More than 50% of consumers say they've been victimized by bad apps
Two-factor authentication could bolster security, but many don't know what it is or resist using it
By John P. Mello Jr.
June 28, 2013 — CSO — More than half of consumers have been victimized by malware or a computer virus and more than a third have been targeted by phishing emails.
Those were two of the findings in a survey released Thursday by Impermium, a maker of cloud security software.
Some 56% of more than 2,000 adult consumers told Impermium that they'd been a victim of a malware or virus attack on a computer, while 37% said they'd been targeted in a phishing attack and 20% revealed they'd been in the cross-hairs of social media phishers.
More than a quarter of the consumers (26%) said they'd had an online account compromised -- hacked, breached or passwords stolen.
Although many consumers have personally felt the pain of online threats, they remain reluctant to embrace two-factor authentication (2FA) to help secure their accounts, the researchers discovered. As commonly implemented by online service providers, 2FA requires the use of a code -- sent via SMS message or automated voice call -- in addition to a user name and password to access an account in certain circumstances.
Three quarters of those surveyed by Impermium said they'd never used 2FA. In addition, more than a quarter (27%) said they'd shied away from a website offering 2FA because they didn't want to disclose their mobile number or the process was inconvenient.
"Two-factor authentication has been held up as this magic panacea over the last few months and yet, it doesn't solve the problem, in part, because the adoption rates are so abysmally low," Impermium CEO and former Yahoo spam czar Mark Risher said in an interview.
The convenience factor is a big barrier to adoption, Risher added. "It's a real hassle. It's a real usability pain."
2FA's appeal might be improved by offering methods for delivering codes other than SMS messages, but that can have additional security consequences. "More choices would increase adoption," Risher said, "but choices, too, can be a hassle for innocent users and can be circumvented by the bad guys."
What's more, he added, "The more choices, the more options the bad guys have."
Both human nature and commercial concerns are currently working against broad adoption of 2FA. "[H]umans seem to have a tendency to do minimal work," AlienVault lab manager Jaime Blasco said in an email. "That means if they have to perform two different tasks to login to a site, they probably won't."
Meanwhile, online vendors are concerned that boosting authentication requirements will lead to abandoned shopping carts and lost purchases. "Vendors want a seamless purchasing experience," Eset senior researcher Cameron Camp explained in an interview.
"If a one-click experience becomes one-click plus something else plus something else, it can affect impulse purchases," Camp observed. For example, you might go to Amazon to buy a book and leave with a book, a CD and gym shoes. That might not be the case if additional authentication were required for each purchase.
A deeper issue uncovered by the Impermium survey that could affect any online authentication scheme going forward is trust. In addition to not trusting online sites with their cell phone numbers, 39% of the participants in the poll blame websites for account compromises.
"Four out of 10 people are saying we don't trust people doing things the right way from a back-end systems standpoint," Phil Dunkelberger, CEO of Nok Nok Labs, said in an interview.
Meanwhile, another 37% of the respondents tagged weak passwords and consumer gullibility as the primary cause of account breaches. "There's plenty of blame to go around," Dunkelberger said. "One area that can be blamed is the addiction to user names and passwords. They don't work for people, especially in mobile cases."
Moreover, consumers are becoming more skeptical of what online services are doing with their data, even when they say they need it for security reasons. "Users are beginning to push back against e-marketers and this, unfortunately, is a symptom of that," James Fenton, CSO of OneID, said in an interview.
Consumer attitudes toward trust and convenience will rapidly change as cyber criminals step up their game, contends Berk Veral, senior marketing manager for fraud action and cyber crime intelligence for RSA, the security division of EMC.
"It will reach a point, as consumers face sophisticated malware attacks, that giving up a mobile number to protect your email account isn't going to be an issue," Veral said in an interview. "It's going to be a no-brainer."
That can already be seen in one highly targeted area: mobile gaming. The makers of World of Warcraft have had "incredible success" converting users to 2FA, noted Richard Henderson, a researcher at Fortiguard Labs.
Not only is a free mobile app used for 2FA, but a paid hardware token is also offered. "In fact," Henderson said, "the paid hardware token has been very successful. People have shown a willingness to pay for that kind of solution."