
    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace have enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed that at least some of the problem may be that security mechanisms are hard to use, or ineffective. This review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness.

    Reporting on insights gained into UK citizens' perceptions of contactless card risks

    Contactless debit cards are widely used in the UK, and are slowly becoming popular in other countries as well. The feature that distinguishes these cards from regular ones is that they can be used without entering a PIN if the transaction amount is below a predetermined limit. This is undeniably convenient, but introduces a risk: cards could be lost or stolen, and the new holder could make purchases without providing a PIN. European banking regulations (PSD2) mandate that customers be fully refunded by their banks in these cases (as long as no negligence can be proven). While the law is clear regarding liability and citizens’ actual contactless card risks, we wanted to explore UK citizens’ perceptions in this respect. We conducted an online survey, specifically exploring the perceptions of liability, severity and likelihood of contactless card fraud. We discovered that participants’ risk perceptions were not aligned with their actual risk. In particular, most participants assumed that they themselves would be liable for any contested transactions. There are clear lessons to be learned – also valid for other EU countries – emphasising the need to ensure that consumers are aware of their rights in this respect.

    Considerations Regarding the Security and Protection of E-Banking Services Consumers’ Interests

    A significant number of breaches in the security of electronic banking (e-Banking) systems are reported each year, drawing attention to the need to protect and inform customers about the risk of exposure to malicious actions initiated by cyber-criminals. Financial institutions and consumers recognize the fact that attacks and financial frauds are becoming more complex and are perpetrated by a different class of criminal. This class is increasingly sophisticated and uses technology as part of its strategy. Furthermore, specialists forecast that the current global recession is likely to increase the frequency of internal fraud and security breaches. The present research tries: (1) to analyze the potential dangers threatening the security of e-Banking services through a comprehensive investigation of the relevant literature; (2) to identify the tools and methods that can ensure the consumers’ protection in E-Banking; (3) to present the results of a pilot study regarding the Romanian consumer perception of the protection and security related to E-Banking services.
    Keywords: E-Banking services, security, consumer protection, cyber-attack

    Psychological needs as motivators for security and privacy actions on smartphones

    Much work has been conducted to investigate the obstacles that keep users from using mitigations against security and privacy threats on smartphones. By contrast, we conducted in-depth interviews (N = 19) to explore users’ motivations for voluntarily applying security and privacy actions on smartphones. Our work focuses on analyzing intrinsic motivation in terms of psychological need fulfillment. The findings from the interview study provide first insights into the salience of basic psychological needs in the context of smartphone security and privacy. They illustrate how security and privacy actions on smartphones are motivated by a variety of psychological needs, only one of them being the need for Security. We further conducted an online survey (N = 70) in which we used questionnaires on psychological need fulfillment from the literature. The online survey is a first attempt to quantify psychological need fulfillment for security and privacy actions on smartphones. Whereas the results of the interview study indicate that Security and other needs play a role as motivators for employing security and privacy actions on smartphones, the online study does not support the need for Security as an outstanding motivator. Instead, in the online study, other needs such as Keeping the meaningful, Stimulation, Autonomy, and Competence prove to be rather salient as motivators for security and privacy actions. Furthermore, the mean need fulfillment for security and privacy actions is in general rather low in the online survey. We conclude that there is scope for improvement to maximize psychological need fulfillment with security and privacy actions. In order to achieve a positive user experience with security and privacy technologies on smartphones, we suggest addressing additional psychological needs, beyond the need for Security, in the design of such technologies.

    Password-less two-factor authentication using scannable barcodes on a mobile device

    Currently, passwords are the default method used to authenticate users. As hardware continues to advance in speed, breaking these passwords becomes easier. The traditional solution to this problem is ever-increasing password complexity and two-factor authentication. However, users become strained under overly complex login systems and often circumvent them. Two-factor authentication also adds to this complexity, and many forms of two-factor authentication are inherently insecure. In answer to these problems, this project proposes a password-less multi-factor authentication system, which leverages tried-and-proven existing technologies: asymmetric cryptography, digital signatures, and biometric authentication. Simulated user testing shows promising results, suggesting that registration can be completed in just over thirty seconds, and authentication in just over two seconds. An analysis of this project’s possible attack vectors, the preventative steps taken, and their solutions in potential future research are also discussed.

