SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Is the internet getting safer?
Fri, 18th May 2018

Connecting our human selves to our digital identities is hard. How does your bank know it's really you behind the browser opening a new account?

How does Facebook know the person logging in from a computer in Turkey is you on holiday, and not a cybercriminal?

We've been relying on online usernames and passwords to make the connection between people and their online identities for years.

However, with the constant barrage of websites being hacked, and data being stolen, it's clear that relying on this method is no longer enough to protect our information online.

Together with npm, the world's largest software registry, we have combined data from the past 24 months to look at what security trends are emerging amongst application developers.

But to understand the trends we see in this data, we first have to understand the breaches taking place, and the level of awareness users have about online security.

Breaches galore

Online data breaches have come to be a regular occurrence.

They range from iCloud celebrity photo leaks and classified government data being exposed to the public, to personal data lost from enormous credit company Equifax, not to mention Facebook's recent problems.

There is no doubt that there has been a massive increase in the number of breaches over the past two years.

According to Troy Hunt, Information Security Author - Instructor at Pluralsight, Microsoft regional director and founder of Have I Been Pwned, there were 2.9 million globally exposed user records due to data breaches over the past 24 months.

Locally, Australia certainly isn't immune to the cyber threats.

The Australian Defence Force had data leaked, resulting in the loss of 30GB of “commercially sensitive” information. This included documents detailing classified projects and blueprints for planes and Australian navy ships, which were leaked to the general public.

Consumers are doing something about it

Perhaps the most reliable method for consumers to secure their data is through two-factor authentication (2FA), which typically involves a one-time passcode being sent via SMS to confirm your login.

This method is over 30 years old and is often seen as awkward, requiring a user to re-type a code sent to their phone. Push authentication has recently emerged as a much better way to authenticate users to their online accounts, by using apps on your smartphone to ask for an approval or denial of the request to access your account.

Having ownership of the device receiving the message ensures that hackers with your username and password now need to get your device as well before emptying your bank account, for example.

According to Google Trends, there has been a steady increase in the general population's interest in 2FA, with searches more than tripling in the last two years.

However, there is still a long way to go. A quick look at the website Two Factor Auth shows that only 50% of 1,000 popular websites offer any form of 2FA.

What this shows is that while consumers are becoming more aware of this practice, businesses need to be doing more to activate it and make it available to their customers.

After looking at our 2FA API, we tracked the trends for how our customers' users are enabling and using 2FA. Over the past 24 months, we saw a 538% increase in users logging in with 2FA-enabled accounts.

Developers are taking action

It's pretty obvious that hackers are successfully exposing user data.

This has pushed developers to look for ways to improve the security of their apps. npm analysed the metadata of every security package on the Registry - a publicly-searchable collection of over 600,000 modules of reusable JavaScript code accessed by over 12 million developers per week - and uncovered some dramatic trends.

Downloads of the most popular security packages on the Registry have increased by 548% since January 2016 and popular packages for supporting 2FA have also grown in popularity, seeing a 320% increase in downloads over the last 24 months.

The massive increase in downloads of security tools highlights a growing pressure on developers to update their applications with better security. The whopping 320% increase in downloads of 2FA packages illustrates just how rapidly it is becoming a security standard across applications and industries.

Progress is being made

The conclusion that can be drawn from all this data is that, from an application perspective, data breaches are not slowing down, which is leading developers and consumers to look to the open source community for solutions.

While data breaches are likely to continue, tools like 2FA give both developers and consumers the ability to secure their data.

But is the internet getting any safer?

Enabling 2FA definitely ensures user accounts are a lot more secure than when protected just by passwords, and evidence shows its usage is significantly increasing - a sign that our online accounts are being better protected.

2FA is one of the best ways to protect online accounts against a takeover, but it needs to become mainstream.

If applications adopt modern methods such as push authentication, not only will it improve the user experience, but it will also incline developers to make 2FA mandatory, therefore making strong security a default for all our online accounts.