People who think they’re tech-savvy are just kidding themselves: they’re actually 18% more likely to be hit by identity theft, according to a new study.
The study, from the online IT training company CBT Nuggets, derived its conclusions from a survey of 2,039 people after testing their knowledge about online information security.
Our attitudes to security practices matter if we want to keep from becoming a statistic. Unfortunately, at least in the US, our attitude toward infosec often amounts to “Pardon me, I really need to take a nap right now.”
When asked why they didn’t follow basic security recommendations, 40% of respondents said they were too lazy, found it to be too inconvenient, or they didn’t really care. In fact, only a smidgen of respondents – 3.7% – said they follow all of the basic security requirements…
…Which is weird, given that 65.9% said that having their personal information compromised is a medium or huge risk.
What are the basic security requirements that all these people are rolling over and playing dead about? For one, the study found, most people use public WiFi – an inherently risky thing to do unless you use a Virtual Private Network (VPN).
We’ve listed some of the risks of free, open Wi-Fi before, and they’re worth repeating here:
- The hotspot could be run by anyone, and there’s almost no way of telling who that might be.
- Anyone in the vicinity, whether they’re on the network or not, can “sniff” (eavesdrop on) and record all your network traffic.
- Your DNS requests, which turn server names into network numbers, are visible to anyone, so even if you subsequently use secure HTTPS connections only, the services you’re using are nevertheless revealed.
- The hotspot can send you bogus DNS replies, redirecting you to imposter servers, blocking your access to security updates, and more.
In addition, free hotspots often rely on a login page, rather tellingly known as a captive portal, where you have to first sign up for the service, even if your plan once online is to hop onto your own VPN to keep your network traffic secure.
Basically, a VPN encrypts all your network data before it leaves your phone or laptop, sending the scrambled stream of data back to your own network and decrypting it there before it gets sent to the internet.
The study found that many people also procrastinate when it comes to updating their computers or their mobile phones. Well, that’s nothing new. A study done five years ago for International Technology Upgrade Week – yup, that was really a thing, for at least one year! – found that 40% of users don’t upgrade when they probably should.
The other basic security practice cited by the study’s authors as being a snooze-fest: the lazy habit of keeping private passwords somewhere on the computer. In fact, over half of survey respondents kept those keys to the kingdom tucked somewhere on their computers.
Unique passwords is another good habit: one that Naked Security cites when we list basic security steps. In the CBT Nuggets survey, people who self-identify as tech-savvy are just a wee bit more likely to use unique passwords: just over 6% more likely, in fact. Why didn’t that keep them from having a higher incidence of identity theft? The study doesn’t say, but it does a lot more slicing and dicing of demographics more likely to suffer ID theft.
For example, when it comes to age, Generation Xers – those born between 1965 and 1980 – are the most likely to have been victims of ID theft. Millennials – those born between 1981 and 1997 – are the least likely. That could be due to the fact that Millennials have simply spent fewer years in the online trenches, of course.
More interesting factoids about the people who are more likely to use unique passwords:
- Android users were almost 11% more likely than iPhone users to have unique passwords. That could be one reason why they’re less likely to get hacked.
- Windows users were over 12% more likely than those on a Mac to use unique passwords. Apple users were 22% more likely than Windows users to be victims of ID theft, as well.
- Women were slightly more likely than men to use unique passwords.
Using more unique passwords doesn’t necessarily keep a given demographic from getting hacked more often, though. For example, women use 2.9% more passwords than men, but they get hit with ID theft 14% more often than men. The authors didn’t explain that discrepancy, though it could well amount to the fact that using “more” passwords doesn’t mean the same thing as “using unique passwords for every site”.
More factoids:
- The curse of the egghead: PhDs are the most likely to be hacked out of any education level. High school diploma holders are the lowest. One imagines that could have to do with PhDs spending a whole lot more time online, of course.
- PhDs are the least likely education level to use unique passwords.
- The laziest people – or, well, those more likely to say they’re lazy or that security is inconvenient – work in the religious and legal industries.
- Overall, 40% of respondents are too lazy, think it’s inconvenient, or just don’t care about using security best practices.
At Naked Security, we feel your pain. Sure, it can be inconvenient to use best practices to secure your online information. There was a whole lot of head-desk banging when I lost my phone recently and suddenly felt how very tight my security straitjacket is, with all those unique passwords locked away in a password manager I couldn’t get to without the two-factor authentication (2FA) Google Authenticator app (which was on my phone!) allowing me to get to them online.
But we believe in that armor. Common sense dictates that unique passwords keep thieves who’ve stolen your credentials for one site from reusing them to hijack all your accounts, be they your bank accounts, your social media accounts or anything and everything else.
We believe that multifactor authentication (MFA) is worth using, too. It’s a good stumbling block for identity thieves. To read more about the hows and whys of 2FA, check out our Power of Two post.
And some of us believe that if we can’t handle the concept of one unique, strong password for every site, then we can rely on a password manager to keep track of them for us.
If you’ve read this far, we know you’re likely not too lazy to use good security practices. That means we’re preaching to the choir. Your assignment: go preach to your friends and family who can’t be bothered, before their personal details get vacuumed up in the ever-expanding list of breaches.