Twitter verification, or the blue checkmark that appears next to an official account’s name, is seen by most people as a badge of credibility. It’s meant to distinguish real accounts from the fake ones.
But for scammers, the same blue checkmark can be exploited to take money from unwitting users, as BuzzFeed reported last week.
The BuzzFeed story describes how @Tronfoundation, the account of a company offering the cryptocurrency token $TRX, was impersonated by about a dozen accounts. But the one fake account that really stuck out from the pack was @Tronfoundationl because it somehow acquired a blue verified checkmark — even though the account was fake.
The fake account has since been deleted, and it’s unclear how much the scam was actually able to achieve by impersonating the real Tron Foundation. But for Twitter and its community, it’s a major problem that such a scam happened in the first place.
Twitter CEO Jack Dorsey personally confirmed he’s aware of the problem, according to a tweet he shared on Monday in response to Techmeme founder Gabe Rivera.
How many verified users change their usernames each day?
How many verified users change their usernames, real name, profile photo, *and* header photo every day?
Probably a small enough number that it wouldn’t be too onerous for Twitter to inspect all of them! https://t.co/dx9klP8lCv
— Gabe Rivera (@gaberivera) February 26, 2018
Twitter verification, by definition, is supposed to indicate authenticity, but now, its purpose has been muddled and evidently exploited. Of course, Twitter isn’t the only social network with verification issues.
Twitter has wrestled with its verification problem for years. The company finally paused verification after facing backlash for verifying white supremacist Jason Kessler in November. Then Twitter stopped accepting public requests for verification, and Dorsey said they were working on a new system to standardize the process. But Dorsey has been silent on what exactly that new verification process is.
To give Twitter at least some credit, the company does have safety policies in place. For example, changing a username (a.k.a. handle) should result in losing the account’s verification badge.
I decided to test with my own account @kerrymflynn, which has been verified since 2015, and found that my verification badge was stripped when I changed my handle.
That doesn’t mean other accounts aren’t finding loopholes, as BuzzFeed’s story alleges happened in the case of @Tronfoundationl.
Upon further inspection, we found that @tronfoundationl hacked the verified Twitter profile of a nonprofit called @LiteracyBridge. The hackers then changed the handle (which according to Twitter’s rule should nullify the verification) and then started scamming away. 4/ pic.twitter.com/ehVW6bkjIn
— Ryan Mac (@RMac18) February 26, 2018
A Twitter spokesperson said that accounts should lose verification if the username is changed.
“We strongly encourage everyone to use login verification for account security. Also, if an account changes its username, it should lose its verified status. Any instance of this not occurring is an error. We are investigating recent errors around changed usernames and verification status,” a Twitter spokesperson told BuzzFeed.
When asked for more information on the issue and what Twitter is doing to further prevent verified accounts from being bought and sold and then used for scams, a Twitter spokesperson referred Mashable to the same statement given to BuzzFeed.
Still, it’s hard to discern a fake account from a real one. Scammers will often copy the same profile image and cover photo, and even create identical tweets, to mimic a person’s or company’s identity. Scammers can also boost tweets by using botnets, or a coordinated effort from fake accounts, as Geoff Golberg, cofounder of blockchain transparency startup Elementus, noted.
This is brilliant when you break it down:
– hijack verified Twitter account, change display name to “binance”
– piggyback on tweet from Justin Sun
– botnets for amplification/social proof (retweets, likes, replies)
– fake screenshots to establish trust (hey, it works!) pic.twitter.com/PPAATEo3Qy
— geoff golberg (@geoffgolberg) February 26, 2018
Golberg told Mashable that bot accounts can often retweet, like, and reply to the impersonated accounts saying, “It worked!” Those responses, much like verification, add unjust credibility to scammers.
Twitter has promised to crack down on bots in the wake of the Russian propaganda scandal around the 2016 presidential election and in response to a New York Times investigation into the buying and selling of bot accounts.
Also, Twitter has stopped taking requests for verification, but that might have done more harm than good. Twitter has not done a great job of publicizing that its verification request process is currently halted. For example, the pinned tweet for Twitter’s @verified account links to a page that used to be for public submissions:
Image: twitter screenshot
The link on the page support.twitter.com/forms/verify directs users to verification.twitter.com. That page currently looks like:
Image: twitter screenshot
Since Twitter verification’s early days, the process has been a Wild West of people asking their friends within Twitter HQ to verify their accounts. Others got blue checkmarks and later sold their accounts, which is against Twitter’s terms but difficult to enforce. Clearly, it’s still happening.
MetaMask, a tool for interacting with Ethereum dApps in a web browser and a wallet for Ether and ERC20 tokens, tweeted that it would like to be verified on Twitter in an effort to prevent scams.
“As we have recently surpassed 1 million active downloads, the reality is that our users could be a big target for phishing and scams. Twitter verification is just a small step in preventing impersonating accounts from pretending to be us and victimizing our users,” James Moreau, MetaMask’s support and community lead, told Mashable in an email.
“We actively blacklist known phishing and malicious websites, which has saved many users from having their funds stolen. Receiving verification from Twitter would be a simple and effective added layer of security to protect our users from bad actors,” he continued.
And yet, Twitter’s verification program is still on hold. Twitter has made exceptions for HQ trivia host Scott Rogowsky and survivors of the Parkland, Florida shooting, for example. Now that I’ve sacrificed my verification for the good of content, I’m not sure of my own future.