Cross-cultural examination finds new secondary authentication methods needed
Internet users are starting to wake up to digital security threats, but how they respond when their data is put at risk is largely unknown outside of theoretical scenarios.
According to Elissa Redmiles, a researcher studying how users feel when they are confronted with online malevolence, the majority of users still lack confidence that they can tell when a security incident has actually occurred.
“I don’t think we give users enough information,” Redmiles told The Daily Swig. “If they are unsure of what has happened, they’re unlikely to take defensive action.”
Redmiles has tried to peel back the process behind how users react to security incidents by looking at what actions they take when suspicious activity is flagged on their Facebook accounts.
If an account is thought to have been subject to a fraudulent login attempt, Facebook will prompt a user to enter a second form of authentication in order to regain access. This might involve clicking on a link sent to a pre-registered email address or similar.
“What do [users] think led up to that [incident], why do they think they saw it, and then what did they do afterwards?” Redmiles asked during her presentation at this week’s IEEE Symposium in San Francisco.
“People spend a lot of time trying to figure out what has happened.”
Cross-cultural responses to security incidents
Users living in India, Brazil, China, Vietnam, and the US who had experienced a suspicious login attempt were interviewed for the study in order to gain insight into cultural differences.
Factors such as internet penetration rate, privacy awareness, and online censorship were expected to play roles in how users reacted to being asked to establish their bona fides.
“One big difference between the countries was in information seeking,” Redmiles said.
“Non-western countries tended to seek out information from people that they knew, as opposed to turning to ‘help’ pages or a Google search to find out more about the security incident.”
For example, consumers in countries like Germany and the US searched the internet to figure out what might have happened on their own initiative. They were more willing to consider the possibility of a false alarm or the system being overly cautious because they’d logged in from a new location.
On the other hand, users in other countries were more inclined to think that they’d been hacked by the government or snooped on by a partner.
“People in Vietnam, for example, often said that the security incident was probably someone trying to hack into the account to get data that they could sell to the government,” Redmiles said.
Understanding the threat models that people from different cultures attribute to attackers is important so that appropriate defenses can be developed, particularly in the way users are meant to regain access to their accounts.
“In countries like Brazil and Vietnam, people were talking about someone they know trying to get into their accounts,” Redmiles said.
“And that’s not something that the threat models we talk about in research, or even the way we defend in industry, usually accommodates.”
Secondary authentication mechanisms that require a user to identify pictures of people they know in order to log back into their accounts provide no defense against an abusive partner, for instance, who would recognise those same people.
“Sometimes users brought up how they really liked that Facebook was looking out for them, but that it didn’t feel like the secondary authentication mechanisms really matched what they thought was going on,” Redmiles said.
A total of 67 people took part in the final study. Demographics and digital skill level varied little across cultures, and users exhibited certain cyber-savvy behaviors.
“Some participants actually went and checked that what they had received was a real notification of a suspicious login attempt,” Redmiles said.
“They were even suspicious of the notification itself and thought that it was possibly an [attempted] attack on their account.”
More research needed
The study calls for greater collaboration between platforms and users in order to develop customised models for account reauthentication.
“User education wise, I think there’s definitely room to put more information into these suspicious login flows,” Redmiles said.
“They [platforms] sort of tell you that there’s been a suspicious login, get you back in, and then that’s sort of the end of the story.”
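As an added illustration, not code from the study, from Facebook or from the researcher, the following Python sketches a suspicious-login flow built along the lines the article argues for: it tells the user what was flagged and why, suggests how to confirm the alert itself is genuine, lists benign and malicious explanations, and withholds social authentication (recognising friends' photos) when the user has indicated that the suspected intruder is someone they know. The `close_contact_threat` setting, the data classes and the sample login events are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    """One login attempt as a platform might record it (constructed sample)."""
    timestamp: str      # ISO-8601 string, constructed
    country: str
    device_id: str
    user_agent: str


@dataclass
class AccountHistory:
    """What the platform already knows about the legitimate owner (constructed)."""
    known_devices: frozenset
    known_countries: frozenset
    # Hypothetical user-chosen setting: "someone I know may be trying to get in".
    close_contact_threat: bool = False


def assess_login(event: LoginEvent, history: AccountHistory) -> list:
    """Return concrete, user-readable reasons a login looked suspicious.
    An empty list means nothing about the event stood out."""
    reasons = []
    if event.device_id not in history.known_devices:
        reasons.append(f"a device we have not seen before ({event.user_agent})")
    if event.country not in history.known_countries:
        reasons.append(f"a location you have not logged in from before ({event.country})")
    return reasons


def choose_reauth_methods(history: AccountHistory) -> list:
    """Pick second-factor options that fit the owner's stated threat model.
    Social authentication is withheld when the suspected attacker is someone
    who knows the owner, because that person would pass it as easily."""
    methods = ["one-time code sent to your registered email address",
               "code from your authenticator app"]
    if not history.close_contact_threat:
        methods.append("identify photos of your friends")
    return methods


def build_notification(event: LoginEvent, history: AccountHistory):
    """Assemble the message shown in the suspicious-login flow, or None when
    the login matched the owner's usual pattern. The message states what
    happened, why it was flagged, how to verify the alert, and what to do next."""
    reasons = assess_login(event, history)
    if not reasons:
        return None
    return {
        "summary": f"A login to your account was attempted at {event.timestamp} "
                   f"from {event.country}.",
        "flagged_because": reasons,
        "verify_this_alert": "Open the app and check Security settings directly; "
                             "do not follow links in messages you did not expect.",
        "possible_explanations": [
            "you logged in from a new device or place (false alarm)",
            "someone else has your password",
        ],
        "reauthentication_options": choose_reauth_methods(history),
        "after_regaining_access": ["change your password",
                                   "review and sign out unknown sessions"],
    }


# Constructed sample data, not taken from the study.
SAMPLE_HISTORY = AccountHistory(
    known_devices=frozenset({"dev-home-laptop", "dev-phone"}),
    known_countries=frozenset({"BR"}),
)
ROUTINE_LOGIN = LoginEvent("2019-05-21T08:00:00Z", "BR", "dev-phone", "Mobile app 1.0")
ODD_LOGIN = LoginEvent("2019-05-21T03:12:00Z", "US", "dev-unknown", "Desktop browser")

if __name__ == "__main__":
    import json
    print(json.dumps(build_notification(ODD_LOGIN, SAMPLE_HISTORY), indent=2))
```

The design point is that every item the user needs to reason about the incident (where, when, which device, and what the benign explanation would be) is carried in the notification itself, rather than left for the user to discover through help pages or friends; the threat-model flag only changes which re-authentication routes are offered, not whether the user is let back in.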
The IEEE Symposium on Security and Privacy continues this week in San Francisco. The Daily Swig will be back with more coverage over the coming days.