User experience and security risks

[Nulled] » Information security » User experience and security risks

User experience and security risks
Every second Thursday in November, World Usability Day is celebrated. This holiday was established in 2005 by the Association of Professionals in the Field of User Experience to promote the practicality, convenience and ease of use of digital products and services.

We, as users, share the values of usability, and as professionals, we can't help but think about security. In this article, from the point of view of security, we will consider some of the chips that are added to products and services for our convenience.
"We use cookies"
If you omit conspiracy theory and forget about the all-seeing eye of marketers, cookies really help simplify life on the Internet.

They allow you to remember registration data and user settings so as not to force you to enter your username and password, as well as configure everything again every time you log in to the site. Cookies remember the language, theme, volume level, preferred player size and much more.

With their help, online stores save goods left in the basket, and services add interesting articles, movies and music to recommendations. Of course, cookies are also used for other purposes, including web analytics and relevant advertising.

How are things with security?

Cookies themselves are safe, but the information they store may be of interest to intruders. For example, information about login and password, IP and location, OS version and browser. It is unlikely that you will be harmed by cookies alone, but it is possible to intercept cookies and extract data from them that is potentially useful for the development of an attack.

Should I end up deleting cookies every day? Unlikely. But for privacy reasons, it's definitely worth cleaning cookies or using incognito mode if you log into your account from someone else's device.

SSO Single
Sign-On technology is a user authentication technology that allows you to switch from one system to another without re-entering your username and password or other data.

You likely use it every day, if you have a Google or Yandex. For example, easily switch from Google drive to Google calendar or go to "Kinopoisk" logged in Yandex.By mail. When you are offered to log in somewhere using a Facebook account, Twitter, Public Services — it's all the same technology in action.

Single sign-on is really convenient for the user. Here are the main advantages:

Fast authentication
No need to remember and store a lot of passwords
The system works faster (performance increases due to fewer requests)
How are things with security?

Using SSO entails some security risks. The most significant for the user is that it is enough for a hacker to hack one account to gain access to all the systems associated with it.

If it is possible to set up multi-factor authentication to protect your key account, we recommend doing this.

Autofill in the browser
It's nice if tedious tasks are automated for us. For example, you make a delivery, and a long address with an index is inserted into the window itself. Or you buy a burning ticket on sale, and passport data is entered in a second. Autofill helps the user when it is impossible to avoid filling out large and detailed forms.

How are things with security?

Leaving information about ourselves on the Internet, we always risk losing it. With autofill, craftsmen can pull off the following trick: add hidden fields to the form. They will not be visible when filling out the form, but your data saved in the browser will be automatically pulled up in them. This will not affect passwords (they are stored elsewhere), but your address, phone number and passport data - quite.

Everyone decides for himself how critical this information is for him, and what is more important: convenience or additional caution.

Autofill can be disabled in the browser settings. For example, in Chome, this option looks like this:

Login to the banking application using biometrics
Developers of banking applications strive to make customers' lives easier and, to give them their due, they succeed. We can pay bills, open deposits, exchange currency, divide the bill in a cafe in a matter of seconds directly from the smartphone screen. Another convenient option is to log in to the app using Face or Touch ID.

How are things with security?

The risk associated with this technology is negligible. Your biometric data is stored not by the bank, but by the device itself, and the legitimacy of the application entry is requested each time from your gadget. Thus, if an outsider gets hold of the phone and the password code from it, he will be able to reconfigure biometrics and gain access to your banking applications. Difficult, but possible. Some banks have provided for this risk and after changing the biometrics, they do not let you into the application without a password from it.

Exported activity
This is another convenient feature of mobile applications. A few words about what an activity is and why it should be exported.
The mobile application consists of many "screens" that the user navigates through. Each such "screen" is called an "activity". It can be compared to a website page on the Internet.

Let's say you received a document by email and open it on your phone. The mail client sends this document to the editor you are using (the application on your phone) just using the exported activity.

Another example is deeplink. Do you remember links like: tg://socks during the period of active locks? They allowed you to install a socks proxy in Telegram in one click. This is also an exported activity that takes data from the outside, processes it and changes something in the operation of the application.

The main advantages for the user:

Seamless use of the system. You do not have to perform unnecessary actions: open a file, save it, open it through another application. Or manually enter hosts and passwords, as in the case of a proxy in Telegram.
The system redirects you directly to the desired part of the application. Whether it's paying or going to your shopping list.
How are things with security?

It all depends on what functionality is rendered as an exported activity. This may be a harmless opening of a document, and it happens (and in our practice this has happened) that using deeplink it is possible to bypass the PIN code entry and thereby gain unauthorized access inside the application.

All responsibility for security in this case is in the direct hands of developers.

Chatbots
According to the idea, chatbots are friendly assistants who improve the quality of service. Thanks to chatbots, you don't wait on the support line until the operator is free, but you can immediately solve a simple task or get an answer to a question.

How are things with security?

Like any third-party component, in order to be secure, a chatbot must be well implemented. Unfortunately, in our practice we have seen enough "leaky" bots. If an attacker gets access to such a bot, he can get hold of your personal information: phone number, email, and in the worst case - bank card number, passport data. Try not to tell chatbots important information.

