- It’s often said users are the weakest link in the security chain
- How true is this, who are *we* designing for?
- Human factors influence security
- Passwords are broken, each accounts requires a human remembers
- username
- password
- was the password reset recently
- what are the rules are the password
- For things for an account is easy to remember
- Each email is associated with, on average, 130 accounts.
- These four things are not easy to remember, 130 times.
- Users make it easy to remember
- This makes it easy for users to hack accounts.
- Hackers will cycle email addresses against common passwords (this also gets around lock-outs from excessive attempts)
- Two factor auth improves security for user, smart-phones make it 2FA easier than other physical tokens
- Security needs to be easier to deal with but not too easy
- SSL locks (or triangles or warnings) are not helping, users have tunnel vision and block the URL bar from the page.
- The security information should be timely, clear and relevant
- Chrome 36 and back had a timely and relevant SSL certificate warning that 63% of users would ignore and proceed to the untrusted sites, against the advice.
- Chrome’s team decided they needed to redesign the page, hide the option to proceed to the warning page
- The redesigned warning page reduced the number of people proceeding to 37%.
- The redesign made the secure course of action clear.
- 11% of people click through to 419 scams, they don’t know what they don’t know
- People don’t look for what they are not expecting.
- Some FT users fell for a phishing attempt
- The IT dept sent a link to users requesting they reset passwords.
- The emails were seen by the phishers, who sent their own version.
- The FT now uses 2FA globally. Savvy users fall for phishing too.
- Phishing can include paper, urgent invoices.
- Warnings aren’t a great help, people don’t notice the absence of warning.
Leave a Reply