{"id":12243,"date":"2022-12-15T13:53:25","date_gmt":"2022-12-15T13:53:25","guid":{"rendered":"http:\/\/scannn.com\/designing-account-security-across-our-apps\/"},"modified":"2022-12-15T13:53:25","modified_gmt":"2022-12-15T13:53:25","slug":"designing-account-security-across-our-apps","status":"publish","type":"post","link":"https:\/\/scannn.com\/lv\/designing-account-security-across-our-apps\/","title":{"rendered":"Designing Account Security Across Our Apps"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span style=\"font-weight: 400\">As we close out this year, we\u2019re sharing a number of <a href=\"https:\/\/about.fb.com\/news\/2022\/12\/protecting-people-from-online-threats-in-2022\/\">updates<\/a> on our work to protect people around the world against various threats.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We know account security and recovery are top of mind for people, so today we are sharing a behind-the-scenes look at some of the tensions that companies like ours navigate in designing account security tools that help protect people while deterring bad actors. We\u2019re also detailing new security features we\u2019ve rolled out this year and highlighting why it\u2019s critical for people to keep their contact points \u2014 like their email or phone numbers \u2014 secure and up to date to prevent one of the leading drivers of account compromise.<\/span><\/p>\n<h2>Applying Adversarial Design to Account Security<\/h2>\n<p><span style=\"font-weight: 400\">Since sharing <\/span><a href=\"https:\/\/s21.q4cdn.com\/399680738\/files\/doc_financials\/2021\/Q1\/FB-Q1-2021-Earnings-Call-Transcript.pdf\"><span style=\"font-weight: 400\">our plans<\/span><\/a><span style=\"font-weight: 400\"> last year to expand our support efforts, we\u2019ve continued to stress-test our account security and support systems to understand how bad actors might try to game them. 
This space is highly adversarial, which means we\u2019re constantly thinking about how our products and our support channels may get abused; we have to keep evolving our defenses and processes in response to malicious actors trying to work around them.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This is always a tricky balance because if we tighten account security controls too much, innocent people will have a harder time using and recovering their accounts. If we are too loose with controls, bad actors will have an easier time abusing our systems to compromise people. In fact, we regularly see threat actors target the very systems we put in place to protect people, trying to get accounts taken down.<\/span><\/p>\n<p><span style=\"font-weight: 400\">As an example of these types of controls in our account recovery support, we use a variety of signals and verification challenges to help detect suspicious activity and validate legitimate access attempts. These challenges may range from requesting a copy of a person\u2019s ID to confirming a code sent to a device that has previously logged into the account.<\/span><\/p>\n<h2>Taking a Closer Look at Contact Points<\/h2>\n<p><span style=\"font-weight: 400\">Once an account recovery request is verified, platforms like ours rely on contact points \u2014 like an email address or phone number \u2014 listed in someone\u2019s account settings as the primary channel to deliver support, like password reset links. Our research shows <\/span><span style=\"font-weight: 400\">that <\/span><span style=\"font-weight: 400\">people are two times more likely to recover their Facebook account if their contact points are up to date so we can reach them.<\/span><\/p>\n<p><span style=\"font-weight: 400\">However, people might lose access to an old email inbox or they may switch phone numbers \u2014 this is a challenge that is recognized across our industry. 
We\u2019ve also seen threat actors target those contact points to gain broad access to someone\u2019s online accounts by using <\/span><span style=\"font-weight: 400\">them to reset the passwords for other connected accounts \u2013 banking, social media, and others. In fact, when looking at compromised Facebook accounts, we find that one in four began with a person\u2019s contact point being taken over.<\/span><\/p>\n<h2>Product and Support Updates<\/h2>\n<p><span style=\"font-weight: 400\">Our work to help people stay safe and in control of their accounts is two-fold. First, to prevent account compromise, we build systems and help people learn how to identify potentially suspicious activity across the internet. Second, to help people who experience access issues, we continue to improve our support offerings.\u00a0<\/span><\/p>\n<h2>Contact Point Support<\/h2>\n<p>We\u2019ve built additional ways for people to get back into their accounts when they no longer have access to linked contact points. For instance, in certain cases, people can use recently removed contact points to recover access. 
