Let's talk about UX and security - those two may not seem to go hand-in-hand. Some services encourage users to enable additional protection, some have it enabled by default and some have these options hidden deep in the menu. I will compare security features available for users in multiple services including telecommunication providers, online banking and cryptocurrency exchanges across Poland, Australia and USA: - PINs, passwords and authentication in mobile apps - fine-grained payment limits for cards and wire transfers - 2-factor authentication - geolocation security - biometric authentication - process authorisation How to introduce security features to make users adopt them easily? How to educate users by allowing them to set up additional security mechanisms?

1. www.securing.pl
Jakub Kaluzny
SECURITY EDUCATION
VIA
SECURITY FEATURES

2. www.securing.pl
Story time

3. www.securing.pl
who
JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling, DevSecOps,
penetration tests
• Poland, Spain, Australia
• banking, fintech, law, airline,
entertainment, e-commerce
• Speaker at BlackHat,
HackInTheBox, ZeroNights

4. www.securing.pl
why
The bigger picture
Types of security features
Successful and failed implementations

5. www.securing.pl
what
Security features as a way to educate users
Default vs opt-in integration
Costs of risk management
How to marry security with UX

6. www.securing.plwww.securing.pl
SECURITY EXPERIENCE (SX)

7. www.securing.pl
Let’s set up a bank account - passwords
password
P4SSW0
P4$$w0rd
Q)2O$Ft*pwORyA!
P4SSW0
D4FB6A
👍
👎

8. www.securing.plwww.securing.pl
- How often are you made to change your password?
PASSWORD CHANGE POLICY

9. www.securing.pl
Let’s sign in!
• How to not store
plaintext?
• Does it protect against
phishing?
• Can you use password
manager?
👎

10. www.securing.pl
Let’s link a mobile app
Separate authentication for web and mobile channel
👍👎 👍

11. www.securing.pl
Let’s get a SIM card - PIN
• Europe
Usually lock turned on by default
Random PIN
• USA, Australia
Opt-in lock
Default PIN (0000 or 1234)
👍
👎

12. www.securing.pl
Let’s switch a telco provider
👎 👎 👎👎 👎

13. www.securing.pl
Mitigations
• Require strong authentication
Physical ID check
• Notifications
To both new existing services / devices
• One crypto currency exchange in US:
Delay when changing key account data

14. www.securing.pl
Other authentication methods
• Fingerprint – what can go wrong?
• Voice authentication
• Apple FaceID
👍
👎

15. www.securing.pl
2-factor authentication
👍
👍
👎
👎
👎

16. www.securing.plwww.securing.pl
LIMITS, AUTHORISATION,
NOTIFICATIONS

17. www.securing.pl
Transaction limits – more Security Experience (SX)
👍
👎
👍

18. www.securing.pl
Other security features
👍 👍👍

19. www.securing.pl
Default vs opt-in
👍👎 https://github.com/securing/IOSSecuritySuite

20. www.securing.pl
Behavioral security features
Golden Banker Report – Security
https://www.securing.pl/raport-zloty-bankier-2019

21. www.securing.pl
Do not be paranoid
• Some time ago I published “security health check”
https://goo.gl/BSZ4mN
• What is the name of your first dog?
Co76WB/1Xd8zF90Lyi

22. www.securing.plwww.securing.pl
SUMMARY

23. www.securing.pl
• Award users for setting security features:
One Polish bank moving away from TAN / scratch cards
Cheaper car insurance
• Got back-end? Got User Experience? Go for Security Experience as well!
Ideas
👍

24. www.securing.pl
• Threat modeling
• Consult before implementation
• Allow using password managers
• Introduce 2-FA wherever possible
• Turn on limits, notifications and other security features by default
• “SECURE BY DEFAULT”
• “Every software engineer is now a security engineer” – Jim Manico
Best practices

25. www.securing.pl
Materials
•Golden Banker Report: Security - https://www.securing.pl/raport-zloty-bankier-2019
•Hacking Voice Biometrics - https://www.slideshare.net/JakubKaluzny/kaluzny-
pentesting-voicebiometricsauscert2017
•iOS Security Suite – https://github.com/securing/IOSSecuritySuite
•Security health check - https://goo.gl/BSZ4mN

26. www.securing.pl
Thank you!
Jakub.Kaluzny@securing.pl
@j_kaluzny
• Golden Banker Report: Security - https://www.securing.pl/raport-zloty-bankier-2019
• Hacking Voice Biometrics - https://www.slideshare.net/JakubKaluzny/kaluzny-
pentesting-voicebiometricsauscert2017
• iOS Security Suite – https://github.com/securing/IOSSecuritySuite
• Security health check - https://goo.gl/BSZ4mN