Online security measures must keep pace with user expectation
09 September, 2016
category: Biometrics, Corporate, Digital ID, Financial
Neil Costigan, CEO BehavioSec
This year, for the first time, the annual Crime Survey of England and Wales has addressed the question of online fraud and cyber offenses. This acknowledges the scale of the problem, and records harmful attacks such as phishing, identity theft, hacking and online harassment alongside criminal damage such as burglaries, violence and theft. The figures show that fraud has now even overtaken more “traditional” crimes, to become the most prevalent offense in the country, with nearly 6 million fraud and cybercrimes committed last year.
While it’s easy to see why and how we should protect our physical belongings – closing windows and double locking doors before we leave the house, keeping valuables tucked into zipped bags in busy crowds – protecting ourselves against online fraud can feel a little less tangible.
There is no shortage of guidance on best-practice password management and online security – we should avoid re-using passwords, steer clear of basing them on personal information, and change them regularly. The problem is that they then become near impossible to remember. The average user has an estimated 90 accounts! With so much to remember, we have a tendency to write them down and stick them on post-its on our screen, or – even worse – in our wallets. From a security standpoint, the password itself is not the problem. It’s the reliance on a single point of verification that is only as strong as the user’s ability to remember, and desire to safeguard, that information.
The quest for convenience is another major factor in how we behave online with regards to security. The Internet enables us to access goods and services from across the globe, at the touch or swipe of a button. We are an “on the go” society, demanding instant and streamlined access to the sites that let us shop, date, network, and view content online.
In a recent survey looking into the behavior of 2,000 consumers, we found that 37% have shared online login details with a friend or partner. Data we are likely to share includes email passwords, mobile PINs, social media login details, digital media account log-ins such as for Netflix or Spotify, and even online banking details. Of this group, 16% say they shared this information as it was more convenient than inputting the data themselves at the time. This figure rises to 35% for the “on demand” generation of 18-24 year olds. Meanwhile, just 29% of us always choose to log out when given the option to ‘stay logged-in’ online.
It’s not that we don’t value our online identities. According to our research, 90% of us say we would feel “upset” if a stranger gained access to our digital data. This stems beyond the fear and practical implications of losing money, to fear of personal embarrassment if our social selves are hacked or invaded. However, when it comes to convenience versus security, convenience is often the winner. We’re not prepared to jump multiple authentication hurdles at the expense of a streamlined user experience – particularly if these hurdles seem disproportionate to the level of risk at stake.
With this in mind, it’s no longer practical to place the burden of responsibility on the consumer when it comes to safeguarding our online identities. Strong security should not rely on introducing an extra layer of complexity, specific expertise, or access to certain software.
One of the solutions we have seen to address the need for seamless user interactions is using social media providers as identity providers – for example, Log-in with Facebook. This meets the immediate need for convenience, but it brings additional security considerations. Passwords and credentials are nearly always cached, and are often as simple as users can get away with. Security barriers must be appropriate for the level of risk at stake. A login and password might be considered appropriate to access a profile, but it’s not necessarily appropriate to use the same level of security to authorize a payment.
This new landscape, and increasingly sophisticated hackers, highlights the need for a new approach to authentication. Rather than putting the onus on consumers to safeguard their authentication details, digital services need to keep pace with the way that people really use their devices. If service providers are selling consumers convenience and always-on availability, then they need to take on the bulk of the security burden themselves.
Behavioral biometrics is an example of new-era security that fits the reality of how we operate online. By analyzing our unique behavior, including the angle at which we hold our devices and our typing speed and pressure, this technology can verify that a person is who they say they are not just at the point of login, but throughout the duration of the session. An outsider may have the authentication details of the legitimate user, but the machine-learning model can recognize that they display different behavior – marking them as an impostor. Rather than continually citing consumers as part of the problem, it’s time to make our unique online behavior part of the solution.
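As an added illustration of the two ideas above (risk-appropriate barriers per action, and behavioral scoring that continues throughout a session), here is a small continuous-authentication scorer. It is example code written for this page, not BehavioSec's product; the enrolled profile, the session events, the features and the per-action thresholds are all constructed assumptions.

```python
"""Continuous behavioural scoring of a session against an enrolled profile."""
from statistics import mean, stdev

# Assumed features: keystroke flight time, key hold time, touch pressure.
FEATURES = ("flight_ms", "hold_ms", "pressure")

# Constructed enrollment samples for the legitimate user.
ENROLLMENT_SAMPLES = [
    {"flight_ms": 110, "hold_ms": 85, "pressure": 0.45},
    {"flight_ms": 120, "hold_ms": 90, "pressure": 0.50},
    {"flight_ms": 130, "hold_ms": 95, "pressure": 0.55},
    {"flight_ms": 115, "hold_ms": 88, "pressure": 0.48},
    {"flight_ms": 125, "hold_ms": 92, "pressure": 0.52},
]

# Constructed session: five events typed by the enrolled user, then five by
# someone else who has the password but types slower and presses harder.
SESSION_EVENTS = [{"flight_ms": 120, "hold_ms": 90, "pressure": 0.5}] * 5 + \
                 [{"flight_ms": 200, "hold_ms": 130, "pressure": 0.8}] * 5

# Assumed risk tolerance per action: viewing a profile tolerates far more
# deviation than authorising a payment (the page's "level of risk at stake").
ACTION_THRESHOLD = {"view_profile": 3.0, "authorize_payment": 1.0}


def enroll(samples):
    """Build a profile of (mean, std) per feature; floor std to avoid div-by-zero."""
    return {f: (mean(s[f] for s in samples), max(stdev(s[f] for s in samples), 1e-6))
            for f in FEATURES}


def event_deviation(profile, event):
    """Mean absolute z-score of one event across all features (0 = matches profile)."""
    return mean(abs(event[f] - mu) / sd for f, (mu, sd) in profile.items())


def score_session(profile, events, decay=0.8):
    """Exponentially weighted running deviation, one score per event.

    The decay keeps a few matching events from erasing a sustained mismatch,
    so the score tracks *who is at the keyboard now*, not only who logged in."""
    risk, scores = 0.0, []
    for event in events:
        risk = decay * risk + (1 - decay) * event_deviation(profile, event)
        scores.append(risk)
    return scores


def decide(action, risk):
    """'allow' the action, or 'step_up' to demand an extra factor for it."""
    return "allow" if risk <= ACTION_THRESHOLD[action] else "step_up"
```

Run over the constructed session, the score stays near zero while the enrolled user types, then climbs once the second typist takes over, so a payment is challenged after one foreign event while merely viewing a profile is only challenged after the mismatch persists.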