
Authentication Disconnect Between Sloppy Security and COVID-19 Fears

People don’t walk the walk according to new surveys

The COVID-19 pandemic outbreak has seen a huge uptick in cyber threats. But widespread lockdowns to combat the spread of the virus have simultaneously led to a massive increase in ecommerce. So what sort of security measures are everyday users prepared to trust, and are they right? Two recent surveys highlight a huge disconnect between the public’s authentication fears and their actions.

41% of Europeans were already concerned about the security of online payments before the pandemic, according to a Eurobarometer survey (Europeans’ attitudes towards cyber security – January 2020). Their fears will not have been allayed by news from the National Cyber Security Centre (NCSC), part of GCHQ in the UK, that cyber attacks are increasing.

“We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the Coronavirus outbreak,” explained Paul Chichester, Director of Operations at NCSC.

A new survey from Specops Software attempted to find out what form of authentication is most trusted by the public. The clear message is that people don’t trust biometrics for their day-to-day ecommerce and digital services interactions.

78% of those surveyed feel most comfortable using traditional passwords. Just 11% are comfortable using iris recognition or a retina scan. Only 42% of respondents were keen on fingerprint recognition and, surprisingly, just 31% were comfortable with facial recognition.

With facial recognition use increasing dramatically it is worth noting how many of those surveyed would prefer another method of authentication. The European Digital Rights group, EDRi, advises people to “ask the right questions about facial recognition.”

“Do you trust the owners of facial recognition systems (or indeed other types of biometric recognition and surveillance) whether public or private, to keep your data safe and to use it only for specific, legitimate and justifiable purposes?” suggests the NGO.

Using biometrics for authentication may well make life easier, and as it is contactless, potentially safer in a post-pandemic world, but users need to understand their options.

Millions are happy to use automated border control (ABC) systems or ePassport gates.  These terminals use facial recognition to authenticate travellers’ identity against their passport rather than a central database.

Yet nearly one in six people in the UK have attempted to spoof facial recognition systems themselves, according to new research published by iProov. This may be partly why those taking part in the Specops survey consider facial recognition to be untrustworthy.

The iProov figures show that 17% have attempted to access another person’s account or device by tricking the biometric facial recognition system with a photo or video of the owner. Younger people are more likely to attempt this – 32% of people aged 18-24 have tried. Men are also more likely to do this: 22% have done so, compared to 12% of women.

The report also highlights the big disconnect between fears and behaviour. The survey reveals that although many users are feeling more vulnerable to cyber threats as a result of the pandemic, they are not using secure authentication techniques. 82% of respondents said they fear the number of threats is increasing.

Despite this, 59% of respondents reuse their passwords across multiple websites and 10% use the same password for everything!

Other unsettling figures include: 50% of 18-24-year-olds share their passwords with others; 78% of 18-24s have used someone else’s password, 15% without permission; and 41% of people have shared their phone passwords with partners or family members.

Despite poor password security practices, people still prefer passwords to other methods. 26% of people said that ReCAPTCHA photo squares of bridges and traffic lights are the most annoying. However, younger people were more likely to prefer ReCAPTCHA photos to letters and numbers. Other options included ticking a box to prove you are not a robot, a one-time passcode via text message and a callback with a codeword. Only 12% thought no authentication would be annoying!

Businesses are apparently taking matters more seriously. Verification-as-a-Service provider, IDNow, has reported a dramatic increase in the total number of verification requests – up 26.8% since Europe started adopting social distancing measures at the end of February.

“The increasing demand for digital alternatives in the current situation are no surprise: When people do not have the possibility to visit a bank branch, digital solutions are needed more than ever,” said the company.

Meanwhile, the EU Agency for Cybersecurity, ENISA, issued advice for citizens to stay secure when buying online during the COVID-19 pandemic, which included: “If you need to set up an account with a supplier, use strong passwords that cannot easily be predicted and use a password manager. Avoid sharing personal information with persons you do not know on social media. Consider using privacy tools, such as anti-tracking and secure messaging tools, for your online and mobile protection.”

Other sensible advice includes:

  • Pay attention to the security seal of each website that you are browsing by looking for the green padlock in the address bar. This means in general that your connection is established over a secure channel.
  • Be suspicious of any e-mails asking you to check or renew your credentials, even if they seem to come from a trusted source. In all cases, try to verify the authenticity of the request through other means; do not click on suspicious links or open any suspicious attachments.
  • Check your online accounts and your bank statements regularly and report any suspicious activity to your bank. If you think you have been a victim of an attack, contact your bank.
  • If possible, activate two-factor authentication for payments.

ENISA’s advice may fall on deaf ears. If 41% of people really are sharing their passwords with others, how likely are they to set up 2-factor authentication? Plus ça change.