I don't think spear-phishing training is the solution here, especially given the possibility of collaborating insiders. Short social media usernames are bizarrely coveted and so there's an entire cottage industry based on illicitly commandeering accounts, and these operations have used insiders working for cellular telephone companies who are paid to grease along processes like unauthorized SIM-swaps/porting.
For operations on accounts where illicit access can cause massive irreversible damage -- either by exfiltrating private information (emails, DMs/PMs, posts on locked accounts, etc.) or by making a post that appears authorized (the more notable the victim the worse it gets) -- there has got to be some sort of two-man rule (https://en.wikipedia.org/wiki/Two-man_rule) integrated into the system that can't be bypassed by the people with authority to make changes to accounts. Otherwise any insider / careless spear-phishing victim will make the changes they want, and there's no reason the adversary will limit themselves to posting shoddily-executed (they used the same address instead of generating one per victim!) bitcoin scams.
Furthermore, I'd really like there to be a way for any user (not just bluechecks) to opt in to some sort of feature where Twitter enforces more stringent requirements/documentation/delays for the email/phone-change / password-reset processes -- at the cost of accepting higher delays or maybe even monetary payment.
There's no reason I need such critical account procedures on Twitter (or my email accounts, for that matter) to happen in real time, and I would happily give that up in order to require that such a procedure only happen after, like, a week of enforced, non-bypassable delay where they contact me with details of the change on all my phone numbers and emails every day.
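As an added sketch (not from the comment's author, and not how Twitter's own tooling works), here is how the two proposals above, a non-bypassable second approver plus an opt-in cooling-off delay with daily notices on every contact channel, could be enforced in one policy object; all class and field names are hypothetical:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy model: a sensitive account change (email, phone,
# password reset) needs sign-off from someone other than the requester
# and, for accounts that opted in, must wait out a cooling-off period
# during which the owner is notified on every contact on file each day.

@dataclass
class Account:
    handle: str
    contacts: list             # every email address / phone number on file
    cooling_off_days: int = 0  # 0 = the user did not opt in to a delay

@dataclass
class ChangeRequest:
    account: Account
    field_name: str
    new_value: str
    requested_by: str
    requested_at: datetime
    approvals: set = field(default_factory=set)
    notified_on: set = field(default_factory=set)

    def approve(self, operator: str) -> None:
        # Two-man rule: the operator who filed the change can never approve it.
        if operator == self.requested_by:
            raise PermissionError("requester cannot approve their own change")
        self.approvals.add(operator)

    def notify_owner(self, day: datetime) -> list:
        # One notice per contact per day; returns the messages that would be
        # handed to a mail/SMS gateway and records that the day was covered.
        msgs = [f"{day.date()} {contact}: pending change of {self.field_name} "
                f"to {self.new_value}" for contact in self.account.contacts]
        self.notified_on.add(day.date())
        return msgs

    def ready_at(self) -> datetime:
        return self.requested_at + timedelta(days=self.account.cooling_off_days)

    def can_apply(self, now: datetime) -> bool:
        if not self.approvals:
            return False           # nobody but the requester has signed off
        if now < self.ready_at():
            return False           # opt-in delay has not elapsed yet
        # Every day of the delay must have produced a notice to the owner.
        expected = {(self.requested_at + timedelta(days=i)).date()
                    for i in range(self.account.cooling_off_days)}
        return expected <= self.notified_on
```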