The problem with our grasp of cybersecurity isn’t so much that we remain dangerously illiterate — it’s that we think we know what we’re doing anyway.
The Pew Research Center was a little more diplomatic than that, though, in characterizing the findings of a new survey of Americans’ understanding of online security.
“Many Americans are unclear about some key cybersecurity topics, terms and concepts,” wrote Kenneth Olmstead and Aaron Smith in their introduction to “What the Public Knows About Cybersecurity.” But that misplaced confidence is probably what leads many internet users to make choices they believe make them more secure but, in reality, leave them as exposed as ever.
Passwords and privacy
The Pew report, based on an online survey done from June 17 to June 27 of 1,055 U.S. internet users aged 18 and up, found respondents were overwhelmingly in the know on just two points.
One is passwords. A full 75% correctly identified the most secure password out of four listed (“WTh!5Z”), while 17% said they weren’t sure if that was more resistant to being cracked or guessed than “into*48,” “Boat123” or that old favorite “123456.”
The survey did not, however, assess whether respondents actually refrained from using “123456” for any significant accounts.
The majority of survey respondents also knew about the security risks posed by public WiFi: 73% agreed that just having a network password-protected doesn’t make it safe for sensitive activities like online banking.
Unfortunately, only 33% knew that a web address beginning with “https” means that site encrypts data going between it and your computer, which should prevent people on the same network from spying on your traffic. And only 13% knew that virtual-private-network services, which route all of your internet traffic over an encrypted link, further improve your security on public WiFi.
Trouble with key concepts
The bad news continues throughout the survey. Only 54% correctly identified all three descriptions of a phishing attack designed to get you to enter your username and password at a phony site, and just 52% knew that disabling a smartphone’s GPS won’t stop tracking of its location.
Only 48% knew the definition of “ransomware,” malware that encrypts your data until you pay up to get it unlocked, while 46% knew that email isn’t encrypted by default (although an increasing number of mail services now employ “TLS” encryption to secure messages as they cross the internet) and 45% knew that not all wireless routers encrypt WiFi traffic by default.
The relative upside of those three findings? Correct answers still, barely, outnumbered “Not sure.” You can’t say that for the remaining survey questions.
For example, 39% of respondents knew that a browser’s “private browsing” mode doesn’t stop your internet provider from tracking your activity, while 49% weren’t sure and 12% thought it did.
That matters when the Federal Communications Commission just voted to block broadband-privacy regulations crafted under the Obama administration to stop internet providers from selling your browsing data to advertisers without your permission — and Republican senators are readying a bill to hit the “undo” button on that privacy rule.
The Pew study netted a majority of incorrect answers to only one question: 71% didn’t identify the one screenshot out of four showing two-step verification, also called “two-factor authentication.”
Only one in 10 respondents correctly chose the image showing a site requesting a one-time code sent to you to verify a login. The others thought an image of a CAPTCHA test (where you type in scrambled words to prove you’re not a robot), a security question or a previously-chosen security image represented two-step verification at work.
That result also exhibits a dangerous lack of comprehension — for which much of the blame has to go to companies that have advertised these other things as two-step verification. United Airlines (UAL), for instance, described last year’s addition of security questions to its login routine as “two-factor authentication.”
Setting up real two-step verification does involve a little work upfront (and can entail extra labor if you change phones or reset yours), but it’s the single best thing you can do to upgrade your security because it means an attacker with your password still can’t get into your accounts. Will you please enable that now for your email and Facebook (FB) accounts?
Looking in the mirror
It would be tempting to look over these sorry results — and what I’m afraid will be equally dismaying responses to the quiz Pew has set up to accompany this survey — and scoff at people who talk about “the cyber.”
But if people remain confused about basic ideas, it may be because glib and inaccurate news reports haven’t made them any smarter. Or technically accurate coverage hasn’t spelled out those core principles with sufficient clarity and instead left readers in the weeds.
I’d like to think that I haven’t been a part of the first problem, but I know that I have contributed to the second. I’ll try to do better.