In December, Elon Musk claimed Twitter lost USD60mn a year because 390 foreign telcos created bot accounts to pump two-factor authentication SMS messages. That was a big story when Commsrisk published it, but it became even bigger on Saturday when droves of Twitter users were told they would no longer be allowed to authenticate by SMS.
A Twitter news account that had read Commsrisk’s article asked the billionaire if fraud was the reason for disabling SMS-based two-factor authentication for all users except those paying for Twitter Blue. The billionaire provided confirmation with a single word: “yup”.
— Elon Musk (@elonmusk) February 18, 2023
A later tweet from Musk reiterated his thinking more explicitly.
Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages
— Elon Musk (@elonmusk) February 18, 2023
During the rush for new clickbait, several tech journalists claimed credit for ‘breaking’ the story of Twitter charging customers for two-factor authentication. This was lousy reporting for two reasons. Firstly, the story was actually broken by Twitter themselves in a blog they published on Wednesday 15 February. Secondly, there is a big difference between trying to increase revenues by making people pay for two-factor authentication and trying to cut losses by reducing the amount spent on A2P SMS messages. Twitter’s blog explained:
While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.
Holders of free Twitter accounts will not have to pay for two-factor authentication using either of the alternative methods.
We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead. These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure.
Musk’s approach inevitably upset many people, though the actual number affected should not be exaggerated. The most recent figures given by Twitter’s Transparency Report stated only 2.6 percent of Twitter users had enabled two-factor authentication. SMS was the most popular method, adopted by 74.4 percent of users who used two-factor authentication, ahead of authentication apps at 28.9 percent and security keys at just 0.5 percent. Many of those expressing anger with Musk’s decision were concerned it would discourage users from protecting their privacy. However, SMS is a lousy way to authenticate users because SMS was never meant to be a secure communications channel. The FBI started warning businesses about the weaknesses surrounding SMS authentication back in 2019. Overuse of A2P SMS for the transmission of one-time passwords has fueled the rapid rise of a criminal subculture devoted to SIM swapping. SMS messages are also vulnerable because of all the known security weaknesses surrounding SS7 signaling.
The high-energy, low-intelligence style of most tech reporting inevitably sought to generate clicks by slamming Musk whilst providing no insight into the factors that led to his decision. Musk only has a rudimentary understanding of the SMS ecosystem but the same can be said of most tech journalists. Few tech journalists are willing to believe Musk when he states the decision is motivated by costs, not revenues. However, none has performed their own analysis of the likely costs and likely revenues. Musk did not get rich by trying to force less than 2 percent of a platform’s users to pay USD8 per month for a service they previously obtained for free. My most conservative projections based on user numbers, how often they authenticate, and the cost of A2P SMS messages suggest this change will reduce Twitter’s expenditure by USD40mn a year, and that is without making any assumptions about reducing the cost of fraud or whether users with two-factor authentication are likely to log on more often than most of their peers. Losing free users costs Twitter money indirectly because it makes the platform less attractive to advertisers, the dominant revenue stream for this business. But as Musk keeps pointing out, Twitter has lots of users who have announced they are about to leave because they are sick of Musk’s antics… and keep tweeting the same announcement day after day, week after week.
I expect journalists to do a lousy job of reporting on security because knowing how to read what is shown on a screen is different to knowing the systems that connected one person’s screen to the screen of another person on the far side of the planet. The biggest shock has been how many people who consider themselves to be experts in security will publicly demonstrate their lack of insight into the fundamentals of networking businesses in the real world. For the previous paragraph, I performed a simple back-of-envelope calculation to show why Musk’s decision is intelligible. It may be the wrong decision, but it is intelligible. However, a multitude of so-called experts have gone on public record as saying Musk’s decision “is silly”, “is a money grab”, or that “it doesn’t make sense”. What is so difficult to understand about trying to save money, especially when Musk and Twitter have openly stated they are trying to save money? It may be a miscalculation; neither I nor the so-called experts have enough data to judge if the cost saving is sufficient to offset the potential downsides. But if you find it silly or incomprehensible that a loss-making business would want to cut costs then you really should not be giving advice on security. That is because security must be cost-effective like everything else. Nobody ever delivered a sustainable security strategy at an unsustainable cost.
The extent of the anger expressed by some experts who claim proficiency in security makes me wonder if they represent a threat to the organizations they advise because they lack a sufficiently rounded worldview. Imagine a security expert telling you to keep your cash in the thickest, heaviest, most secure safe that you can put in your home. No safecracker will be able to determine the combination, no explosives will blow the door off its heavy hinges. Buying this safe might seem like a good investment. But what if your house is built on bamboo stilts above a river? Watching that safe crash through your floor and sink to the river bed may lead you to think again. SMS is insecure. The weakness of SMS has been a godsend to criminals. There are many reasons to believe the extent of SMS crime is underreported because, unlike Musk, some executives want bots that simulate genuine users so they can overreport the value of their companies. But a legion of supposed experts see no problem with erecting secure systems on foundations that are woefully insecure.
The inadequacies of SMS as a channel for private communications were made obvious to me as a young professional in the 1990s. But that did not discourage banks, governments, Uncle Tom Cobley and all from choosing SMS as their favorite method to send passwords. Authentication using an app on a smartphone is far more secure. There is little excuse for serious organizations to keep pushing SMS as the default method for two-factor authentication in countries where only a negligible number of feature phones remain in use. SMS continues to be used only because it avoids the discomfort of asking users to configure app-based authentication. Sparing ourselves that trivial burden is as short-sighted as the previous institutional resistance to implementing a second factor to complement the use of passwords.
Musk need not have upset so many people because there are other ways Twitter could have reduced A2P SMS fraud. The problem with small teams like the one surrounding Musk at Twitter is that they may not have access to the best advice on how to tackle a challenge that sits outside of their areas of expertise. Musk spends a lot of time tweeting and communicating directly with the masses, but that will not reliably foster insightful feedback. To be fair to Musk, the largest teams may also be too ignorant, too incompetent or too bound by bureaucracy and convention to fix problems in the most efficient manner. That should be evident at the macroeconomic scale by observing how societies are trying to mitigate a pandemic of fraud by relying on a threadbare 1990s comms protocol that was only created as a byproduct of network signaling. SMS became a mass market service because kids want attention without actually talking to each other; the world now secures transactions worth trillions of dollars in total by relying upon a service initially sold as a children’s toy. There were smarter ways for Twitter to cut A2P SMS fraud, but Musk’s disruptive approach has hit upon the right answer for the longer term. Forcing users to adopt app-based authentication is inevitable.
The radical decisions made by Musk cause so much fury because they often prove his haters wrong. Musk is the living antithesis of groupthink, and hence the personification of everything that threatens groupthinkers. Many insisted that mass redundancies would cause Twitter to collapse within days. If Twitter had stopped existing then they would not have so unashamedly switched to complaining about every flaw they perceive with its continuing service. Persuading Twitter users to implement app-based authentication would be a huge improvement in safeguarding their privacy, not just on Twitter, but because it would demonstrate that the same transition could be achieved for other services too. That shows us the real threat posed by Musk’s latest disruption. If A2P SMS suddenly falls out of favor with large institutional customers, a swathe of the telecoms industry will be extinguished with it.