Twitter’s murky verification process is helping cryptocurrency scams thrive

Twitter verification has been on hold for about four months.

Image: vicky leta/mashable

Twitter verification, or the blue checkmark that appears next to an official account’s name, is seen by most people as a badge of credibility. It’s meant to distinguish real accounts from the fake ones.

But for scammers, the same blue checkmark can be exploited to take money from unwitting users, as BuzzFeed reported last week. 

The BuzzFeed story describes how an account called @Tronfoundation, a company offering the cryptocurrency token $TRX, was impersonated by about a dozen accounts. But the one fake account that really stuck out from the pack was @Tronfoundationl because it somehow acquired a blue verified checkmark — even though the account was fake.

The fake account has since been deleted, and it’s unclear how much the scam was actually able to achieve by impersonating the real Tron Foundation. But for Twitter and its community, it’s a major problem that such a scam happened in the first place. 

Twitter CEO Jack Dorsey personally confirmed he’s aware of the problem, according to a tweet he shared on Monday in response to Techmeme founder Gabe Rivera. 

Twitter verification, by definition, is supposed to indicate authenticity, but now, its purpose has been muddled and evidently exploited. Of course, Twitter isn’t the only social network with verification issues. (Read more about Instagram’s verification black market here.)

Twitter has wrestled with its verification problem for years. The company finally paused verification after facing backlash for verifying white supremacist Jason Kessler in November. Then Twitter stopped accepting public requests for verification, and Dorsey said they were working on a new system to standardize the process. But Dorsey has been silent on what exactly that new verification process is. 

To give Twitter at least some credit, the company does have safety policies in place. For example, changing a username (a.k.a. handle) should result in losing the account’s verification badge. 

I decided to test with my own account @kerrymflynn, which has been verified since 2015, and found that my verification badge was stripped when I changed my handle. 

That doesn’t mean other accounts aren’t finding loopholes, as BuzzFeed’s story alleges to be true for the case of @Tronfoundationl.

A Twitter spokesperson said that accounts should lose verification if the username is changed. 

“We strongly encourage everyone to use login verification for account security. Also, if an account changes its username, it should lose its verified status. Any instance of this not occurring is an error. We are investigating recent errors around changed usernames and verification status,” a Twitter spokesperson told BuzzFeed.

When asked for more information on the issue and what Twitter is doing to further prevent verified accounts from being bought, sold, and then separately being used for scams, a Twitter spokesperson referred Mashable to the same statement given to Buzzfeed. 

Still, it’s hard to discern a fake account from a real one. Scammers will often copy the same profile image, cover photo, and even create identical tweets to mimic a person or company’s identity. Scammers also can boost tweets by using botnets, or a coordinated effort from fake accounts, as cofounder of blockchain transparency startup Elementus Geoff Golberg noted.

Golberg told Mashable that bot accounts can often retweet, like, and reply to the impersonated accounts saying, “It worked!” Those responses, much like verification, adds unjust credibility to scammers. 

Twitter has promised to crackdown on bots, in the wake of Russian propaganda scandal with the 2016 presidential election and in response to a New York Times investigation on selling and buying bot accounts. 

Also, Twitter has stopped taking requests for verifications, but that might have done more harm than good. Twitter has not done a great job at publicizing that it’s request for verification is currently halted. For example, the pinned tweet for Twitter’s @verified account links to a page that used to be for public submissions: 

Twitter's @verified

Twitter’s @verified

Image: twitter screenshot

The link on the page support.twitter.com/forms/verify directs users to verification.twitter.com. That page currently looks like: 

Image: twitter screenshot

Since Twitter verification’s early days, the process been a Wild West of people asking their friends within Twitter HQ to verify their accounts. Others got blue checkmarks and later sold their accounts, which is against Twitter’s terms but difficult to enforce. Clearly, it’s still happening. 

MetaMark, a tool for interacting with Ethereum dApps in a web browser and a wallet for Ether and ERC20 tokens, tweeted that it would like to be verified on Twitter in an effort to prevent scams. 

“As we have recently surpassed 1 million active downloads, the reality is that our users could be a big target for phishing and scams. Twitter verification is just a small step in preventing impersonating accounts from pretending to be us and victimizing our users,” James Moreau, MetaMask’s support and community lead, told Mashable in an email.

“We actively blacklist known phishing and malicious websites, which has saved many users from having their funds stolen. Receiving verification from Twitter would be a simple and effective added layer of security to protect our users from bad actors,” he continued. 

And yet, Twitter’s verification program is still on hold. Twitter has made exceptions for HQ trivia host Scott Rogowsky and survivors of the Parkland, Florida shooting, for example. Now that I’ve sacrificed my verification for the good of content, I’m not sure of my own future. 

[embedded content]