Popular messaging apps Facebook Messenger and WhatsApp leave people exposed to fraud or hacking because users do not know how to use important security options, scientists have warned. “We wanted to understand how typical users are protecting their privacy,” said Elham Vaziripour, a Ph.D. student at the Brigham Young University in the US. Even though WhatsApp and Viber encrypt messages by default, all three messaging apps also require an authentication ceremony to ensure true security.
However, since most users are unaware of the ceremony and its importance, “it is possible that a malicious third party or man-in-the middle attacker can eavesdrop on their conversations,” said Vaziripour. The authentication ceremony allows users to confirm the identity of their intended conversation partner, and makes sure no other person – even the company providing the messaging application – can intercept messages.
In the first phase of a two-phase experiment, the research team prompted study participants to share a credit card number with another participant. Participants were warned about potential threats and encouraged to make sure their messages were confidential. However, only 14 per cent of users in this phase managed to successfully authenticate their recipient. Others opted for ad-hoc security measures like asking their partners for details about a shared experience. In the second phase, participants were again asked to share a credit card number, but in this round, researchers emphasized the importance of authentication ceremonies. With that prompting, 79 per cent of users were able to successfully authenticate the other party.
Despite the drastic climb, however, researchers discovered another significant hurdle: participants averaged 11 minutes to authenticate their partners. “Once we told people about the authentication ceremonies, most people could do it, but it was not simple, people were frustrated and it took them too long,” said Daniel Zappala, professor at BYU. Since most people don’t experience significant security problems, it is hard to make a case for them investing the time and effort to understand and use security features that applications offer.