
Most Americans don’t have a clue what https:// means

55% of US adults couldn’t identify an example of 2FA, and only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted.

… and the Pew Research Center discovered plenty of other sobering facts about what Americans know and don’t know about cybersecurity and privacy.

The survey

The Pew Research Center conducted a survey which tested Americans and their digital knowledge, asking 4,272 adults in the US a series of 10 questions about a range of digital topics, such as cybersecurity or who the bearded guy in the photo was (answer: Twitter co-founder Jack Dorsey. Only 15% got that one right, but how that fits into cybersecurity and privacy concerns is a question that Pew didn’t address.)

How well the respondents did depended a great deal on what the topic, term or concept was, as well as how old they were and what their level of educational attainment was. Young people, you did better. College-educated people, you did better, too.

Respondents did A+ work when it came to identifying where you can get phished, for example. In an email? On social media? In a text message? On a website? Or how about the correct answer: “all of the above?” Ding-ding-ding, we have a winner! 67% of Americans knew that you can get phished all over the place.

Respondents aced the question about what cookies are, as well – 62% correctly said that websites that use cookies can track your visits and activity on the site.

Where we fall flat on our 2FA faces

Here’s where we aren’t so smart: only 28% of adults could identify an example of 2FA, which is one of the most important ways that people can protect their personal information on sensitive accounts.

To be fair, the question tossed a number of images of security strategies together: if you go to pages 14-15 of the survey, which you can download here, you’ll see that respondents were asked to pick the image that represented 2FA.

In the mix were a reCAPTCHA image with wavy words you need to type in to prove you’re not a bot; a customer login asking for a username, password, and a six-digit code (the correct choice); a request to confirm a security image (pretty flowers!) and keyword before entering your password; one of those security questions prompts that wants you to fill in your “who was your childhood best friend” type questions (the answers for which, all too often, can be easily mined from social media, unless you do the smart thing and answer with Goobledygook Galore); “all of the above” or “Not sure.”

Forty-two percent said “all of the above.” Only 28% spotted the request for a code and knew that it, and it alone, was indicative of 2FA.

What is this https:// of which you speak?

Only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted. 53% weren’t sure, but at least they didn’t choose some of the incorrect guesses: that the content on the site is safe for children (wrong, and, thankfully enough, chosen by only 1% of respondents), that the site is only accessible to people in certain countries (wrong, and chosen by only 2%), or that the site has been verified as trustworthy (wrong, and chosen by 12%).

HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the web server before any HTTP requests are sent. As we’ve explained, TLS protects your HTTP traffic from eavesdropping and manipulation as it moves over a network, between you and the site you’re using. It doesn’t say anything about the security or legitimacy of the site itself, though.

Unfortunately, the padlock symbol that your browser displays when you’re using HTTPS can fool users into thinking it does. Many assume (not least because security professionals spent years telling them to) that the padlock means the website they’re looking at must be the real thing, rather than a fake.

The FBI recently warned that phishing sites are preying on this misunderstanding and using TLS to appear more legitimate to victims.

More takeaways

These are some of the other subjects the Pew Research Center quizzed Americans on, along with the results:

A brief explanation of 2FA

So, about that 2FA question that so many of us got wrong: If you want a technical deep-dive into what 2FA is, please do check out Chester Wisniewski’s 2FA article here. If you’re feeling TL;DR, check out Maria Varmazis’s 2FA article, which breaks it down into simple but helpful terms.

In essence, 2FA is when you prove who you are to a website or service using two out of these three things:

As Maria explains, many of us who’ve worked in the corporate world at some point have carried a small key fob or token with us, and typed in the displayed numbers when logging in to a core work system. That’s one example of a 2FA factor: that code is something you have.

Similarly, if your favorite shopping or banking website has been asking you to verify your identity by typing in a numerical code texted to you, that’s also 2FA at work.

2FA works as an additional layer of security on top of things like passwords, which are all too frequently stolen by hackers or exposed in databases left unprotected, without a password, online.

If you’re offered a chance to secure an account with 2FA, we think it’s a smart idea to do so. It’s a good security technique to recognize and to get to know better if you aren’t sure just exactly what it is and isn’t.
