the threat of Facebook account takeovers always looms, whether they’re caused by attacks that steal users’ login credentials or hacks that, say, compromise users’ email accounts and exploit the access to launch rogue account recoveries. At the same time, though, Facebook users need to be able to regain access to their accounts if they forget their password or otherwise get locked out. Account recovery creates a classic tension for any digital service, but when you have close to 3 billion users, the stakes are at their highest. Now, Facebook parent company, Meta, is sharing new insight into its balancing act over the last year as it attempts to improve the account recovery process and detect more potentially malicious activity on its platforms without creating disruptions for users or compromising their account security.
Meta has focused its efforts on examining and expanding users’ options for setting “contact points,” or third-party services like email addresses and phone numbers where Facebook can communicate with a user about account recovery. Meta told WIRED that a quarter of all Facebook account compromises begin with abuse of a contact point. At the same time, though, Meta says people are twice as likely to successfully recover their account when their contact points are up to date, highlighting the fine line between keeping people out of their own accounts versus blocking bad actors.
“There’s a fundamental feedback loop, and the account compromise work is an area where it’s especially relevant because it’s such an adversarial space,” says Nathaniel Gleicher, Meta’s head of security policy. “Whenever my team gets involved in something, it means there’s an adversary on the other side. But we have to be really careful about how to stop bad actors without also stopping good actors."
Meta didn’t provide specific statistics on how many accounts are compromised per month or how many people recover access to their accounts after a compromise.
The company says it employs a range of assessments and “verification challenges” in an attempt to separate the activity of real Facebook users trying to regain access to their accounts from malicious access attempts. Depending on the situation, Facebook may send a code to a device that was formerly logged in to the account or request that a user provide identification to authenticate them. Instagram is also exploring a recovery feature in which a randomly selected group of accounts a user interacts with most can be asked to testify to their identity and the validity of their login attempts.
Most account recovery features on Facebook are automated to handle the sheer scale of the social network's user base. But in 2021, the company said it would begin expanding its offerings for users to live-chat with a person about account recovery issues. In October, Facebook's systems offered 1.3 million users in nine countries the option to work with live agents as part of the account recovery flow, according to Meta. The company plans to expand the live chat to 30 countries. The rollout has been very gradual, Gleicher says, so Meta can fine-tune the system and reduce the chance that attackers can exploit it to social engineer, or trick, agents into granting improper access to accounts.
Meta says it applies the concepts of “adversarial design” to build systems with the assumption that attackers will try to exploit them, rather than ignoring the reality of these risks and being caught off guard.
“You’re living in an adversarial space and you expect the bad guys to keep exploiting, and one way to tackle this is whenever you build a system, you roll it out slowly and you watch carefully for how it gets exploited, and then you rapidly build systems to protect it,” Gleicher says. “But all of that is reactive, and you want to be careful about being purely reactive. ‘Threat ideation’ is a system we’ve built that relies on a combination of strategic foresight, tabletop exercises, red teaming, blue teaming, purple teaming techniques to take a new product that we’re considering, an event that’s coming up, a policy, and put people both inside the company and outside in the shoes of the bad guys and the shoes of the good guys to see what they're going to do.”
Using some of the same signal analysis methodology, Meta plans to roll out more nuanced warnings to users for Facebook Messenger and Instagram to automatically redirect suspicious links to spam when they may lead to targeted phishing attacks or malware and expand alerts when a user communicates with a new account that may be an imposter posing as someone the target user knows and trusts.
It's difficult to bring all of these components together without accidentally blocking legitimate content or locking people out, but Meta says it remains motivated to find the balance. And hey, at the end of the day, helping more users get back into their accounts is good for user retention and, therefore, good for business.
“When bad actors compromise email, those are things that are outside of our direct control, and it's not necessarily a compromise targeted at Meta assets,” Gleicher says. “But we have a lot of users, which means we have a really important, wide-ranging responsibility.”
As always, the best protections for all of your online accounts are strong unique passwords, using a password manager to keep track of them all, and enabling two-factor authentication on every account that offers it.
