- Iranians holding Ashura mourning for Imam Hussein
- Third step: Iran officially informs EU of plan to expand nuclear R&D
- Iran expands nuclear R&D program: Rouhani
- Iran goes ahead in space tech, despite US sanctions: ISA
- Resistance Front undermining Israeli regime power: Top commander
- Iran: 7 crew members of detained UK ship freed
- US addiction to sanction threaten its power: Iran’s Zarif
- Dutch role in 2007 Stuxnet attack on Iran’s nuclear site under scrutiny: Iraian FM Spox.
- Iran: ‘Sustainable Security 2019’ kicks off in Caspian Sea
- Iran’s Zarif leaves Tehran for Moscow
- Shiraz University ranked 1st in liver transplantation: Iranian health official
- Japan’s Abe to meet Iran’s president to discuss easing tension in region
- Downing of US spy drone shattered war threats against Iran: Top IRGC commander
- IAEO head reports development of first ion-therapy hospital in west of Asia
- Iranian Taekwondo team wins 2019 World Cup championship
- US sanctions failed to force Iran to buckle: Report
- Crew fixing Iran oil tanker broken down in Red Sea
- As Iranians hold nerves, US seeks to scare off trade
- Leader expresses concern about Kashmir, urges India to follow fair policy toward Muslim-majority region
- Iran saffron exports down due to smuggling, government restrictions: Exporter
- Iran FM warns US against ‘serious miscalculation’ in Persian Gulf
- Iran’s resistance policy led to release of oil tanker: MP
- Iran in reverse brain drain as top students come home in rising numbers
- Iran official calls for compensation for tanker seizure
- Iran hails N Korea for standing against ‘unilateral’ US demands
- Shia Muslims celebrate Eid Al-Ghadir
- North Korea praises Iran’s anti-US struggle
- Zarif says to meet French president Friday
- Iranian court hearing case of UK oil tanker
- Over half of Japanese voters oppose joining US-led anti-Iran coalition in Persian Gulf: Poll
- IME trade ups by 21 percent in July
- Finland backs INSTEX in defiance of US
- US anti-Iran policy in high seas harms Europeans: LA Times
- Iran, China confer on Syria
- Iran, Finland share views on Persian Gulf dialogue forum: Zarif
- Iran warns US against seizure of oil tanker
- Iraq eager to benefit from Iranian Police’s experience
- Iran planning 3rd step to reduce nuclear commitments: Spokesman
- Leader grants clemency to over 1,000 Iranian inmates
- Registration for Arbaeen Pilgrimage to begin in Iran on Friday
- Iran, Iraq agree to reopen Khosravi border crossing
- Iran deplores suicide attack at Kabul wedding hall
- Iran to hold int'l hand-woven carpets expo
- Zarif meets with Iran-Kuwait Friendship Group members
- Adrian Darya oil tanker not under any sanctions, says Iran envoy
- ‘Iran to stay in nuclear deal as long as its interests are met’
- India envoy happy with positive trend of trade with Iran
- Iran’s annual export of white meat tops 2.5m tons: Minister
- Iranian scientist discovers new state of matter
- Iran, Japan diplomats discuss bilateral ties
- Iran, Ansarullah, European representatives Yemen developments
- ‘Iran to become self-sufficient in producing aircraft engines'
- US issues seizure warrant for Iranian supertanker 'Grace 1'
- Neanderthal tooth unearthed near Iran’s Zagros mountain
- Iran’s Zarif due in Kuwait on Saturday
- US faces humiliating defeat after Gibraltar releases Iranian tanker: Envoy
- Spokesman rejects claim on Iran’s commitment in exchange for tanker release
- Zarif reacts to release of Iranian tanker in Gibraltar
- Israel, UAE engaged in secret talks on Iran arranged by US: Report
- US threatens visa ban as Iranian-operated tanker sets to sail from Gibraltar
- Enemies must factor Iran's global power in their calculations: IRGC's chief commander
- Trump’s administration conflicting messages to Iran baffle go-betweens: Report
- Gibraltar releases Iran-operated tanker despite US pressure
TEHRAN, August 26, YJC - An Iranian researcher Elham Vaziripour has found out that users of popular messaging apps WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking.
TEHRAN, Young Journalists Club (YJC) - Vaziripour and her colleagues found the majority of users are vulnerable to malicious attacks because they either don’t know about or aren’t using the proper security features.
In a study, only 14 percent of participants successfully enabled the full security function that would protect their messages.
Users WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking, according to a new study. Researchers found the majority of users either don’t know about or aren’t using the proper security features
THE FINDINGS
In the study’s first phase, only 14 percent of users, however, managed to successfully complete the authentication ceremony.
In the second phase, in which they were explicitly told about the thread and advised to complete an authentication ceremony, 79 percent were able to successfully authenticate the other party.
