by ksk 2985 days ago
>Whenever you make the recovery process easier, you make it easier for attackers to "recover" victims' accounts.

Only if you define easier as 'badly designed process'.

> I had an attacker successfully social engineer a support person into changing the email associated with one of my videogame accounts which had some valuable items.

That is unfortunate, but why do you believe this will always be the case?

>So I prefer services to have difficult recovery.

Maybe this can be an opt-in for the more 'security-minded' minority. There is no reason to have the same process for every user. Both of the positions "Preventing attackers from getting my password is something I can do myself." and "Preventing attackers from "recovering" my account is not something I can do myself." rely on humans not making mistakes. We can improve on both (service & user) sides to reduce mistakes.


>Only if you define easier as 'badly designed process'.

I'd be interested to know what a good process is.

>That is unfortunate, but why do you believe this will always be the case?

I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.

Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:

https://www.youtube.com/watch?v=SstZAIxl8wk

https://www.youtube.com/watch?v=lc7scxvKQOo

It just takes a single slip-up and you lose, whereas attackers can just keep trying.

>Maybe this can be an opt-in for the more 'security-minded' minority.

Yeah, I agree it's a good idea. In fact that's what I've done on my primary Google account:

https://landing.google.com/advancedprotection/

But that implementation isn't perfect: it requires giving up some features and buying U2F keys. Preferably you could opt into exactly the protection you want, so you could get the recovery security without having to buy security keys, for example.

I agree there could be better implementations, but they would cost more. I think it's a three-way tradeoff between cost, easy recovery, and security. When I hear someone advocating for easier recovery without advocating for higher cost, I immediately think there will be a lowering of security.

>I'd be interested to know what a good process is.

IMHO, a good process would have several tiers, each being more manual, less automated, and more time consuming. The basic tier would be security questions, alternate email, SMS, 2FA, etc. The next tier could be establishing identity and would mean communicating with a real person. You can send a signed affidavit along with a government-issued ID and the person would verify it. Then they would have to establish that the account itself belongs to a specific person, and that that person is you. This can be done in various ways - billing address, CC info (if applicable to that service), etc. A more real answer would be dependent on the actual service and what information the service captures at signup, etc.

>I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.

Well, then that is a different argument and I'd agree that it takes time and money to get a good process in place.

But if you think about it, your logic can be applied to anything, right? I don't believe most (if any) software companies have enough profit motive to test their software for security bugs or hire people who have expertise in security.

>Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:

Yeah, that is an example of a bad process.

The cost of hiring security engineers and testing for security bugs is constant with regard to the number of users. Whether you have 1000 users or 1 billion users, your service has the same security if you spend the same amount on testing and engineers.

But the cost of human intervention in recovery increases linearly with the number of users.

I agree with your ideas for automation. But human intervention has problems.

One solution for human intervention is to charge a non-refundable fee for recovery. This has the advantage of discouraging attackers from trying to recover. The problem is I think this would cause bad PR for the companies. Now instead of blog posts saying "Google locked me out of my account" there would be blog posts saying "Google is charging me $20 to access my own account" or "Google is holding my account hostage for cash".