THE THREAT OF Facebook account takeovers always looms, whether they’re caused by attacks that steal users’ login credentials or hacks that, say, compromise users’ email accounts and exploit the access to launch rogue account recoveries. At the same time, though, Facebook users need to be able to regain access to their accounts if they forget their password or otherwise get locked out. Account recovery creates a classic tension for any digital service, but when you have close to 3 billion users, the stakes are at their highest. Now, Facebook parent company, Meta, is sharing new insight into its balancing act over the last year as it attempts to improve the account recovery process and detect more potentially malicious activity on its platforms without creating disruptions for users or compromising their account security.
Meta has focused its efforts on examining and expanding users’ options for setting “contact points,” or third-party services like email addresses and phone numbers where Facebook can communicate with a user about account recovery. Meta told WIRED that a quarter of all Facebook account compromises begin with abuse of a contact point. At the same time, though, Meta says people are twice as likely to successfully recover their account when their contact points are up to date, highlighting the fine line between keeping people out of their own accounts versus blocking bad actors.
“There’s a fundamental feedback loop, and the account compromise work is an area where it’s especially relevant because it’s such an adversarial space,” says Nathaniel Gleicher, Meta’s head of security policy. “Whenever my team gets involved in something, it means there’s an adversary on the other side. But we have to be really careful about how to stop bad actors without also stopping good actors.”
Meta didn’t provide specific statistics on how many accounts are compromised per month or how many people recover access to their accounts after a compromise.
The company says it employs a range of assessments and “verification challenges” in an attempt to separate the activity of real Facebook users trying to regain access to their accounts from malicious access attempts. Depending on the situation, Facebook may send a code to a device that was formerly logged in to the account or request that a user provide identification to authenticate them. Instagram is also exploring a recovery feature in which a randomly selected group of accounts a user interacts with most can be asked to testify to their identity and the validity of their login attempts.
Most account recovery features on Facebook are automated to handle the sheer scale of the social network’s user base. But in 2021, the company said it would begin expanding its offerings for users to live-chat with a person about account recovery issues. In October, Facebook’s systems offered 1.3 million users in nine countries the option to work with live agents as part of the account recovery flow, according to Meta. The company plans to expand the live chat to 30 countries. The rollout has been very gradual, Gleicher says, so Meta can fine-tune the system and reduce the chance that attackers can exploit it to social engineer, or trick, agents into granting improper access to accounts.
Source: https://www.wired.com/
A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account’s two-factor protections just by knowing their phone number. Gtm Mänôz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when […]
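The two passages above describe the same control from opposite sides: the verification challenges in the recovery flow (a code sent to a contact point or a previously logged-in device), and a bug where the number of attempts against such a code was not limited. The following is an added example, not code from Meta or from the researcher's report, showing how a recovery-code verifier can bound guesses per challenge, expire codes, and refuse to reset the counter by re-issuing a code while an account is locked. The class and function names, the policy constants, and the sample account and contact point values are all assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; a real service would tune these.
MAX_ATTEMPTS = 5            # guesses allowed per issued code
CODE_TTL_SECONDS = 600      # code is useless after 10 minutes
LOCK_COOLDOWN_SECONDS = 3600  # no new code for an hour after a lockout


@dataclass
class RecoveryChallenge:
    account_id: str
    contact_point: str      # e.g. the phone number or e-mail the code was sent to
    code: str
    issued_at: float
    attempts: int = 0
    state: str = "pending"  # pending | used | locked | expired


class RecoveryCodeService:
    """Issues and verifies one-time recovery codes with a per-challenge guess budget."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for tests
        self._challenges: dict[str, RecoveryChallenge] = {}

    def issue(self, account_id: str, contact_point: str):
        """Create a fresh 6-digit code. Returns None while the account is in lockout cooldown,
        so an attacker cannot reset the attempt counter simply by requesting a new code."""
        prev = self._challenges.get(account_id)
        if prev is not None and prev.state == "locked":
            if self._clock() - prev.issued_at < LOCK_COOLDOWN_SECONDS:
                return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
        self._challenges[account_id] = RecoveryChallenge(
            account_id, contact_point, code, self._clock()
        )
        # In production the code is delivered only via the contact point, never returned
        # to the requester; it is returned here so the example can be exercised offline.
        return code

    def verify(self, account_id: str, submitted: str) -> str:
        """Check a submitted code. Every call against a pending challenge consumes one attempt,
        and the challenge is burned after MAX_ATTEMPTS wrong guesses."""
        ch = self._challenges.get(account_id)
        if ch is None:
            return "no_active_challenge"
        if ch.state != "pending":
            return ch.state  # used, locked or expired: nothing more to try
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            ch.state = "expired"
            return "expired"
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            ch.state = "used"  # single use: a replayed code is rejected
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.state = "locked"
            return "locked"
        return "wrong_code"


def simulate_guessing(service: RecoveryCodeService, account_id: str, contact_point: str,
                      guesses: int) -> list:
    """Issue a code and submit `guesses` wrong values for it; returns the verifier's answers.
    With attempt limiting, the answers switch from wrong_code to locked at MAX_ATTEMPTS."""
    code = service.issue(account_id, contact_point)
    wrong = "000000" if code != "000000" else "000001"  # guaranteed-wrong constructed guess
    return [service.verify(account_id, wrong) for _ in range(guesses)]


if __name__ == "__main__":
    svc = RecoveryCodeService()
    print(simulate_guessing(svc, "acct-demo", "+1-555-0100", 7))
    # A new code cannot be requested to reset the counter during the cooldown:
    print(svc.issue("acct-demo", "+1-555-0100"))
```

The guess budget lives on the challenge, not on the client session, so clearing cookies or changing IP addresses does not refresh it, and `issue()` refusing to mint a new code during cooldown closes the other obvious way to reset the count. The comparison uses `hmac.compare_digest` so that response timing does not leak how many leading digits matched.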