New research from Intercede reveals interesting insights into the way consumers behave online and highlights the continuing need for security education and awareness on a mass scale.
In its research, labelled The Rise of the Identity Centric Economy, Intercede discovered that users were engaging in risky behaviours such as auto-logins to apps and websites, as well as sharing device PIN codes with friends, family and co-workers. Unsurprisingly, to me at least, the research also discovered that passwords were being routinely shared too.
The survey, which polled 2,000 consumers, discovered that around 75% of respondents who use social media and email left themselves logged in on their mobile devices, potentially putting their data at risk should the device be stolen, or even just picked up and accessed for a short period of time. Mobile bankers and shoppers were alarmingly lax in their attitude to security too, with 45% leaving themselves logged into bank accounts, 46% asking Amazon to remember them, and 54% perpetually signed into PayPal.
Richard Parris, CEO of Intercede, said:
“Keeping your Facebook, Gmail, shopping and financial accounts automatically logged in might be convenient for consumers, but it’s leaving the back door wide open to hackers. Consumers are more wary about clicking ‘Remember me’ when it comes to online banking and financial apps, but cyber criminals don’t necessarily need access to your bank account or credit card details to commit identity theft.
There are plenty of rich pickings available in email and social media accounts too. Leaving yourself automatically logged in is like leaving the windows of your house wide open while you’re out – it’s time for a new generation of secure identity authentication.”
On the bright side, 53% of those questioned had protected their devices with a PIN, but that of course means almost half had not, which I find quite shocking. Of those who did employ a PIN, however, many were found to be sharing them, along with other passwords, with almost anyone in their circles, it seems. Twenty-eight percent of the surveyed consumers admitted that they knew a friend’s, family member’s or colleague’s mobile login credentials.
The survey also looked at the strength of the protection where it was used. The PINs found on phones are inherently weak, being just 4 digits long, but passwords don’t appear to add much based on the findings here – 60% of the respondents said they avoided the classic security faux pas of writing their passwords down (what about the other 40%? Eek!), but they didn’t use password managers, which may imply the widespread use of easy-to-remember gems such as “password1,” “password2,” et al.
Parris added that:
“As we live more and more of our lives online, all our various digital identities need to be effectively protected – worryingly, it appears that this is not the case at the moment. We need so many passwords today, for social networking, email, online banking and a whole host of other things, that it’s not surprising consumers are taking shortcuts with automatic log ins and easy to remember passwords. These solutions are increasingly not fit for purpose though – they do not offer proof of a person’s identity and are easily lost, stolen or hacked, leaving consumers at risk of identity theft. It’s time for stronger authentication and more sophisticated forms of identity.”
I guess the message to be taken from this survey is that the average consumer values convenience over security. Whilst those few seconds saved by not having to log in to an account do mount up, and the use and sharing of simple passwords can make life a little easier, both would pale into insignificance should the user ever find their accounts or devices compromised.
How can the security profession address such a mindset, do you think?