Let's talk about UX and security - two things that may not seem to go hand in hand. Some services encourage users to enable additional protection, some have it enabled by default, and some have these options hidden deep in the menu.
I will compare the security features available to users of multiple services, including telecommunication providers, online banking and cryptocurrency exchanges, across Poland, Australia and the USA:
- PINs, passwords and authentication in mobile apps
- fine-grained payment limits for cards and wire transfers
- 2-factor authentication
- geolocation security
- biometric authentication
- process authorisation
How do you introduce security features so that users adopt them easily? How do you educate users by letting them set up additional security mechanisms?
3. www.securing.pl
who
JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling, DevSecOps, penetration tests
• Poland, Spain, Australia
• banking, fintech, law, airline, entertainment, e-commerce
• Speaker at BlackHat, HackInTheBox, ZeroNights
11. Let's get a SIM card - PIN
• Europe: SIM lock usually turned on by default, random PIN 👍
• USA, Australia: opt-in lock, default PIN (0000 or 1234) 👎
13. Mitigations
• Require strong authentication, e.g. a physical ID check
• Notifications to both the new and the existing services / devices
• One cryptocurrency exchange in the US: a delay when changing key account data
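The delay-on-change mitigation, worked through in code. This is an added example and not code from the talk or from the exchange it mentions: a change to a recovery channel is staged, both the old and the new contact are notified, the old contact gets a token that can veto the change, and the change only takes effect after a cooling-off period. The 24-hour delay, the field names, the in-memory notification list and the account data are assumptions made for the demo.

```python
"""Cooling-off period for changes to key account data (added example).

Models the mitigation slide: a change to a recovery channel (e-mail, phone)
requires strong authentication, notifies BOTH the old and the new contact,
and only takes effect after a delay, during which the legitimate owner can
cancel it with a token sent to the old contact.  The 24 h delay, the field
names and the in-memory notification list are assumptions for the demo.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CHANGE_DELAY = timedelta(hours=24)  # assumed value; the talk gives none
KEY_FIELDS = ("email", "phone")     # assumed set of "key account data"


@dataclass
class PendingChange:
    field_name: str
    old_value: str
    new_value: str
    effective_at: datetime
    cancel_token: str  # sent only to the OLD contact, so the owner can veto


@dataclass
class Account:
    email: str
    phone: str
    pending: dict = field(default_factory=dict)        # field_name -> PendingChange
    notifications: list = field(default_factory=list)  # (recipient, message); stands in for SMS/e-mail


def request_change(acct: Account, field_name: str, new_value: str,
                   strong_auth_ok: bool, now: datetime) -> PendingChange:
    """Stage a change; it is NOT applied yet.  Requires strong authentication
    (the caller proves it, e.g. hardware 2FA or the physical ID check)."""
    if not strong_auth_ok:
        raise PermissionError("strong authentication required for key account data")
    if field_name not in KEY_FIELDS:
        raise ValueError(f"{field_name} is not a key account field")
    old_value = getattr(acct, field_name)
    change = PendingChange(field_name, old_value, new_value,
                           effective_at=now + CHANGE_DELAY,
                           cancel_token=secrets.token_urlsafe(16))
    acct.pending[field_name] = change  # a newer request replaces an older one
    when = change.effective_at.isoformat()
    # Old contact learns about the change AND receives the veto token.
    acct.notifications.append((old_value,
        f"Your {field_name} changes to {new_value} at {when}. "
        f"Not you? Cancel with token {change.cancel_token}"))
    # New contact is informed too, but gets no power to cancel.
    acct.notifications.append((new_value,
        f"This {field_name} becomes active for the account at {when}"))
    return change


def cancel_change(acct: Account, field_name: str, token: str) -> bool:
    """Veto a pending change with the token from the old contact.
    compare_digest keeps the comparison constant-time."""
    change = acct.pending.get(field_name)
    if change is None or not secrets.compare_digest(change.cancel_token, token):
        return False
    del acct.pending[field_name]
    acct.notifications.append((change.old_value, f"{field_name} change cancelled"))
    return True


def apply_due_changes(acct: Account, now: datetime) -> list:
    """Apply every pending change whose delay has elapsed (e.g. from a cron job).
    Returns the names of the fields that were changed."""
    applied = []
    for name, change in list(acct.pending.items()):
        if now >= change.effective_at:
            setattr(acct, name, change.new_value)
            del acct.pending[name]
            applied.append(name)
    return applied


def demo() -> dict:
    """Two scenarios on one constructed account: a hijacked-session change to
    the phone number that the owner vetoes in time, then a legitimate e-mail
    change that goes through once the delay has passed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account(email="owner@example.org", phone="+48000000000")  # constructed data

    # Scenario 1: attacker with a valid session re-points the phone to a new SIM.
    bad = request_change(acct, "phone", "+48111111111", strong_auth_ok=True, now=t0)
    too_early = apply_due_changes(acct, t0 + timedelta(hours=1))  # [] : still pending
    vetoed = cancel_change(acct, "phone", bad.cancel_token)       # owner reads the old phone's SMS

    # Scenario 2: owner changes e-mail; a guessed token is rejected, the delay elapses.
    request_change(acct, "email", "new@example.org", strong_auth_ok=True, now=t0)
    wrong_token_rejected = not cancel_change(acct, "email", "not-the-token")
    applied = apply_due_changes(acct, t0 + CHANGE_DELAY)

    return {"too_early": too_early, "vetoed": vetoed, "phone": acct.phone,
            "wrong_token_rejected": wrong_token_rejected,
            "applied": applied, "email": acct.email,
            "notifications_sent": len(acct.notifications)}


if __name__ == "__main__":
    print(demo())
```

The point of sending the veto token only to the old contact is that an attacker who already controls the session (or the new SIM) cannot use it to short-circuit the delay, while the legitimate owner, who still holds the old channel, can stop the takeover before it becomes effective.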
21. Do not be paranoid
• Some time ago I published a “security health check”: https://goo.gl/BSZ4mN
• What is the name of your first dog? Co76WB/1Xd8zF90Lyi
23. Ideas
• Reward users for enabling security features:
  One Polish bank moving away from TAN / scratch cards
  Cheaper car insurance
• Got back-end? Got User Experience? Go for Security Experience as well!
24. Best practices
• Threat modeling
• Consult before implementation
• Allow the use of password managers
• Introduce 2FA wherever possible
• Turn on limits, notifications and other security features by default
• “SECURE BY DEFAULT”
• “Every software engineer is now a security engineer” – Jim Manico