Monday, February 20, 2023

Meta Verified and Twitter Blue

Mark Zuckerberg (Hacker News):

[This] week we’re starting to roll out Meta Verified -- a subscription service that lets you verify your account with a government ID, get a blue badge, get extra impersonation protection against accounts claiming to be you, and get direct access to customer support. This new feature is about increasing authenticity and security across our services. Meta Verified starts at $11.99 / month on web or $14.99 / month on iOS.

Juli Clover:

Meta also plans to make the same verification process available on Instagram, but separate subscriptions will be required for each platform, so an individual or business that wants to be verified on both Facebook and Instagram will need to pay separate subscription fees.

Instagram and Facebook are monetized through advertising at the current time, but changes like Apple’s App Tracking Transparency can make ads an unreliable revenue stream. Subscription payments will give Facebook a steady monthly income.

Elon Musk:

Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages

Eric Priezkalns (via Hacker News):

Having seen plenty of evidence about the revenue-generating schemes operated by dodgy telcos, and their symbiotic relationship with criminals both inside and outside of their companies, it comes as no surprise that an organization like Twitter would be targeted for an abuse of this nature. What is surprising is that the previous management were so ignorant, idle or incompetent that they did nothing about it. Twitter made a loss of USD221mn in 2021, which was significantly less than the previous year, but still large enough to question why USD60mn of fraud would be tolerated.


As a Twitter Blue subscriber, you can add another layer of protection to your account with access to two-factor authentication via SMS.


Twitter Blue subscribers who joined for $7.99 on iOS will be notified by Apple that their subscription will be automatically renewed for $11/month (or your local pricing) unless they choose to cancel their subscription.

Web pricing remains $8/month. These, along with YouTube Premium and Epic Direct Payment, are probably the highest profile examples of passing IAP fees on to the customer.

Dare Obasanjo:

After App Tracking Transparency (ATT), every major social app is now charging for features and Apple gets a cut on iOS.

Ricky Mondello:

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.


People who don’t use password manager software — and that’s a lot of people — almost always reuse the same passwords across the services they use. For many of them, SMS 2FA provides value, despite its flaws. Making a person’s weak or reused password not sufficient to gain access to their accounts is genuinely good, even if a very motivated attacker could compromise the SMS channel or phish the one-time code.

So, offering e-mail 2FA as an alternative would perhaps not be as secure as you might think. On the other hand, it’s easier to use than authenticator apps. By not supporting e-mail, some users will end up without 2FA. But, given the choice, others would pick e-mail over an app and end up less secure.

On iOS, time-based one-time code generation is built into the operating system. No “authenticator app” is required to install.


Update (2023-02-21): Matt Sephton:

I was using SMS based 2FA only because the autofill experience is so much better, at least on iOS. The number appears over the keyboard, you tap it, done.

iOS 2FA (or other 2FA apps) don’t autofill as easily, they require more steps: worse user experience.


1 Comment

Aren't passkeys the solution to this?
