Protecting Account Takeover at Social Media Platforms – Is it Time for the Platforms to Embrace Strong Authentication?

Most people utilize social media for easier access to communication, information, entertainment, and e-commerce. A 2020 report from We Are Social, in partnership with Hootsuite, showed that more than 3.8 billion people are already using social media, with about 60% of the world’s population already online.

This increasing digital activity, however, is seen by criminals as an easy opportunity to commit fraudulent acts and other illegal schemes. RSA Security’s 2019 report showed a 43% increase in social media fraud over the past year. Moreover, McAfee’s recent report revealed that about 22% of online accounts had been hacked at least once, while about 14% of online accounts experienced a higher hacking frequency.

These incidents can destroy social media platforms’ reputation and result in distrust among consumers. Hence, they must employ stronger security measures to keep online accounts secure and mitigate threats.

 

Two Major Social Media Account Takeovers of the Year

Twitter and Reddit rank among the top 20 most used social media sites based on the number of active users globally. In mid-2020, these platforms suffered account takeover frauds used to spread disinformation.

On July 15, verified Twitter accounts of numerous public figures were reported to have been breached, linking them to cryptocurrency scams. Investigations on the incident suggested that the attackers used social engineering to infiltrate these accounts and post on their behalf. Hacked accounts can have their security settings, passwords, emails, and mobile numbers reset and replaced.

About three weeks later, Reddit was compromised by a similar account takeover tactic, which affected several subcommunities on the social media site.

Social networks that allow the creation of groups or subcommunities in their platform like Reddit do not provide administrators or moderators the ability to conduct deeper identity verification methods before accepting users into their groups. Administrators or moderators usually filter out users based on their ability to conform to their group’s rules.

In the Reddit takeover incident, hackers reportedly broke into subreddit moderators’ accounts and used the channels to spread pro-Trump messages across the platform. Fortunately, the issue was addressed quickly, and access by the rightful moderators to the affected subreddits was restored.

In August, Twitter experienced another fraud case. This incident tarnished the World Health Organization (WHO) when a verified account impersonating one of their top officials posted disinformation to worsen racism and vaccine issues in the U.S. The imposter account was denounced by the organization and has since been suspended by the social network.

Attackers circumvented the two social media sites’ current security measures to proliferate disinformation and conduct illicit activities via the platforms. With these major account takeover incidents, it is evident that social networks need to improve their security and identity authentication processes in order to maintain high trust in their platforms.

 

Current Social Media Authentication Processes

Social media sites have implemented some security measures to curb fraud and hacking incidents.

These networks often implement two-factor authentication (2FA) for account access, which typically uses a knowledge factor such as a password, coupled with a possession factor such as a code sent to the linked mobile number or registered email of the account.

These authentication factors, however, are weak on their own and not much better when combined. Further, they do not verify the person’s identity trying to access the account and can often be intercepted or stolen. If an account is compromised, hackers can carry out illicit activities on the platform on behalf of the real identity owner.

Sites also may employ some levels of account verification, especially for prominent figures, to mitigate impersonators spreading disinformation. A verified account may have a checkmark badge beside the username.

When users want to get verified on Twitter, they need to accomplish certain requirements, provide necessary credentials, and fill out a provided form. Verified accounts can be duped, especially with stolen data, and little may be done to confirm the user presenting those credentials is the rightful owner.

With these lapses in current social media authentication processes, the need for stronger identity verification and authentication methods becomes more imperative.

 

The Need for Stronger Identity Verification and Authentication

Mobile facial biometric identity verification combined with Multi-factor authentication (MFA) processes are ideal methods to ensure security on social media platforms.

By asking a new user to scan their identity credentials on their mobile phone and then matching those credentials to the user by comparing their selfie to the photo on the identity document can quickly increase certainty that the person is who they say they are. Automatic authentication of the identity document through third-party sources and algorithms can create an even higher trust that the rightful owner is signing up for a new account. By then binding that biometric identity with strong multi-factor authentication creates the highest level of accuracy and trust for a social media platform.

Adding a biometric third authentication factor to passwords as a replacement for verification codes that can easily be stolen creates an extra barrier against criminals trying to access social media accounts. Moreover, biometrics offer an authentication factor that also is convenient to use, and difficult to steal.

Inherence factors like facial biometrics can help social media networks mitigate fraud and account takeovers on their platforms while providing users a seamless authentication experience.

Implementing facial biometrics on account resets, account verification, and other social media activities can help these platforms determine the legitimacy of the identity trying to use these social media features. If the user is proven fraudulent, they will not be granted access to the social media account.

Moreover, mobile facial biometric authentication methods implement additional procedures such as active liveness detection to prevent cheating. Users may be asked to perform gestures only known at the time of authentication, like blinking or smiling. These steps only take a few seconds thus making identity authentication convenient.

 

Conclusion

Social media utility will keep increasing as more users become active on these platforms. However, criminals also are growing their fraudulent activities and often take advantage of social networks’ weaknesses.

Hackers can bypass poor security measures implemented by social media sites and conduct malicious activities under existing users’ identities.

Social networks can better secure their platforms to create greater consumer trust and improve their reputation by leveraging technology. MFA provides better security than 2FA, especially with a reliable and efficient solution like mobile facial biometrics.

Ipsidy’s ProofTM and Verified™ solutions provide facial biometric identity verification and multi-factor authentication with security features that efficiently verify an identity’s legitimacy across online and mobile platforms. With solutions like Proof and Verified, social media sites can mitigate identity impersonation and reduce account takeover frauds.

 

Schedule a demo with Ipsidy

Ipsidy Inc. is a provider of an Identity as a Service (IDaaS) platform that delivers a suite of secure, mobile, biometric identity solutions, available to any vertical, anywhere. With Ipsidy’s solutions, social media platforms can improve their authentication processes to curb data breach and account takeover. Contact Ipsidy today at +1 516 274 8700 or click here to schedule a demo.

 

 

Sources:

https://www.forbes.com/sites/louiscolumbus/2020/03/08/why-your-biometrics-are-your-best-password/#63cb0e4c6c01

https://searchsecurity.techtarget.com/feature/5-common-authentication-factors-to-know