Pedantic
"...dramatic and persistent spike in account takeovers"
How can a spike be persistent...? Wouldn't it be a plateau?
I'll see myself out.
A group of 41 US state attorneys general, tired of serving as a customer complaint clearinghouse for Facebook and Instagram users, have sent a letter to Meta asking it to figure out how to reduce a "dramatic and persistent spike" in account takeovers. In a letter [PDF] dated March 5, the AGs said their offices have received …
...because all that is needed is to make account takeovers unprofitable for Antisocial Networks. That might be a step towards turning them into Social Networks again. However, as long as they can make money the easy way and avoid all obligation of protecting the people they use on a daily basis, this will continue to happen. At this rate we'll be lucky if it ever gets upgraded to a game of whack-a-mole.
FailBook and the other big ASNs are powerful enough not to need to give a toss. They don't care about users and accounts the same way powerful regimes don't have to care about human rights or international law.
Both WasteBook and the Xitter are plagued with rampant spammers and scammers so obvious that I could probably bash out some code in QBasic to flag at least half of it, even after 20 years away from coding. Their systems are perfectly capable of recognising the crud; they have no trouble "de-boosting" user content that displeases The Party™. Likewise they could flag accounts that have been taken over. For instance, when a ton of content gets deleted, a completely new person is in the profile pic, the writing style changes, and the pictures are obviously screencaps from grumble vids or show up on Google reverse image search and/or TinEye.
It's happened to several pages I follow. They were taken over by people who, for some reason, would just spam them with garbage "viral" videos until they died, meanwhile Facebook support is saying "huh, this WWII history page is suddenly posting dashcam videos. Well, I don't see a problem here, ticket closed."
Moving one's cell number when one changes providers is trivial in the US. Very few people change numbers to avoid a harasser. Most change numbers because they didn't pay their phone bill for some period of time, or are trying to avoid bill collectors, or some other dumb-ass reason.
It would not be an undue burden on cell phone companies to require numbers be deactivated for some amount of time, measured in years, before being recycled. These days, in the US, area codes are meaningless, so phone numbers really are 10 digits (not counting the 11th US country code digit, which is optional inside the US), so roughly 10 billion possible numeric combinations, most of which work as phone numbers. Mandatory delays in recycling phone numbers would benefit a lot more important things than Farcebook, like 2FA of bank accounts and such.
Or you could just 2FA using a 2FA app…
SMS isn’t secure. And there are some companies (Uber as an example) which you can log in completely just using an SMS OTP - which has my credit card on it…
The point being, multi layer security is supposed to be implemented with thought, not just to tick a tickbox.
Just to play devil's advocate for a minute here, what do the AGs want Facebook to do? If the account has its phone number reassigned and/or suffers from a credential stuffing attack, then what's happening is that the attacker is logging in using the valid user's password and with their 2FA code. How are they supposed to know that this isn't the user?
I'm sure they want Facebook to "find a solution", but aside from forcing mass adoption of Passkeys, I'm not sure what Facebook can do? (And then we get into the problems of re-educating the tech-illiterate masses as to what a passkey is and locking them into their current tech ecosystem...)
"I'm sure they want Facebook to "find a solution", but aside from forcing mass adoption of Passkeys, I'm not sure what Facebook can do? (And then we get into the problems of re-educating the tech-illiterate masses as to what a passkey is and locking them into their current tech ecosystem...)"
Systems to detect multiple changes to an account, changes in style, frequency of posting, etc. Then they'd need enough staff to review the borderline cases manually, and to deal with people contacting them where the changes were genuine. None of this is impossible, but it costs.
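The two posts above (the one listing mass deletion, a new profile picture and a change in writing style as takeover tells, and the reply proposing systems that detect multiple account changes and shifts in posting frequency) describe a heuristic that is easy to sketch in code. The following is an added example, not code from the original thread and not anything Meta runs: it scores a constructed account history against its own baseline. The event kinds, thresholds and weights are assumptions chosen for illustration, and the sample posts (a history page that suddenly starts posting dashcam spam) are constructed.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int
    kind: str          # assumed kinds: "post", "delete", "profile_pic", "phone", "email"
    text: str = ""     # post body, only used for kind == "post"


TOKEN = re.compile(r"[a-z']+")


def tokens(text):
    return TOKEN.findall(text.lower())


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two word-frequency vectors (0.0 if either is empty)."""
    if not a or not b:
        return 0.0
    dot = sum(a[w] * b[w] for w in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb)


def takeover_signals(events, baseline_days=30, window_days=7, flag_at=5):
    """Compare a recent window against the account's own baseline and score it.

    Signals (weights are illustrative assumptions, not a production model):
      +3  mass deletion: deletes in the window >= half the baseline post count
      +2  posting-rate spike: window posts/day >= 3x the baseline posts/day
      +1  per profile/contact change in the window (capped at 3)
      +3  style shift: vocabulary cosine similarity to baseline < 0.3
    """
    base = [e for e in events if e.day < baseline_days]
    win = [e for e in events if baseline_days <= e.day < baseline_days + window_days]
    base_posts = [e for e in base if e.kind == "post"]
    win_posts = [e for e in win if e.kind == "post"]

    deletes = sum(1 for e in win if e.kind == "delete")
    base_rate = len(base_posts) / baseline_days
    win_rate = len(win_posts) / window_days
    profile_changes = sum(1 for e in win if e.kind in ("profile_pic", "phone", "email"))
    base_vocab = Counter(w for e in base_posts for w in tokens(e.text))
    win_vocab = Counter(w for e in win_posts for w in tokens(e.text))
    style_sim = cosine(base_vocab, win_vocab)

    score = 0
    if base_posts and deletes >= 0.5 * len(base_posts):
        score += 3
    if base_rate > 0 and win_rate >= 3 * base_rate:
        score += 2
    score += min(profile_changes, 3)
    if len(win_posts) >= 3 and style_sim < 0.3:
        score += 3

    return {
        "deletes": deletes,
        "base_rate": base_rate,
        "window_rate": win_rate,
        "profile_changes": profile_changes,
        "style_similarity": style_sim,
        "score": score,
        "flagged": score >= flag_at,   # borderline cases would go to a human reviewer
    }


# Constructed sample data: a WWII history page before and after a hypothetical takeover.
HISTORY_POSTS = [
    "Armoured divisions at Kursk in July 1943 faced deep Soviet defences",
    "The Normandy landings relied on months of deception planning",
    "Logistics decided the desert campaign more than any single battle",
]
SPAM_POST = "dashcam crash compilation you need to watch this viral video"


def compromised_account():
    ev = [Event(d, "post", HISTORY_POSTS[d % 3]) for d in range(30)]
    ev += [Event(30, "profile_pic"), Event(30, "email")]        # new face, new contact
    ev += [Event(30, "delete") for _ in range(20)]              # old content purged
    ev += [Event(30 + d, "post", SPAM_POST) for d in range(7) for _ in range(5)]
    return ev


def benign_account():
    ev = [Event(d, "post", HISTORY_POSTS[d % 3]) for d in range(37)]
    ev.append(Event(32, "profile_pic"))                         # a genuine new photo
    return ev


if __name__ == "__main__":
    for name, acct in (("compromised", compromised_account()), ("benign", benign_account())):
        print(name, takeover_signals(acct))
```

The point the reply makes still holds: the benign account also changed its profile picture, and a single signal is not enough to act on. Only the combination of deletion, rate spike, contact change and vocabulary shift crosses the threshold here, and anything near the threshold is exactly the borderline case that needs a person to look at it.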