It's time to stop blaming the user

Social engineering has become a huge ongoing problem and is the method behind many well-known attacks such as SIM swap, credential theft and phishing. With fraudsters now using many channels including phone calls, SMS and social media bots, social engineering is the technique that most quickly adapts and is currently the most effective. Most companies, by now, use sophisticated bot detection technology to catch automated bots posing as real people. The priority today is for companies to defend themselves from social engineering attacks by real people, that are well trained and can gain the trust of their customers.

Unfortunately, there is a history in the security industry of blaming the user for falling victim to social engineering attacks. Too often users are blamed for the growing volume of account takeovers and fraud losses by saying that users are to blame for giving their password to a fraudster, or because they didn't find a phone call or email suspicious. The user is blamed for helping the attacker.

This has to change! Users can’t be expected to be computer and security experts. The pandemic accelerated the adoption of internet services by people who were previously hesitant to manage their finances and shop online; in general, they are not computer experts but they are your customers. People use computers and mobile phones because they are convenient and make their life easier. The most successful companies of this time are the companies that provide users with devices and applications that made their lives easier. That's what the internet is for!

Yes, the internet made the lives easier for criminals too. Fraudsters are in business to scam people at scale, and buy and sell illegal products. In addition, they collaborate and share knowledge about attacks, which leads to well-trained and creative criminals that have a significant advantage over normal, everyday internet users.

Companies have been investing in education campaigns for their customers, but the reality is that most people don't have the time or interest to learn more. Unlike workforce authentication training, which is much easier to implement and measure, when it comes to consumer authentication, education investments are ineffective, especially if users are blamed when things don't go as expected.

So why don't we change our approach in the security industry and stop blaming the customer and start thinking about how they can be part of the solution? Smartphone manufacturers and software developers, led by Apple, have been changing the rules of the game by transforming data collection into an opt-in model, where users are choosing to be part of the equation. This certainly provides much more control to the users, who now can choose which data they will share for which purpose, instead of being forced to accept privacy terms they don't understand and don't want to read.

Up until now, when users are offered the option to add additional authentication factors, only a small minority opt-in. In 2018, less than 10% of Google's users had activated optional two-factor authentication (2FA), and, in 2020, less than 2.5% of Twitter users had one-time passwords (OTPs) activated. Most users selecting additional authentication options, choose OTP over SMS because it's more convenient, but SMS is far from being the most secure. The reality is that if people have to choose they will choose convenience over security, yet companies can now offer users the choice to have both.

A good example is what's happening in the mobile space. We have observed that more than 90% of the users opt-in i.e. choose to share location information when the use of the data is to both remove friction and increase security for their app experience. For instance, 94.5% of users at a major bank with more than 50 million users, 93% of users at a challenger bank with 2 million users and 92% of users of a food delivery app with 40 million users, opt-in to share their location.  

The difference is very clear: users will opt-in for more security when it is frictionless, and are happy to collaborate with their data if the App becomes more convenient and secure. In 12 months, after analyzing hundreds of millions of logins, zero users had their accounts taken over and avoided the associated financial losses and stress. A year after its first deployment, this technology authenticates more than 400 million people in more than 30 countries.

A new era of online security has started. We just have to stop blaming the user and make them part of the solution. Most users want to cooperate in securing their accounts since it is in their best interest, we just need to ask their permission to get their cooperation.