Basic assumptions

The recent hacks into iCloud accounts indicate that it is difficult for people to keep their accounts secure. It is basically an unfair fight between professional hackers and people not exposed to IT security.

In my opinion, this can be addressed in two ways. First, introduce better procedures for security related stuff. For example, make changes like password recovery harder. This is the track Apple is currently working on. Second, teach the people about security.

I believe that banks and online platforms are not very strong in teaching security to their users. Their teaching strategy looks like old style school teaching 50 years, with the teacher presenting the information from the front. It is not a learning experience. Companies like large online platforms and banks should provide their user with an easy way to learn about security. It must be easy enough to allow everybody in your family from children to grandparents what to do. The content of the training should be focused on the target audience. As teenagers you do things, you would not do at age of 40 and the other way around as well.

A sketch of an online training

Learn about security for non security nerds

The user is offered an online training, when they setup an account. Motivate the user for example by the possibility to reach points, spending money to social organizations, if the training goal is reached.

Goal: Reach level 7 as security expert

Level 1

Goal: User should learn about, what the company does not send by email.

Explain phishing. Send the user one real email asking him to react to something and two phishing email trying to convince him to do something like “changing his password on a fake website”. Send him real emails, provide him with a real experience. The user gets all the points, if he sorts the emails correctly into fishing.

Level 2

Goal: Gain experience with content of phishing emails.

Put the user in the role of a hacker. Let him choose amongst some text the most promising phishing email for various scenarios.

Scenarios:

- Security alert change your password
- Enter multiple banking tans
- Attract user to log in on a fake website

Level 3

Goal: Understanding HTTPS and when it is very relevant

Explain why password changes and logins should be done on encrypted connections. Explain how to identify an HTTPS connection and how a browser warns him of bad certificates.

Exercise: Send the user to different websites asking him to login. The user get all points, if he correctly sorts the pages into secure and unsecure.

Level 4

Goal: Identify website forgery

Explain ways to fake websites and how to identify them by the certificate of the HTTPS connection. Explain not to follow links but to enter the URL.

Send the user emails inviting him to fake and real websites. The user gets all points, if he correctly identifies them.

Level 5

Goal: Provide user with procedures if he is in doubt that a received email is correct.

Explain who he can contact and which information to provide.

Level 6

Goal: Learn about good passwords

Introduce methods to pick a good password. Let the user sort different passwords into categories like weak, average, strong

Level 7

Goal: Learn about how easy it is to loose passwords

Explain scenarios like: taking notes of passwords, enter password on a fake browser in an Internet Cafe, cameras recording entering of passwords.

Ask the user to identify micro cameras on various pictures.

Let users choose the security he needs

A procedure like changing a password can be made more secure, by adding additional verification steps, time delays or notifications. But every measure makes using the system harder. The need of security might be different for somebody posting stuff to the public and a film star sharing private pictures with his or her lover.

In my opinion, users of online platform should be allowed to choose between the level of security. Apart from being able to choose, it makes them aware of the security measures. Here is an example:

a) Base Level

You can change your password online and you can recover your password with a predefined security question. You will be notified every time by email.

b) Medium Level

Your password must be at least 6 characters including a special character, you need to define your own security questions to recover your password. Password recovery and change is delayed by 6 hours.

c)

In addition to b) you can only login or change your password, if you provide a password and a changing transaction number.

Summary

In this article, I shared my vision of a learning experience about security. I hope you enjoyed it.

Sebastian Hennebrueder