Designing account security across our apps

Meta
3 months ago
By Nathaniel Gleicher, Head of Security Policy and Jimena Almendares, Head of Support and Customer Experience
As we wrap up this year, we’re sharing a series of updates on our work to protect people around the world from various threats.
We know account security and recovery are top of mind for people, so today we’re sharing a behind-the-scenes look at some of the tensions that companies like ours navigate when designing account security tools that help protect people while deterring bad actors. We also describe new security features we’ve rolled out this year and highlight why it’s critical for people to keep their contact points – such as email or phone numbers – secure and up-to-date, since contact point takeover is one of the leading drivers of account compromise.
Using adversarial design on account security
Since sharing our plans last year to expand our support efforts, we’ve continued to stress test our account security and support systems to understand how bad actors might try to game them. This space is highly adversarial: we constantly think about how our products and support channels could be abused, and we must keep evolving our defenses and processes as malicious actors try to circumvent them.
This is always a difficult balance. If we tighten account security controls too much, innocent people will have a harder time accessing and recovering their accounts; if we are too loose with controls, it will be easier for bad actors to abuse our systems to compromise people. In fact, we regularly see threat actors targeting the very systems we put in place to protect people, trying to get accounts removed.
As an example of these types of checks in our account recovery support, we use a number of signals and verification challenges to help detect suspicious activity and validate legitimate access attempts. These challenges range from requesting a copy of a person’s ID to verifying a code sent to a device that has previously logged into the account.
A closer look at contact points
When someone requests account recovery, platforms like ours rely on the points of contact listed in their account settings, such as an email address or phone number, as the primary channel for delivering support, including password reset links. Our research shows that people are twice as likely to recover their Facebook account if their contact points are up to date so we can reach them.
However, people may lose access to an old email inbox or change phone numbers; this is a challenge recognized across our industry. We’ve also seen threat actors target these contact points to gain broad access to someone’s online accounts, using a compromised inbox or phone number to reset the passwords of other connected accounts, whether banking, social media or others. In fact, when we look at compromised Facebook accounts, we find that one in four started with the takeover of someone’s point of contact.
Product and support updates
Our work to help people stay safe and in control of their accounts is twofold. First, to prevent account compromise, we build systems and help people learn to identify potentially suspicious activity on the Internet. Second, to help people experiencing access issues, we continue to improve our support offerings.
Contact Point Support
We’ve built more ways for people to get back into their accounts when they no longer have access to the contact points linked to them. For example, in certain cases people can use a recently removed contact point to restore access. As a result, on an average day this year we’ve helped eight times as many people who no longer had access to their listed contact points get back into their Facebook account as we did last year. We’re also running global in-app messages on Facebook reminding people to verify their contact points, and we’re exploring alternative ways to verify people’s identities during account recovery on Instagram, including through their network of friends.
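The recovery mechanics described in this post (a one-time code delivered to a listed contact point or to a device that previously logged in, and the allowance for a recently removed contact point) can be sketched as a small policy model. The Python below is an added illustration written for this page; it is not Meta’s code and does not describe Meta’s implementation. The 30-day grace window, 5-minute code lifetime, 5-attempt limit, the sample account and every function and field name are assumptions chosen for the example.

```python
"""Illustrative account-recovery challenge model.

Added example, not Meta's code. Every constant and name below is an
assumption: the grace window for removed contact points, the code lifetime
and the attempt limit are plausible values, not Meta's.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REMOVED_CONTACT_GRACE = timedelta(days=30)   # assumption
CODE_TTL = timedelta(minutes=5)              # assumption
MAX_ATTEMPTS = 5                             # assumption


@dataclass
class Account:
    user_id: str
    contact_points: set            # verified, currently listed (email/phone)
    removed_contact_points: dict   # contact point -> datetime it was removed
    known_devices: set             # device ids that have logged in before


@dataclass
class Challenge:
    user_id: str
    channel: str        # where the code was delivered (contact point or device id)
    code_hash: bytes    # digest of the code; the plaintext is never stored
    expires_at: datetime
    attempts: int = 0


def _hash_code(code: str, user_id: str) -> bytes:
    # Bind the digest to the account so a code cannot be replayed across users.
    return hashlib.sha256(f"{user_id}:{code}".encode()).digest()


def eligible_channels(acct: Account, now: datetime) -> dict:
    """Channels a reset code may be delivered to, with the reason each qualifies.

    A contact point removed within the grace window still counts, matching the
    allowance the post describes; anything older, or never listed, is refused
    so a requester cannot simply supply an address they control.
    """
    channels = {cp: "current contact point" for cp in acct.contact_points}
    for cp, removed_at in acct.removed_contact_points.items():
        if cp not in channels and now - removed_at <= REMOVED_CONTACT_GRACE:
            channels[cp] = "recently removed contact point"
    for dev in acct.known_devices:
        channels[dev] = "device that previously logged in"
    return channels


def issue_challenge(acct: Account, channel: str, now: datetime):
    """Create a one-time code for an eligible channel. Returns (challenge, code).

    The code is returned only so the caller can deliver it over `channel`;
    it must never be shown to the party requesting recovery.
    """
    if channel not in eligible_channels(acct, now):
        raise PermissionError(f"{channel!r} is not an eligible recovery channel")
    code = f"{secrets.randbelow(10**6):06d}"
    chal = Challenge(acct.user_id, channel, _hash_code(code, acct.user_id), now + CODE_TTL)
    return chal, code


def verify_challenge(chal: Challenge, submitted: str, now: datetime):
    """Check a submitted code. Returns (accepted, reason).

    Expiry and the attempt cap are enforced before the comparison, the
    comparison is constant-time, and a correct code is consumed on use.
    """
    if now >= chal.expires_at:
        return False, "expired"
    if chal.attempts >= MAX_ATTEMPTS:
        return False, "locked"
    chal.attempts += 1
    if hmac.compare_digest(chal.code_hash, _hash_code(submitted, chal.user_id)):
        chal.expires_at = now   # single use: any later check reports "expired"
        return True, "ok"
    return False, "mismatch"


if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    # Constructed sample account: one current email, one email removed 10 days
    # ago, one removed 90 days ago, and one device that has logged in before.
    acct = Account(
        "user-1",
        {"alice@example.com"},
        {"old@example.com": now - timedelta(days=10),
         "ancient@example.com": now - timedelta(days=90)},
        {"device-abc"},
    )
    print(eligible_channels(acct, now))
    chal, code = issue_challenge(acct, "old@example.com", now)
    print(verify_challenge(chal, "000000" if code != "000000" else "111111", now))
    print(verify_challenge(chal, code, now))
    print(verify_challenge(chal, code, now))   # already consumed
```

The point of the model is the tension the post describes: widening the set of eligible channels (the grace window for removed contact points) helps locked-out people, while every channel added is one more thing an attacker can try to take over first, which is why the code itself is short-lived, single-use, rate-limited and compared in constant time.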
Protection against phishing and malware
To help people stay safe across our apps, we continue to roll out protections and educational initiatives:
- Protection against malicious links: We know that threat actors often target groups such as journalists, activists, political campaigns and businesses (among others) by sending them phishing links or malware. One measure we’ve implemented to protect against this on Messenger is using our automated systems to redirect suspicious messages if they’re sent by offline users. As with many of our security measures, we will use what we learn to inform our wider strategy to protect people.
- Instagram fraud alerts: We remove Instagram accounts that our automated systems find to be malicious, including those impersonating others. However, because bad actors may not use an account maliciously right away, we are now testing warnings that tell people when an account we suspect of impersonating someone sends them a follow request. In the coming months, we will also send alerts when an account that may be impersonating a business sends you a direct message.
- Increased Instagram Verified Brand Visibility: We’re also expanding where the verified badge appears on Instagram to make it visible in more places, including Stories and Direct Messages, to help people confirm that the accounts they’re interacting with are authentic and verified.
Live Chat Support Test
While our scaled account recovery tools aim to support most account access issues, we know there are groups of people who could benefit from additional, human-powered support. This year we have carefully developed a small test of a live chat support feature on Facebook and we are starting to see positive results. For example, during the month of October we offered our live chat support option to over one million people in nine countries, and we now plan to expand this test to more than 30 countries around the world.
Support for accessing Instagram accounts
We have launched instagram.com/hacked to help people report and resolve account access issues. We’ve also launched a way for people to ask their friends to verify their identity to help them regain access to their Instagram account.
We welcome feedback from the research community and our industry colleagues as we all navigate and balance these various tensions to protect people and deter bad actors.