THE THREAT OF Facebook account takeovers always looms, whether they’re caused by attacks that steal users’ login credentials or hacks that, say, compromise users’ email accounts and exploit the access to launch rogue account recoveries. At the same time, though, Facebook users need to be able to regain access to their accounts if they forget their password or otherwise get locked out. Account recovery creates a classic tension for any digital service, but when you have close to 3 billion users, the stakes are at their highest. Now, Facebook parent company, Meta, is sharing new insight into its balancing act over the last year as it attempts to improve the account recovery process and detect more potentially malicious activity on its platforms without creating disruptions for users or compromising their account security.
Meta has focused its efforts on examining and expanding users’ options for setting “contact points,” or third-party services like email addresses and phone numbers where Facebook can communicate with a user about account recovery. Meta told WIRED that a quarter of all Facebook account compromises begin with abuse of a contact point. At the same time, though, Meta says people are twice as likely to successfully recover their account when their contact points are up to date, highlighting the fine line between keeping people out of their own accounts versus blocking bad actors.
“There’s a fundamental feedback loop, and the account compromise work is an area where it’s especially relevant because it’s such an adversarial space,” says Nathaniel Gleicher, Meta’s head of security policy. “Whenever my team gets involved in something, it means there’s an adversary on the other side. But we have to be really careful about how to stop bad actors without also stopping good actors.”
Meta didn’t provide specific statistics on how many accounts are compromised per month or how many people recover access to their accounts after a compromise.
The company says it employs a range of assessments and “verification challenges” in an attempt to separate the activity of real Facebook users trying to regain access to their accounts from malicious access attempts. Depending on the situation, Facebook may send a code to a device that was formerly logged in to the account or request that a user provide identification to authenticate them. Instagram is also exploring a recovery feature in which a randomly selected group of accounts a user interacts with most can be asked to testify to their identity and the validity of their login attempts.
Most account recovery features on Facebook are automated to handle the sheer scale of the social network’s user base. But in 2021, the company said it would begin expanding its offerings for users to live-chat with a person about account recovery issues. In October, Facebook’s systems offered 1.3 million users in nine countries the option to work with live agents as part of the account recovery flow, according to Meta. The company plans to expand the live chat to 30 countries. The rollout has been very gradual, Gleicher says, so Meta can fine-tune the system and reduce the chance that attackers can exploit it to social engineer, or trick, agents into granting improper access to accounts.