Why verified accounts won’t kill off Twitter fraudsters

Twitter has announced on its blog that in the summer* it will be introducing a “Verified Accounts” feature for some of its more high profile users, designed to help reassure members that the account is real and not belonging to an impersonator.

The reason why they’ve introduced this is that there has been a steady stream of bogus Twitter accounts set up in the name of celebrities – Al Gore, Hermione Granger actress Emma Watson, Vint Cerf and Kanye West are amongst those in the public eye who have fallen victim to Twitter fraudsters.

While some fakes, like the woman who pretended to be Dr Who actor David Tennant, have been amusing, others have clearly been set up with mischief-making and even malice in mind.

Now, in the wake of a lawsuit from Tony La Russa, the manager of the St Louis Cardinals baseball team, Twitter has announced that it is doing something to try and stop users being fooled into believing that posts are from a celebrity – unless they’re really from the celebrity.

But here’s the problem. Twitter’s solution of verifying the accounts of public officials, agencies and celebrities and displaying a “Verified Account” seal isn’t actually the answer.

After all, a “Verified Account” seal only tells you that it’s the official Twitter page for that person or organisation. It doesn’t tell you that it really was that individual or body that wrote the tweet you’ve just read.

That's because it provides no protection at all against the problem of real celebrities’ accounts getting hacked, as happened to Miley Cyrus, Fox News, CNN’s Rick Sanchez, Britney Spears and Barack Obama, and a hacker posting from their account.

So, the best a “Verified Account” can do is help you tell the difference between the likes of @britneyspears, @britney_spears, @britneyspear, and @fakebritney.

It’s not going to stop celebrity and high profile Twitter users choosing dumb passwords, or being careless with their credentials, or Twitter itself having a security problem which exposes everyone’s account to hackers.

The only difference is going to be that now a hacked celeb account is more likely to have a seal claiming that the account is legitimate, and perhaps the poor user reading it will be lulled into a greater sense of security that the post is for real.

And if it’s your (non-celeb) friend or family member who has their Twitter account commandeered by hackers, you’ll be just as susceptible as ever to believing their Tweets to be true and in danger of clicking on their (potentially malicious) links.

There’s a danger that I sound very negative about “Verified Accounts on Twitter”, and I’m sorry about that. I would just like to see much more in the way of enhanced security on the site to better protect its ever-growing fanbase.

* By the way, what’s summer? I don’t ask that because I live in England where we appear to have had our summer (four days) and we’re now back to rain-sodden misery, but because summer is a different time of the year depending on where you live in the world. Summer in New Zealand is December – February, but in California it would be July or August. So I find it kind of funny when a Web 2.0 company like Twitter talks about something being ready in “the summer”. Get with the beat guys!

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