SIM card PIN code
Yes, this is something from the 2000s, and the main convenience of the SIM card PIN code today is its absence. It is enough that we remember the password code from the phone.

How are things with security?

We link a lot of important things to the phone number: mail, accounts, bank notifications. If your phone was stolen, a SIM card was taken out and easily moved to another phone, it's not good enough. Even worse (for obvious reasons), if both the SIM and the bank card were in the wrong hands. Here is an interesting case on this topic.

So, if you are not too lazy to remember the PIN code from the SIM card, it is better to install it.

Conclusion
Sometimes convenience and security can argue with each other. Although this, of course, is not a reason to abandon the first one: we all enthusiastically perceive new features that can simplify our lives.

The main responsibility in matters of information security lies with the developers, but something also depends on the users themselves - a careful attitude to their personal data. We hope that it was interesting and useful for you to look at usability from the other side

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

2 0

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

Author of the publication: hackweb
Date of publication: 13 March 2022 13:20
Publication category(s): Information security
Number of views of the publication: 222
Number of comments to the publication: 0

Site Search

Site Menu

☑ Scripts Software

Casinos and Sports betting

Casino Scripts

Sports betting Scripts

HTML5 Games casino

Poker Scripts

Roulettes, cases Scripts

Bitcoin casino scripts

Scripts Cryptocurrencies

Bitcoin scripts

Altcoins scripts

Mining scripts

Trading scripts

Currency exchange scripts

Exchanger script

Nulled exchanger script

PHP Scripts

Gambling Software

PHP Scripts

Scripts HYIP

Economic Games HYIP

Buks scripts

Doubler Scripts HYIP

Roulette Scripts HYIP

Advertising scripts

Rating Scripts

Scripts of social networks

Online stores Scripts

Scripts Bulletin boards

Link Shortening script

Telegram script

Web Templates

HTML Templates website

HTML Control panels

Email Templates

PSD Templates

CMS Internet shop Scripts

Magento script

Modules Magento

Templates Magento

Releases Magento

PrestaShop script

Modules PrestaShop

Templates PrestaShop

Releases PrestaShop

OpenCart script

Releases OpenCart

OpenCart templates

OpenCart modules

Shop-Script(Webasyst)

Plugins Shop-Script

Templates Shop-Script

Releases Shop-Script

SimplaCMS script

Modules SimplaCMS

Templates SimplaCMS

Releases SimplaCMS

OkayCMS script

OkayCMS Releases

Modules OkayCMS

Templates OkayCMS

CS-Cart script

Releases CS-Cart

Modules CS-Cart

Templates CS-Cart

ImageCMS script

Releases ImageCMS

ImageCMS modules

ImageCMS templates

Bulletin Board scripts

Osclass script

Plugins Osclass

Revision of the themes of Osclass

General questions of Osclass

Unisite-Board script

Themes Unisite-Board

Plugins Unisite-Board

Modification Unisite-Board

General questions Unisite-Board

Forums scripts

Discuz! script

Releases Discuz!

Modules Discuz!

Templates Discuz!

Script mybb

Releases mybb

Modules mybb

Templates mybb

VBulletin

vBulletin Skins

Mods for vBulletin

vbulletin Releases

Hacks VBulletin

Forums Invision Community

Releases Invision Community

Plugins Invision Community

Styles Invision Community

Modifications Invision Community

Transfers Invision Community

General questions

XenForo forum platform

XenForo Releases

XenForo Styles

Modules XenForo

Transfers XenForo

CMS (Site management systems)

WordPress

WordPress Themes

WordPress Plugins

Joomla

Joomla Templates

Joomla modifications

Joomla components

DataLife Engine

DLE Releases

DLE templates

DLE modules

DLE hacks

1С-Bitrix

Releases 1c-bitrix

Templates 1c-bitrix

Modules 1c-bitrix

General questions 1c-bitrix

WHMCS Web Hosting Billing

Releases WHMCS

Modules WHMCS

Templates WHMCS

Email Script

Interspire Email Script

Releases Interspire

Modules Interspire

MailWizz Email Script

Releases MailWizz

Modules MailWizz

Mumara Email Script

Releases Mumara

Modules Mumara

PowerMTA Email Script

Releases PowerMTA

Modules PowerMTA

Social Networks scripts

InstantCMS script

Components InstantCMS

Widgets InstantCMS

Templates InstantCMS

LiveStreet script

Plugins LiveStreet

Templates LiveStreet

Dating scripts

skadate Х Dating script

OXWALL Dating script

Readymade PHP Scripts

Clone Scripts

Accounting Software

Banking Software

Calculators

Classified Script

CRM Application

Cryptocurrency Script

Directory Script

Ecommerce Website

Educational Software

Enterprise Application

Hospital Software

Hotel Booking Script

Job portal Script

Marketplace Scripts

MLM Application HYPE

Mobile App Codes

Online Booking Script

Point Of Sale Software Scripts

Realestate Script

Restaurant Management

Retail Management

GPS Tracking System

Calendar

« May 2024 »
Mon	Tue	Wed	Thu	Fri	Sat	Sun
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Survey on the website

Evaluate the work of the site

Statistics

+6 Total articles 5578
+14 Comments 3149
+31 Users : 4130

Full statistics

Contacts

Moderator

Channel

Google

RSS