Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/2/2013
02:31 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Turns Friends Into IT Support

Facebook's new Trusted Contacts option lets friends assist with account recovery, so Facebook personnel don't have to.

Microsoft Surface: Round Two
10 Ways Microsoft Could Improve Surface Tablet
(click image for larger view and for slideshow)
Just as companies have warmed to the financial benefits of employee-supplied devices and have embraced the rent savings of offices that are open but smaller under the pretense of promoting interaction, Facebook has recognized the economic and security promise of deputizing users to provide customer support.

The social network, ever keen to increase user engagement, wants you to designate friends as Trusted Contacts who can restore access to your Facebook account "if you ever have trouble logging in." Don't call us, call a friend.

Why might you have trouble logging in? Facebook doesn't say. A hacked account is one possibility, but presumably anyone who hijacks your account could alter your Trusted Contact list. And Facebook maintains a separate account reset process for hacked accounts, at facebook.com/hacked.

[ Wondering what it's like to wear Google's new high-tech glasses? Read Google Glass: First Impressions. ]

The most common scenario for resorting to Trusted Contacts is a forgotten password. This could be a relatively frequent occurrence, given that Facebook tends to keep users logged in, thereby obviating the need to type one's password and making it easier to forget.

Account recovery processes, however, have a long history of insecurity. For example, in 2008, the Yahoo Mail account of then vice presidential candidate Sarah Palin was hacked when a University of Tennessee student reset the account password by answering what turned out to be obvious password recovery questions. The following year, Yahoo Mail's account recovery process was abused again to gain control over a Twitter administrative account.

A Facebook spokeswoman in an email said that there are also occasions when users lose access to the email account through which they log in to Facebook.

Facebook in a blog post suggests that the Trusted Contact account recovery process represents an improvement on answering security questions. "With trusted contacts, there's no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are," the company says. "You can recover your account with help from your friends."

There's another security benefit too: Account compromises often occur as a result of social engineering attacks. While customer service personnel can be tricked into revealing personal information by people posing as account holders, friends presumably are less likely to be duped by an imposter soliciting sensitive data.

With Trusted Contacts, Facebook support personnel can expect fewer emails from users who can't log in to get their their social fix. What's more, Trusted Contacts could create a user retention halo effect: Users will probably be less likely to drift away from Facebook when their friends have entrusted them with the keys to their accounts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
5/6/2013 | 12:41:24 PM
re: Facebook Turns Friends Into IT Support
It sounds like a manipulative trick Facebook is playing if the company really is thinking that Trusted Contacts would create a scenario in which users would be "less likely to drift away
from Facebook when their friends have entrusted them with the keys to
their account."

Then again, I think most users would be wary of providing even their "trusted contacts" with access to their accounts. On a small level, think of the possibility of someone posting an obscene status update on your behalf. On a larger level, it could possibly tie you to the site for a long time.

My reaction is to avoid it. I have survived many years without needing to add Trusted Contacts to my account, so I think I will do without them in the future.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...