Cracking the Code: Uncovering Varied User Perspectives on Account Security
Biplab Roy
Senior Cyber Security Engineer @ IKEA | CISSP | Cybersecurity Consulting | Security Architect | Security Operations/Engineering | Cloud Security | GRC | 10 years of experience leading high-impact IT Security engagements.
This article discusses the perception gap between users' perceived most valuable accounts (email and social networks) and the ones they believe require the highest level of protection (online banking). This disconnect in perception is concerning, as it could result in users allocating their limited security resources towards the wrong type of accounts. In the long run, this perception gap could also impede the development of standardized two-factor technologies, given that most online banking services currently depend on proprietary two-factor systems.
Understanding how users perceive account value and security is a complex issue that requires extensive research. To begin exploring this topic, this post examines the outcomes of two consumer surveys conducted in the past few months, providing initial insights into the following three key questions:
Before answering these questions, it is crucial to briefly examine the present state of two-factor authentication to understand why a perception gap is not only harmful to users but also to the long-term sustainability of the account security ecosystem. For those interested in exploring this topic further, I have provided a comprehensive analysis of the current state of two-factor authentication.
Enabling two-factor authentication to enhance online account security comes with increased friction and higher costs. For instance, using an SMS message or OTP as the second factor necessitates checking one's phone before being able to log in. On the other hand, security keys are still relatively expensive and are yet to be widely adopted. Consequently, it is unsurprising that users are hesitant to go through the additional steps and often forego using two-factor authentication. As evidence of this reluctance, less than 10% of active Gmail users had enabled two-factor authentication.
Until standard second-factor solutions become ubiquitous, online services that rely on custom second-factor solutions and those that rely on standard ones are competing for the same limited amount of friction users are willing to tolerate, which turns security adoption into a zero-sum game. To ensure that online account security is heading in the right direction, it is important to understand user perceptions and dispel any potential misunderstandings in the tech community.
This post will focus on measuring user perceptions and highlighting the disconnect that exists between which accounts users deem important and those they think they should protect. Unfortunately, as we will see, there is a significant disconnect between what users value and what they believe they should protect.
By helping users focus on protecting their most important accounts, we can also push towards standardization, as most services that offer what users consider their most valuable accounts already use second-factor standards. That long-term benefit is, admittedly, a spoiler for where this post ends up.
To establish a baseline for which types of online accounts users should secure first, it's important to consider the potential impact of a hack on a user's life. Email accounts are widely considered to be the most valuable online accounts, as they are used to exchange sensitive information with banks, healthcare providers, and various online services. Additionally, email accounts are often used as recovery mechanisms for other online accounts, so if an email account is compromised, other accounts can fall like dominoes.
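The domino argument above can be made concrete. The following is an added illustration, not code from the article: it models password-recovery links between accounts as a directed graph (constructed sample data, with hypothetical account names), computes which accounts an attacker who controls a given account can take over transitively, and uses that "blast radius" to decide where a limited two-factor budget should go first.

```python
"""Rank online accounts by blast radius through recovery dependencies.

Added illustration, not part of the original article. The account names and
recovery links below are constructed sample data: an edge A -> B means
"account B sends its password-reset link or code to account A", so whoever
owns A can take over B.
"""
from collections import deque

# Constructed sample recovery graph (hypothetical accounts).
RECOVERY_GRAPH = {
    "personal_email": ["bank", "social_network", "online_store", "cloud_storage"],
    "cloud_storage": ["photos"],
    "social_network": ["gaming"],
    "bank": [],
    "online_store": [],
    "gaming": [],
    "photos": [],
}


def compromise_reach(graph, start):
    """Return the set of accounts reachable from `start` by following
    recovery links transitively (breadth-first; `start` itself excluded)."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # a cycle back to the start is not a new takeover
    return seen


def rank_by_blast_radius(graph):
    """Return [(account, reach_count)] sorted by descending reach, then name."""
    nodes = set(graph) | {t for targets in graph.values() for t in targets}
    ranking = [(n, len(compromise_reach(graph, n))) for n in nodes]
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking


def protection_priority(graph, budget):
    """Greedily pick up to `budget` accounts to harden with a second factor.

    Hardening an account is modelled as cutting its outgoing recovery edges:
    an attacker who phishes that password can no longer reset the accounts
    that recover through it. Recompute the ranking after each choice.
    """
    working = {k: list(v) for k, v in graph.items()}
    chosen = []
    for _ in range(budget):
        top, reach = rank_by_blast_radius(working)[0]
        if reach == 0:
            break  # nothing left that cascades; stop spending budget
        chosen.append(top)
        working[top] = []
    return chosen


if __name__ == "__main__":
    for account, reach in rank_by_blast_radius(RECOVERY_GRAPH):
        print(f"{account:15} can cascade into {reach} other account(s)")
    print("Protect first:", protection_priority(RECOVERY_GRAPH, 2))
```

Run on the sample graph, the email account cascades into every other account, while the bank account cascades into none: losing it is painful but it does not unlock anything else, which is exactly the distinction the survey results later show users getting backwards. The greedy pass is a simple heuristic; it is enough to show that an honest inventory of which accounts recover through which is what should drive the order in which a user turns on a second factor.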
There have been several high-profile cases that underscore the importance of securing email accounts. For example, in 2014, it was revealed during a trial that Hunter Moore contracted hackers to break into email accounts and post private nude photos on his infamous revenge porn site, IsAnyoneUP. In 2016, Russian hackers were able to break into the Democratic Party's email accounts, leading to one of the most disruptive events of the US election campaign when WikiLeaks released the hacked emails.
Furthermore, email accounts are now more valuable than ever, as they are often the gateway to additional services used to store personal information, such as Apple iCloud, Microsoft, and Google accounts. The 2014 iCloud hack, known as the Fappening, had significant consequences for the celebrities whose intimate videos and photos were leaked online. Despite the eventual backlash against the over-mediatization of the hack, the damage had already been done.
The chart above reveals some interesting findings. A significant 37.8% of US internet users value their email accounts the most, followed by 28.5% who prioritize online banking accounts. Surprisingly, only 18.5% find social network accounts the most valuable. The remaining ~15% consider online store, gaming, and other accounts as their top priority.
These results are promising, with 66.3% correctly identifying their most valuable accounts. The higher emphasis on online bank accounts may be attributed to intensive marketing efforts by banks to promote account security.
Protecting social media accounts is crucial, as they often contain sensitive information, including photos and private messages, similar to email accounts. However, what sets them apart is the risk of hackers weaponizing them to spread fake news and cause public embarrassment by posting on behalf of the hacked user.
The consequences of social media account compromise can be severe. In 2013, the Associated Press's Twitter account was hacked, resulting in false news being spread that the White House had been bombed and Obama injured. This caused a panic and a brief stock market plunge, wiping $136.5bn off stocks, according to Reuters.
While protection of banking, online shopping, and gaming accounts is still necessary, these accounts pose less of a security threat compared to email or social media accounts when hacked because of the limited personal information stored in them and the possibility of reverting most electronic transactions without consequences. For more information on the risks of having one's bank account hacked, the Consumerism Commentary provides a comprehensive article.
Users' perception of the most valuable accounts generally matches reality. However, when it comes to deciding which accounts should receive the highest level of protection, their judgment is way off. As depicted in the chart above, a large number of users feel that their online bank accounts require the most protection. This disconnect between the accounts that should be most secure and the accounts with the highest value is a cause for concern. It implies that people may be putting their security efforts into the wrong types of accounts.
This post highlights the disparity between users' perceptions of the value and security of their accounts and the actual level of protection required. It is crucial for us as a community to identify the root causes of this discrepancy and take steps to minimize it, encouraging users to prioritize securing their most important accounts. One way to begin this process is by promoting the use of standardized two-factor authentication and security keys when discussing account security. Thank you for reading this blog post. Please share it with your friends and colleagues to help spread awareness about account security.