rule of thumb, Buzzard said: If you didn't initiate a phone call or email or text, don't give any information to the requestor.

"Threat actors are really good at coming up with ruses that convince people to act fast" and that can have all sorts of consequences, Ramzan said.

Give social media platforms as little info as possible

Social media account compromise may be relatively new, but Ramzan gave one real example of how it's updating some of the oldest scams, such as preying on elders. A thief contacted an account holder's grandmother for money, and because the grandson's social media identity had been stolen, the criminal knew that he routinely addressed his grandmother as "Nanna," which made the request sound especially realistic. The grandmother, believing her grandson had actually been in an accident and needed money immediately, willingly obliged and wired the thief a few thousand dollars.

When signing on for a social media account, try to give away as little personal information as possible, Buzzard said. "If it isn't mandatory, don't fill it in. Especially things like your phone number and your email. You don't want people to find your number, spoof it and try to be you," he said. If you've already given these details, you can generally remove them from your account after the fact.

Aura recommends social media users disable third-party apps that are connected to their social media accounts. This way, if hackers do get into a person's account, they won't have immediate access to other personal accounts and apps. Facebook users, for instance, can disable third-party apps by clicking on "Settings & Privacy," "Settings" and "Apps and Websites."

Social media users should not trust services claiming to help with account recovery. "If you've publicly posted about your Instagram account being hacked, bots can use that against you," Aura wrote in a blog post. "They'll reach out about a recovery service that will help you 'reclaim' your account. Don't fall for it."

Deleting your personal online data to the extent possible is another trick that makes it harder for scammers to use the information for social engineering purposes, Ramzan said. This can be done through a professional service, or on your own, though it's an ongoing process since data that's deleted tends to reappear. 

Recognize the warning signs of a stolen account

If something seems suspicious, alert the social media provider immediately.

Facebook tells users: "Your account may have been hacked if you notice your email or password has changed, your name or birthday has changed, friend requests have been sent to people you don't know, messages have been sent that you didn't write or posts have been made that you didn't create."

If any of these apply, Facebook asks that you contact the platform. Likewise, if you suspect your Instagram account has been hacked, visit Instagram's support website.

Also be sure to alert your circle of friends, other than through the platform that's been compromised, so they are on the lookout for odd messages or requests for money, Buzzard said. "The next thing you know, [scammers] are going to impersonate you and try to victimize your circle."

—Additional reporting from CNBC's Carolyn Chun

[Video: How phone scammers tricked Americans out of tens of billions of dollars each year (10:57)]