The news that Tesla's billionaire CEO Elon Musk was buying the social media platform Twitter for $44 billion has generated plenty of media coverage and think pieces since his intentions were announced.
Musk has said that part of his mission as Twitter's new owner will be to "authenticate all humans" and defeat the spambots on the platform. Those are just two of the security challenges he will face, alongside the company's struggle to retain a CISO (it has gone through three in rapid succession), past data breaches and lackluster multifactor authentication (MFA) uptake.
In its own account security report published in January, Twitter revealed that only 2.5% of its users have MFA enabled, and admitted that the low figure illustrated the continued need to encourage broader adoption while also making 2FA easier for accounts to use.
“The problem with MFA is that it complicates the user experience and people don’t like it,” John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, explained. “If I got an MFA challenge for every tweet I wanted to post, likely I’d stop using Twitter. But MFA can be used for suspect posts or from suspicious parts of the internet.”
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, also noted the average Twitter user is probably not willing to go through the extra effort of using MFA in practice.
“There is already some resistance from users when their banking applications want to implement it,” he said. “If people are unwilling to use MFA for their banking applications, it’s certain they’d resist it for a social media application like Twitter.”
Bots and fake accounts, including massive swarms of them, have also plagued the service; various reports estimate the share of fake profiles on Twitter at between 5% and 15%, and it could be considerably higher.
“The tools are there; it’s always been the will that has been lacking,” Bambenek said. “Many researchers have enumerated bot networks; Twitter can just use the same techniques to drop the ban hammer. They can also use IP reputation to find botnets, mark suspicious accounts and look for entities posting the same content across many accounts.”
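The detection signals Bambenek names (shared source IPs, IP reputation and the same content posted across many accounts) are simple to implement as a batch job over a feed of posts. The block below is an added example, not Twitter's or Netenrich's code: the posts, the IP addresses and the reputation list are all constructed for illustration, and real deployments would read a reputation feed and a far larger post stream. It normalizes each post (lowercase, URLs and mentions replaced by placeholders, whitespace collapsed) so that trivially varied copies collide, then groups accounts by content key and by source IP and flags any group that meets a minimum size:

```python
"""Coordinated-account detection over a batch of posts.

Added example (not Twitter's or Netenrich's code). It applies three of the
signals discussed above to a constructed batch of posts: identical content
posted from many accounts, many accounts posting from one source IP, and a
constructed IP-reputation list standing in for a real reputation feed.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed sample posts: bot1..bot3 push the same message (with per-account
# URLs and mentions to defeat naive string matching) from one IP; the humans
# post distinct content. human1/human2 share an IP, like an office NAT would.
SAMPLE_POSTS = [
    {"account": "bot1", "ip": "203.0.113.7", "text": "Check out this AMAZING offer!! https://example.com/a @alice"},
    {"account": "bot2", "ip": "203.0.113.7", "text": "check out this amazing offer!!  https://example.com/b @bob"},
    {"account": "bot3", "ip": "203.0.113.7", "text": "Check   out this AMAZING offer!! https://example.com/c @carol"},
    {"account": "human1", "ip": "198.51.100.4", "text": "Lunch was good today"},
    {"account": "human2", "ip": "198.51.100.4", "text": "Anyone else seeing outages?"},
    {"account": "human3", "ip": "192.0.2.9", "text": "Great thread on MFA adoption https://example.com/mfa"},
]

# Constructed reputation list; a real system would load a reputation feed.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

URL_RE = re.compile(r"https?://\S+")
MENTION_RE = re.compile(r"@\w+")
WS_RE = re.compile(r"\s+")


def normalize(text):
    """Canonicalize a post so trivially varied copies produce the same string."""
    text = text.lower()
    text = URL_RE.sub("<url>", text)
    text = MENTION_RE.sub("<user>", text)
    return WS_RE.sub(" ", text).strip()


def content_key(text):
    """Short stable key for a normalized post (hashing avoids storing the text)."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()[:16]


def group_accounts(posts, key_fn, min_accounts):
    """Map key -> sorted account list, keeping only groups of min_accounts or more."""
    groups = defaultdict(set)
    for post in posts:
        groups[key_fn(post)].add(post["account"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_accounts}


def find_content_clusters(posts, min_accounts=3):
    """Accounts that posted the same (normalized) content."""
    return group_accounts(posts, lambda p: content_key(p["text"]), min_accounts)


def find_shared_ips(posts, min_accounts=3):
    """Accounts that posted from the same source IP."""
    return group_accounts(posts, lambda p: p["ip"], min_accounts)


def bad_reputation(ip):
    """True if the IP falls inside a network on the (constructed) reputation list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)


def score_accounts(posts, min_accounts=3):
    """Return {account: set(reasons)} for every account hit by at least one signal."""
    reasons = defaultdict(set)
    for key, accounts in find_content_clusters(posts, min_accounts).items():
        for account in accounts:
            reasons[account].add("dup-content:" + key)
    for ip, accounts in find_shared_ips(posts, min_accounts).items():
        for account in accounts:
            reasons[account].add("shared-ip:" + ip)
    for post in posts:
        if bad_reputation(post["ip"]):
            reasons[post["account"]].add("bad-ip-rep:" + post["ip"])
    return dict(reasons)


if __name__ == "__main__":
    for account, why in sorted(score_accounts(SAMPLE_POSTS).items()):
        print(account, sorted(why))
```

The threshold matters: the two humans behind one NAT address are not flagged at `min_accounts=3` but would be at 2, and identical content is also produced by legitimate retweet buttons and coordinated but permitted campaigns. In practice such signals are combined and fed to review or rate limiting rather than used alone as a ban trigger, which is the "without removing legitimate users" problem the next paragraphs raise.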
From Parkin's perspective, there are multiple challenges in eliminating bots from the platform: while there are some "good" bots, there are many malicious ones, and their operators are constantly finding ways around any effort to eliminate them.
“The challenge for Twitter, going forward, will be identifying and eliminating the bad actors without removing legitimate users or tools and doing it reliably and transparently,” he said.
He explained that eliminating bots from a platform like Twitter could have applications and repercussions across the rest of the social media landscape, since bots, spam and disinformation are serious problems on most of those platforms.
“This will only happen, however, if the tools and techniques are made available and adopted by the rest of the industry,” he said.
Parkin added that adding end-to-end encryption to Twitter may prove problematic.
While the technical overhead is relatively minor, as other apps that offer end-to-end encryption have shown, some regions of the world restrict cryptography and Twitter may not want to lose access to those markets.
Bambenek pointed out that many social media companies are valued based on user counts, even when those users are synthetic.
“If Twitter can show it’s profitable to kick out the trash while increasing real engagement, capitalism will kick in and other companies will follow,” he said. “The only way to get enterprises to do the right thing is to show them it’s profitable to do so.”
Parkin said the disinformation issue is perhaps the greatest challenge: striking the balance between an open free-speech platform and one that is abused for disinformation and propaganda is hard.
“Bots play a large role in these, so eliminating them will help,” he said. “But, again, it can be hard to eliminate bots without affecting legitimate users while the bot writers are constantly evolving their tools.”
Regarding Musk's statement that he plans to open-source the platform's algorithm, Bambenek said that if Twitter gets it right and shows everyone else how to do it, other engineers can simply adopt the same approach.
“If you can make it work at Twitter’s scale, it will work on smaller scales,” he said.
Parkin pointed out that, because Twitter is such a large and visible platform, if the company starts rolling out features like MFA and end-to-end encryption, other applications will follow to keep up.
“These would both be good things to see across the board, though there will be user resistance to MFA and likely some state-level resistance to end-to-end encryption,” he added.