User experience and security risks
We, as users, share the values of usability, and as professionals, we can't help but think about security. In this article we look, from the point of view of security, at some of the features that are added to products and services for our convenience.

Cookies

They allow a site to remember registration data and user settings, so that you are not forced to enter your username and password and configure everything again every time you log in. Cookies remember the language, theme, volume level, preferred player size and much more. With their help, online stores save goods left in the basket, and services add interesting articles, movies and music to recommendations. Of course, cookies are also used for other purposes, including web analytics and relevant advertising.

How are things with security?

Cookies themselves are safe, but the information they store may be of interest to intruders: for example, information about login and password, IP address and location, OS version and browser. It is unlikely that you will be harmed by cookies alone, but it is possible to intercept cookies and extract data from them that is potentially useful for developing an attack. Should you end up deleting cookies every day? Unlikely. But for privacy reasons, it is definitely worth clearing cookies or using incognito mode if you log into your account from someone else's device.

Single sign-on (SSO)

You likely use it every day if you have a Google or Yandex account. For example, you easily switch from Google Drive to Google Calendar, or go to Kinopoisk while logged in to Yandex.Mail. When you are offered to log in somewhere using a Facebook, Twitter or Gosuslugi (Public Services) account, it is all the same technology in action. Single sign-on is really convenient for the user. Here are the main advantages:
- Fast authentication

How are things with security?

Using SSO entails some security risks.
The most significant for the user is that it is enough for a hacker to compromise one account to gain access to all the systems associated with it. If it is possible to set up multi-factor authentication to protect your key account, we recommend doing so.

Autofill in the browser

How are things with security?

By leaving information about ourselves on the Internet, we always risk losing it. With autofill, crafty people can pull off the following trick: they add hidden fields to a form. These fields are not visible when you fill out the form, but the data saved in your browser is automatically pulled into them. This does not affect passwords (they are stored elsewhere), but your address, phone number and passport details can be pulled this way. Everyone decides for themselves how critical this information is to them, and what matters more: convenience or additional caution. Autofill can be disabled in the browser settings. For example, in Chrome, this option looks like this:
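The hidden-field trick described above can be checked for in the page itself. The scanner below is an added example, not code from the article: it takes a form's HTML (a constructed sample is embedded) and flags inputs that are visually hidden yet still eligible for autofill; the function names, the list of sensitive categories and the CSS heuristics are assumptions of this example.

```javascript
// Added example (not from the original article): find form inputs that a
// browser may autofill even though the person filling the form cannot see them.
// Browsers never autofill <input type="hidden">, so the trick relies on ordinary
// text inputs hidden with CSS or pushed off-screen; those are what we look for.

// Assumed data categories at risk (the article names address, phone and
// passport data), matched against name/id/autocomplete attributes.
const SENSITIVE = /(address|street|postal|zip|city|tel|phone|mobile|email|passport|bday|birth|cc-|card)/i;

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let m; (m = re.exec(tagBody)) !== null;) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Assumed heuristics for "in the form but invisible": the hidden attribute,
// display/visibility/opacity tricks, zero size, or far off-screen placement.
function isVisuallyHidden(a) {
  const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
  return 'hidden' in a
    || /display:none|visibility:hidden|opacity:0(;|$)/.test(style)
    || /(left|top):-\d{3,}px/.test(style)
    || /(width|height):0(px)?(;|$)/.test(style);
}

// Return names of hidden inputs that still invite autofill: autocomplete is
// not "off" and the field looks like a sensitive data category.
function findHiddenAutofillFields(html) {
  const hits = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag.slice(6, -1)); // drop "<input" and ">"
    if ((a.type || 'text').toLowerCase() === 'hidden') continue; // never autofilled
    if ((a.autocomplete || '').toLowerCase() === 'off') continue;
    const label = [a.name, a.id, a.autocomplete].filter(Boolean).join(' ');
    if (isVisuallyHidden(a) && SENSITIVE.test(label)) hits.push(a.name || a.id);
  }
  return hits;
}

// Constructed sample: the visible form asks only for name and e-mail, while a
// phone and a street-address field are present but hidden from the user.
const SAMPLE_FORM = `
<form action="/subscribe" method="post">
  <input type="text" name="name" placeholder="Name">
  <input type="email" name="email" placeholder="E-mail">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input type="text" name="street-address" style="display: none">
  <input type="hidden" name="csrf_token" value="constructed">
</form>`;

console.log(findHiddenAutofillFields(SAMPLE_FORM)); // [ 'phone', 'street-address' ]
```

In a browser the same function can be run over document.documentElement.outerHTML; a form that marks sensitive fields with autocomplete="off", or simply has no hidden ones, comes back empty.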
Biometrics

How are things with security?

The risk associated with this technology is negligible. Your biometric data is stored not by the bank but by the device itself, and the legitimacy of the login to the application is requested each time from your gadget. Thus, if an outsider gets hold of the phone and its passcode, they will be able to reconfigure biometrics and gain access to your banking applications. Difficult, but possible. Some banks have provided for this risk: after biometrics are changed, they do not let you into the application without its password.

Exported activity

Let's say you received a document by email and open it on your phone. The mail client sends this document to the editor you use (an application on your phone) using an exported activity. Another example is deep links. Do you remember links like tg://socks during the period of active blocking? They allowed you to set up a SOCKS proxy in Telegram in one click. This is also an exported activity that takes data from the outside, processes it and changes something in the operation of the application. The main advantages for the user: seamless use of the system. You do not have to perform unnecessary actions: open a file, save it, open it through another application; or manually enter hosts and passwords, as in the case of a proxy in Telegram.

How are things with security?

It all depends on what functionality is exposed as an exported activity. It may be a harmless opening of a document, and it happens (and in our practice this has happened) that a deep link makes it possible to bypass the PIN code entry and thereby gain unauthorized access inside the application. All responsibility for security in this case lies directly with the developers.

Chatbots

How are things with security?

Like any third-party component, a chatbot must be well implemented in order to be secure. Unfortunately, in our practice we have seen enough "leaky" bots.
If an attacker gets access to such a bot, he can get hold of your personal information: phone number, email, and in the worst case bank card number and passport details. Try not to tell chatbots important information.

SIM card PIN code

How are things with security?

We link a lot of important things to our phone number: mail, accounts, bank notifications. If your phone is stolen, the SIM card can be taken out and easily moved to another phone, which is already bad. Even worse (for obvious reasons) if both the SIM and a bank card end up in the wrong hands. Here is an interesting case on this topic. So, if you are not too lazy to remember the PIN code for your SIM card, it is better to set one.

Conclusion

The main responsibility in matters of information security lies with developers, but something also depends on users themselves: a careful attitude to their personal data. We hope that it was interesting and useful for you to look at usability from the other side.
13-03-2022, 13:20