    Investigating User Authentication in the Context of Older Adults

    Knowledge-based authentication is almost ubiquitous due to its low cost and relatively straightforward implementation. Despite its popularity, there are some well-known problems associated with knowledge-based authentication, such as the cognitive load of memorising multiple codes. As people age and their memory declines, remembering multiple codes is even more challenging. Due to the lack of objective evidence regarding the performance of older adults with existing knowledge-based systems, a study was carried out where younger and older participants were required to learn and remember multiple PIN codes, and their performance was evaluated over a three-week period. The results from this PIN study demonstrated a clear age effect, where younger participants performed significantly more accurately and faster than the older participants. These results reiterated the need for authentication systems that are inclusive of older users and provided a benchmark performance measure for future evaluations. In the next phase, four graphical authentication systems (GAS) were evaluated with younger and older adults using the same methodology as the PIN study to determine whether any of them were an improvement. The first system, Tiles, was based on a single image: participants were required to recognise segments of their image from among segments taken from other images. It yielded disappointing results, where overall performance was not an improvement over that of PINs. The second and third systems tested were picture-based and face-based recognition systems. The performance of older participants was promising, especially with the face-based system, but the systems could be improved to be more suitable for older users. In the final study, the face-based system was improved by using old faces and ensuring that no two codes shared a face. The results from the final face-based system provide preliminary evidence that a graphical authentication system that is inclusive of older adults may be achievable if designed correctly.

    Account Recovery Methods for Two-Factor Authentication (2FA): An Exploratory Study

    System administrators have started to adopt two-factor authentication (2FA) to increase user account resistance to cyber-attacks. Systems with 2FA require users to verify their identity using a password and a second-factor authentication device to gain account access. This research found that 60% of users only enroll one second-factor device to their account. If a user’s second factor becomes unavailable, systems use different procedures to ensure that its authorized owner recovers the account. Account recovery is essentially a bypass of the system’s main security protocols and needs to be handled as an alternative authentication process (Loveless, 2018). The current research aimed to evaluate users’ perceived security for four 2FA account recovery methods. Using Renaud’s (2007) opportunistic equation, the present study determined that a fallback phone number recovery method provides user accounts with the most cyber-attack resistance, followed by system-generated recovery codes, a color grid pattern, and a graphical passcode. This study surveyed 103 participants about authentication knowledge, general risk perception aptitude, ability to correctly rank the recovery methods in terms of their attack resistance, and recovery method perceptions. Other survey inquiries related to previous 2FA, account recovery, and cybersecurity training experiences. Participants generally performed poorly when asked to rank the recovery methods by security strength. Results suggested that neither risk numeracy, authentication knowledge, nor cybersecurity familiarity impacted users’ ability to rank recovery methods by security strength. However, the majority of participants ranked either generated recovery codes (39%) or a fallback phone number (25%) as being most secure. The majority of participants (45%) preferred the fallback phone number for account recovery, 38% expect it will be the easiest to use, and 46% expect it to be the most memorable. However, users’ annotative descriptions of their recovery method preferences revealed that users are likely to disregard the setup instructions and use their own phone number instead of an emergency contact number. Overall, this exploratory study offers information that researchers and designers can deploy to improve users’ 2FA and 2FA account recovery experiences.

    Consumer-facing technology fraud: economics, attack methods and potential solutions

    The emerging use of modern technologies has not only benefited society but also attracted fraudsters and criminals who misuse the technology for financial benefit. Fraud over the Internet has increased dramatically, resulting in an annual loss of billions of dollars to customers and service providers worldwide. Much of this fraud directly impacts individuals, both in the case of browser-based and mobile-based Internet services, as well as when using traditional telephony services, either through landline phones or mobiles. It is important that users of the technology should be both informed about fraud and protected from it through fraud detection and prevention systems. In this paper, we present the anatomy of frauds for different consumer-facing technologies from three broad perspectives: we discuss Internet, mobile and traditional telecommunication from the perspectives of losses through frauds over the technology, fraud attack mechanisms, and systems used for detecting and preventing frauds. The paper also provides recommendations for securing emerging technologies from fraud and attacks.