Many people who use popular messaging services like Facebook Messenger, WhatsApp and Viber take for granted that their conversations are private because they are encrypted.
But a recent study from Brigham Young University shows that these messages are still vulnerable to hacking attempts because users don’t take advantage of other important security options. The researchers say that although these three messaging services encrypt messages by default, they also require an “authentication ceremony” to ensure that conversations stay private.
Ph.D. student Elham Vaziripour says that unfortunately many consumers aren’t aware of these ceremonies, which means that “a malicious party or man-in-the-middle attacker can eavesdrop on their conversations.”
In basic terms, an authentication ceremony allows users to confirm the identity of the person they’re communicating with on one of these messaging services. Those who take advantage of this security option guarantee that no other party – not even the company providing the messaging application – can intercept the messages.
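A simplified sketch of what such a ceremony checks, added here as an illustration and not taken from the study or from any of the three apps: it assumes each phone derives a short code from its own public key and the key it was given for the other person, and that the users compare the two codes in person or over a call. The key values, function names and code format are all constructed for the example.

```python
import hashlib
import hmac

def safety_code(key_a: bytes, key_b: bytes) -> str:
    """Short human-comparable code bound to two public identity keys."""
    # Sort so both devices hash the keys in the same order.
    first, second = sorted((key_a, key_b))
    # Length-prefix each key so the concatenation is unambiguous.
    material = b"".join(len(k).to_bytes(2, "big") + k for k in (first, second))
    digest = hashlib.sha256(b"ceremony-example-v1" + material).digest()
    number = int.from_bytes(digest[:16], "big") % 10**30
    digits = f"{number:030d}"
    # Six groups of five digits are easy to read aloud.
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))

def ceremony_passes(alice_pub, bob_pub, bob_seen_by_alice, alice_seen_by_bob) -> bool:
    """Each phone shows a code built from its own key and the key the
    server delivered for the peer; the users compare the two codes."""
    on_alice_phone = safety_code(alice_pub, bob_seen_by_alice)
    on_bob_phone = safety_code(alice_seen_by_bob, bob_pub)
    return hmac.compare_digest(on_alice_phone, on_bob_phone)

# Constructed stand-ins for 32-byte public keys (not real key material).
ALICE = hashlib.sha256(b"alice-identity-key").digest()
BOB = hashlib.sha256(b"bob-identity-key").digest()
RELAY = hashlib.sha256(b"intercepting-relay-key").digest()

def honest_delivery() -> bool:
    # The server hands each user the other's genuine key.
    return ceremony_passes(ALICE, BOB, bob_seen_by_alice=BOB, alice_seen_by_bob=ALICE)

def substituted_delivery() -> bool:
    # A party in the middle hands both users its own key instead.
    return ceremony_passes(ALICE, BOB, bob_seen_by_alice=RELAY, alice_seen_by_bob=RELAY)

if __name__ == "__main__":
    print("honest delivery, codes match:     ", honest_delivery())
    print("substituted delivery, codes match:", substituted_delivery())
```

When the keys are delivered unchanged the two phones show the same code; when a key has been swapped in transit the codes differ, which is the mismatch the ceremony is meant to surface.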
To see which steps typical users took to protect their privacy, the researchers asked a group of people to participate in a multi-phase experiment. In the first phase, the participants were asked to share a credit card number with another person in the study while keeping in mind that the information should be kept confidential.
The results showed that only 14% of users successfully authenticated the recipient of the messages, with most resorting to ad-hoc security measures like asking the recipient to reiterate details of a shared experience.
In the second phase, participants were once again asked to share a credit card number, but this time the researchers accentuated how important authentication ceremonies were for maintaining privacy. The results showed that this extra direction led to 79% of participants authenticating their partner. However, the researchers found that completing this extra security step tended to take some time – around 11 minutes on average.
While the study shows that many users are able to conduct authentication ceremonies to maintain privacy, doing so is not necessarily at the forefront of their minds when using these messaging apps. The researchers hope that these services will adapt to make authentication ceremonies more automatic so that consumers don’t leave themselves exposed.
"If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education," said Vaziripour.
"Security researchers often build systems without finding out what people need and want," added researcher and professor Kent Seamons. "The goal in our labs is to design technology that's simple and usable enough for anyone to use."