The percentage for phase two varied from 63 to 96 percent from app to app, with participants finding the most success with Viber and less with Facebook Messenger and WhatsApp.
However, researchers discovered it took those participants an average of 11 minutes to do so.
‘It is possible that a malicious third party or man-in-the middle attacker can eavesdrop on their conversations,’ said Brigham Young University computer science PhD student Vaziripour, who led the recent study.
Facebook messenger doesn’t offer automatic encryption but allows users to set it up themselves.
WhatsApp and Viber, however, both tout their end-to-end encryption is automatic and makes it so even they can’t access your messages, which leads many users to believe their conversations are secure.
But that’s not the case – to truly encrypt messages, all three apps require what’s called an ‘authentication ceremony.’
The process allows users to confirm the identify of their intended conversation partner and makes sure no other third party can trick you into revealing the contents of your messages.
Without doing so, Daniel Zappala, a computer science professor who worked on the study, told DailyMail.com that ‘a clever hacker could make you think that you are encrypting your messages to your partner (let’s call her Alice), when in reality, you are encrypting your messages for an intruder (let’s call her Trudy).’
Authentication ceremonies for WhatsApp, Viber and Facebook Messenger
‘Trudy decrypts your messages, so she can read them, and then re-encrypts the messages to send them to Alice.’
‘Alice thinks she got the messages directly from you, when in reality, Trudy was in the middle of the conversation and able to read it all.’
‘This could be done by the service provider or by a hacker who is able to get into the middle of your conversation (such as at a wireless hotspot) and is known as a “man-in-the-middle” attack in the security community.’
When users perform the authentication ceremony, they are essentially comparing ‘keys’ to see the secured conversation to make sure they match.
Yet most users are completely unaware such action is necessary to keep their messages private, as the manual process is ‘somewhat hidden behind a few clicks in the user interface,’ according to Zappala.
While explicit instructions regarding the authentication ceremony caused a drastic increase in the number of users completing it, researchers discovered it took those participants an average of 11 minutes to do so, revealing how confusing the process is
‘The effective security provided by secure messaging applications depends heavily on users completing an authentication ceremony—a sequence of manual operations enabling users to verify they are indeed communicating with one another,’ reads the paper, which was presented at Thirteenth Symposium on Usable Privacy and Security.
‘Unfortunately, evidence to date suggests users are unable to do this.’
In the first part of the two-phase experiment, the research team prompted study participants to share a credit card number with a friend they brought with them for the experiment.
The researchers also warned the participants about potential threats and encouraged them to make sure their messages were confidential.
Only 14 percent of users, however, managed to successfully complete the authentication ceremony.
Timing for finding and using the authentication ceremony in the second phase. Lighter shades indicate the time taken to find the ceremony and the full bar indicates time taken for completing the ceremony
Others made misguided attempts to verify the recipient was the correct person by assuming it was so because they recognized their picture or by asking for details about a shared experience, not realizing this would not secure the information from hackers.
‘These answers show the participants understood how to verify that they are talking to the right person, but also show a lack of understanding that someone else could be intercepting and monitoring their phone call or text messages,’ Zappala said.
‘We were hoping that a general awareness that they should be careful would lead them to find and use the ceremony, but this wasn’t the case.’
In the second phase of the study, participants were again asked to share a credit card number, but in this round researchers explained what man-in-the-middle attacks are and emphasized the importance of authentication ceremonies.
With that prompting, an average of 79 percent of users were able to successfully authenticate the other party.
Facebook Messenger proved the most difficult with only a 63 percent success rate, while WhatsApp and Viber fared better with 79 and 96 percent success rates respectively.
The researchers say it’s difficult to make a case for users going through such hurdles to enable proper security because they never experience hacking. But they say that because there’s always a risk, it shouldn’t be that way and that the process needs to be ‘much easier to do’
While explicit instructions regarding the authentication ceremony caused a drastic increase in the number of users completing it, researchers discovered it took those participants an average of 11 minutes to do so.
‘Once we told people about the authentication ceremonies, most people could do it, but it was not simple, people were frustrated and it took them too long,’ Daniel Zappala, a computer science professor who worked on the study, said.
The researchers say it’s difficult to make a case for users going through such hurdles to enable proper security because they never experience hacking.
But they say that because there’s always a risk, that shouldn’t be the thinking and that the process needs to be ‘much easier to do.’
‘Security researchers often build systems without finding out what people need and want,’ said Kent Seamons, another computer science researcher on the project.
Zappala emphasized this, telling DailyMail.com: ‘We’d much rather that people don’t need to understand a lot about security in order to use secure messaging applications.’
The researchers are recommending the process be made automatic.
Participant ratings of trust for each application for both phases of the study
‘If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education,’ said Vaziripour.
‘The goal in our labs is to design technology that’s simple and usable enough for anyone to use.’
Your Comment