Consumers are regularly painted as the ‘weak link’ in online security. Common areas for criticism include an inability to remember our passwords (or change them regularly), a failure to spot potential phishing scams, and a tendency to skip optional security barriers.
Nottingham Trent University conducted a study last year, revealing that the average UK consumer now picks up their mobile phone eighty-five times per day. We are mobile, we are connected, and we are impatient. We have become accustomed to being able to shop, bank, and contact friends on the move, and at the touch of a button. This expectation of convenience and instant gratification has an impact on our attitude towards online security. When it comes down to a tie between ease of use and safety, convenience often triumphs.
However, recent research we commissioned suggests that it’s not just laziness, or even indifference to the risks associated with operating online, that leads to this attitude. Working with web psychologist Nathalie Nahai, we uncovered some interesting discrepancies between our perceptions of what we’re doing to protect ourselves online, and the reality of the risks created by our always-connected lifestyles.
This quest for convenience is evident in the responses we see throughout the research. It reveals that just 29% of us choose to log out of a service when given the option to ‘stay logged-in’ online. This is particularly true amongst the 18-24 age group, with just 9% always choosing to log out. Meanwhile, 37% of us say we have shared login details with a friend or partner. In order of likelihood, these details include email passwords, mobile PINs, social media login details, digital media account login details (such as Netflix or Spotify), and even online banking details. Again, the convenience factor shines through most strongly in this younger age bracket, with 35% reporting that it was easier to give this data to someone else than for them to log in themselves at the time.
However, the data uncovers that 90% of us say we would feel ‘upset’ if a stranger gained access to our digital data, including online banking details and social media details. In fact, our attachment to our digital social identities is at times stronger than more practical personal online data – 10% of people say they would be more upset if a stranger gained access to their social media or online shopping accounts than if they were to gain access to their banking log-in details. From a psychological standpoint, our online social profiles have developed into an extension of ourselves. An invasion of these carefully cultivated versions of our lives has the potential to cause embarrassment and emotional damage – a loss of ‘social currency’ that perhaps feels more threatening than concrete financial loss.
However, there are much greater risks associated with the vulnerability of this personal data. These details might seem harmless on a standalone basis, but this information can be pieced together by sophisticated hackers to build up a detailed profile of an individual. This has the potential to lead to more specific identity theft or phishing attacks. Passwords, PINs and login details are all put in place to prevent outsiders from gaining access to our personal data, yet 12% of us believe this data would ‘not be valuable’ to anyone else. More than one in ten of us has taken a peek at our friends’ ‘logged-in’ online accounts, including email, Facebook and WhatsApp – without our friend’s permission. This might seem a small percentage, but it is this minority that helps to create security holes. Although we may trust that our close friend or relative would not launch a malicious attack on our digital identities, the more we share our authentication data, the more we leave ourselves vulnerable to hackers.
There is a clear flaw in the security processes involved with a number of our daily digital interactions. If the legitimate user has confirmed that they are who they say they are at point of login, imposters (friendly or otherwise) are able to pretend to be the legitimate user by gaining access during the session.
The ‘password’ problem isn’t that the security mechanism is broken. There are two key issues at stake. The first of these is that we are humans, and not encryption machines. We can only remember a certain number of letter and number combinations, so we repeat them, whether in a personal or business context. And secondly, as our research highlights, the way we use our devices and services isn’t always compatible with security best practice.
We know that sharing passwords is bad practice, but when we’re logging onto our laptop to watch TV, trying to transfer funds to a friend via online banking, and updating our Facebook status, our focus on security tends to slip. Digital service providers selling convenience and always-on availability must reassess their security practices, and be willing to take on more of the security burden themselves.
Behavioural biometrics is an example of ‘new era’ security, which fits around the reality of how we operate online. We choose to take security risks online in spite of cyber security education and guidelines, not because there is a lack of them. By analysing our unique behaviour, including the angle at which we hold our devices, our typing speed and pressure, this technology is able to identify whether the person is who they say they are throughout the duration of the session, not just at point of login. A hacker may have the correct authentication details, but the technology makes it possible to use the gesture-based and behavioural measurements to determine that this may be a suspicious user, and generate an alert. This extra, transparent security layer allows service providers to use our unique behaviours to make security into a continuous process, while maintaining the continuous access our always-on lifestyles now demand.
Dr. Neil Costigan, CEO BehavioSec