You might think you’re secure online, yet chances are you’re really not.
The problem with our grasp of cybersecurity isn’t so much that we remain dangerously illiterate — it’s that we think we know what we’re doing anyway.
The Pew Research Center was a little more diplomatic than that, though, in characterizing the findings of a new survey of Americans’ understanding of online security.
“Many Americans are unclear about some key cybersecurity topics, terms and concepts,” wrote Kenneth Olmstead and Aaron Smith in their introduction to “What the Public Knows About Cybersecurity.” But it’s that thinking that probably leads many internet users to make choices that they think make them more secure, but, in reality, leave them as exposed as ever.
Passwords and privacy
The Pew report, based on an online survey done from June 17 to June 27 of 1,055 U.S. internet users aged 18 and up, found respondents were overwhelmingly in the know on just two points.
One is passwords. A full 75% correctly identified the most secure password out of four listed (“WTh!5Z”), while 17% said they weren’t sure if that was more resistant to being cracked or guessed than “into*48,” “Boat123” or that old favorite “123456.”
The survey did not, however, assess whether respondents actually refrained from using “123456” for any significant accounts.
The majority of survey respondents also knew about the security risks posed by public WiFi: 73% agreed that just having a network password-protected doesn’t make it safe for sensitive activities like online banking.
Unfortunately, only 33% knew that a web address beginning with “https” means that site encrypts data going between it and your computer, which should prevent people on the same network from spying on your traffic. And only 13% knew that virtual-private-network services, which route all of your internet traffic over an encrypted link, further improve your security on public WiFi.
Trouble with key concepts
The bad news continues throughout the survey. Only 54% correctly identified all three descriptions of a phishing attack designed to get you to enter your username and password at a phony site, and just 52% said disabling a smartphone’s GPS won’t stop tracking of its location, which is true.
Only 48% knew the definition of “ransomware,” malware that encrypts your data until you pay up to get it unlocked, while 46% knew that email isn’t encrypted by default (although an increasing number of mail services now employ “TLS” encryption to secure messages as they cross the internet) and 45% knew that not all wireless routers encrypt WiFi traffic by default.
The relative upside of those three findings? Correct answers still, barely, outnumbered “Not sure.” You can’t say that for the remaining survey questions.
For example, 39% of respondents knew that a browser’s “private browsing” mode doesn’t stop your internet provider from tracking your activity, while 49% weren’t sure and 12% thought it did.
That matters when the Federal Communications Commission just voted to block broadband-privacy regulations crafted under the Obama administration to stop internet providers from selling your browsing data to advertisers without your permission — and Republican senators are readying a bill to hit the “undo” button on that privacy rule.
The Pew study netted a majority of incorrect answers to only one question: 71% didn’t identify the one screenshot out of four showing two-step verification, also called “two-factor authentication.”
Only one in 10 respondents correctly chose the image showing a site requesting a one-time code sent to you to verify a login. The others thought an image of a CAPTCHA test (where you type in scrambled words to prove you’re not a robot), a security question or a previously-chosen security image represented two-step verification at work.
That explains why 52% of respondents in a previous Pew survey reported that they used two-step verification, a figure I found implausibly high at the time: They didn’t know what it was.
It also exhibits a dangerous lack of comprehension — for which much of the blame has to go to companies that have advertised these other things as two-step verification. United Airlines (UAL), for instance, described last year’s addition of security questions to its login routine as “two-factor authentication.”
Setting up real two-step verification does involve a little work upfront (and can entail extra labor if you change phones or reset yours), yet it’s the single best thing you can do to upgrade your security because it means an attacker with your password still can’t get into your accounts. Will you please enable that now for your email and Facebook (FB) accounts?
Looking in the mirror
It would be tempting to look over these sorry results — and what I’m afraid will be equally dismaying responses to the quiz Pew has set up to accompany this survey — and scoff at people who talk about “the cyber.”
But if people remain confused about basic ideas, it may be because glib and inaccurate news reports haven’t made them any smarter. Or technically accurate coverage hasn’t spelled out those core principles with sufficient clarity and instead left readers in the weeds.
I’d like to think that I haven’t been a part of the first problem, yet I know that I have contributed to the second. I’ll try to do better.
Email Rob at firstname.lastname@example.org; follow him on Twitter at @robpegoraro.