THE THREAT OF Facebook account takeovers always looms, whether they’re caused by attacks that steal users’ login credentials or hacks that, say, compromise users’ email accounts and exploit the access to launch rogue account recoveries. At the same time, though, Facebook users need to be able to regain access to their accounts if they forget their password or otherwise get locked out. Account recovery creates a classic tension for any digital service, but when you have close to 3 billion users, the stakes are at their highest. Now, Facebook parent company, Meta, is sharing new insight into its balancing act over the last year as it attempts to improve the account recovery process and detect more potentially malicious activity on its platforms without creating disruptions for users or compromising their account security.
Meta has focused its efforts on examining and expanding users’ options for setting “contact points,” or third-party services like email addresses and phone numbers where Facebook can communicate with a user about account recovery. Meta told WIRED that a quarter of all Facebook account compromises begin with abuse of a contact point. At the same time, though, Meta says people are twice as likely to successfully recover their account when their contact points are up to date, highlighting the fine line between keeping people out of their own accounts versus blocking bad actors.
“There’s a fundamental feedback loop, and the account compromise work is an area where it’s especially relevant because it’s such an adversarial space,” says Nathaniel Gleicher, Meta’s head of security policy. “Whenever my team gets involved in something, it means there’s an adversary on the other side. But we have to be really careful about how to stop bad actors without also stopping good actors.”
Meta didn’t provide specific statistics on how many accounts are compromised per month or how many people recover access to their accounts after a compromise.
The company says it employs a range of assessments and “verification challenges” in an attempt to separate the activity of real Facebook users trying to regain access to their accounts from malicious access attempts. Depending on the situation, Facebook may send a code to a device that was formerly logged in to the account or request that a user provide identification to authenticate them. Instagram is also exploring a recovery feature in which a randomly selected group of accounts a user interacts with most can be asked to testify to their identity and the validity of their login attempts.
Most account recovery features on Facebook are automated to handle the sheer scale of the social network’s user base. But in 2021, the company said it would begin expanding its offerings for users to live-chat with a person about account recovery issues. In October, Facebook’s systems offered 1.3 million users in nine countries the option to work with live agents as part of the account recovery flow, according to Meta. The company plans to expand the live chat to 30 countries. The rollout has been very gradual, Gleicher says, so Meta can fine-tune the system and reduce the chance that attackers can exploit it to social engineer, or trick, agents into granting improper access to accounts.
sourse:https://www.wired.com/
Reddit has confirmed hackers accessed internal documents and source code following a “highly-targeted” phishing attack. A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that on February 5 the company became aware of the “sophisticated” attack targeting Reddit employees. He says that an as-yet-unidentified attacker sent “plausible-sounding prompts,” which redirected employees to a website masquerading as Reddit’s […]
Apple on Monday released a new version of the iPhone and iPad’s operating systems to fix a vulnerability that hackers were exploiting in the wild, meaning they were taking advantage of it to hack Apple devices. On the security update page, Apple wrote that it “is aware of a report that this issue may have […]
Facebook-parent Meta has launched a subscription service, called Meta Verified, that will allow users to add the coveted blue check mark to their Instagram and Facebook accounts for up to $15 a month by verifying their identity, its chief executive Mark Zuckerberg said on Sunday, tapping a new revenue channel that has returned mixed success […]
Leave a Reply