As a result, this year we\u2019ve helped eight times more people a day on average get back into their Facebook account than last year when they don\u2019t have access to their listed contact points.\u00a0We\u2019re also running global in-app prompts across Facebook reminding people to confirm their contact points and exploring alternative ways to confirm people\u2019s identity during the account recovery process on Instagram, including\u00a0using their friend network.<\/p>\n<h2>Phishing and Malware Protection<span style=\"font-weight: 400\">\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">To help people stay safe across our apps, we\u2019re continuing to roll out protections and educational initiatives:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><b>Protections against malicious links:<\/b><span style=\"font-weight: 400\"> We know that threat actors often target groups like journalists, activists, political campaigns and businesses (among others) by sending them phishing links or malware. One measure we\u2019ve rolled out to protect against this on Messenger uses our automated systems to direct suspicious messages if they are sent by unconnected users. As with many of our security measures, we\u2019ll use our learnings to inform our broader strategy to protect people.<\/span><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/about.instagram.com\/blog\/announcements\/continuing-to-keep-instagram-safe-and-secure\"><b>Instagram imposter alerts<\/b><\/a><span style=\"font-weight: 400\">: <\/span><span style=\"font-weight: 400\">We remove Instagram accounts that our automated systems find to be malicious, including ones that impersonate others. <\/span><span style=\"font-weight: 400\">But because bad actors may not immediately use accounts maliciously, we\u2019re now testing sending warnings if an account that we suspect may be impersonating someone requests to follow them. 
In the coming months, we\u2019ll also send warnings if an account that may be impersonating a business sends you a Direct Message.<\/span><\/li>\n<li style=\"font-weight: 400\"><b><a href=\"https:\/\/about.instagram.com\/blog\/announcements\/continuing-to-keep-instagram-safe-and-secure\">Increased Instagram verified badge visibility<\/a>: <\/b><span style=\"font-weight: 400\">We\u2019re also expanding where the verified badge shows up on Instagram to make it visible in more places, including Stories and Direct Messages, to help people confirm that the accounts they\u2019re interacting with are authentic and verified.<\/span><span style=\"font-weight: 400\">\u00a0<\/span><\/li>\n<\/ul>\n<h2>Live Chat Support Test<\/h2>\n<p><span style=\"font-weight: 400\">While our scaled account recovery tools aim at supporting the majority of account access issues, we know that there are groups of people that could benefit from additional, human-driven support. This year, we\u2019ve carefully grown a small test of a live chat support feature on Facebook, and we\u2019re beginning to see positive results. <\/span><span style=\"font-weight: 400\">For example, during the month of October we offered our live chat support option to over a million people in nine countries and we\u2019re now planning to expand this test to more than 30 countries around the world.<\/span><\/p>\n<h2>Instagram Account Access Support<\/h2>\n<p><span style=\"font-weight: 400\">We\u2019ve launched <\/span><a href=\"https:\/\/www.instagram.com\/hacked\/\"><span style=\"font-weight: 400\">instagram.com\/hacked<\/span><\/a><span style=\"font-weight: 400\"> to help people to report and resolve account access issues. 
We\u2019ve also rolled out a way for people to <\/span><a href=\"https:\/\/about.instagram.com\/blog\/announcements\/continuing-to-keep-instagram-safe-and-secure\"><span style=\"font-weight: 400\">ask their friends to confirm their identity<\/span><\/a><span style=\"font-weight: 400\"> in order to help regain access to their Instagram account.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We welcome feedback from the research community and our industry peers as we all navigate balancing these various tensions in protecting people and deterring bad actors.<\/span><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/about.fb.com\/news\/2022\/12\/designing-account-security-across-our-apps\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we close out this year, we\u2019re sharing a number of updates on our work to protect people around the world against various threats. 
We know account security and recovery are top of mind for people, so today we are sharing a behind-the-scenes look at some of the tensions that companies like ours navigate in [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":12244,"comment_status":"","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[123],"tags":[],"class_list":["post-12243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-facebook"],"_links":{"self":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/12243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/comments?post=12243"}],"version-history":[{"count":0,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/12243\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media\/12244"}],"wp:attachment":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media?parent=12243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/categories?post=12243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/tags?post=12243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}