Tom Kemp, CEO of Centrify, told SCMagazineUK.com: “It's shocking that 25 percent of respondents have been victims of identity theft - but both the UK and US surveys showed the same levels. When we look for reasons why this may be, then we'd highlight the finding that 38 percent of users don't use a PIN number on their phone and 25 percent of users use the same password across all devices.
“But the reality is that a lot of us don't know whether we've been hacked. There's the ‘Have I been Pwned?’ website where users can type in their email and find out if it's on hacker databases now in the public domain, where people can find out, as they may not have been notified that their details have been stolen. And the root cause is often the weakness of passwords.”
Unsurprisingly, those most likely to say they have been victims of identity theft are those who probably best understand and notice the signs of identity theft: IT workers, online shoppers, higher-salary workers, the tech-savvy, and those with a high digital footprint.
Kemp suggests the solution is a multi-factor approach, with policies to determine when the multi-factor access needs to be used, so that it is only deployed when necessary, such as if you are outside the corporate network trying to access Salesforce.
Although the survey was of the general population, the majority use their phone within a work situation, so while Centrify concentrates on enterprises, the survey aims to provide a better picture of the failings of passwords in general, and personal mobiles as a vulnerability due to weak passwords.
Kemp adds: “It's good to know that 81 percent are concerned about the prospect of identity theft, and so awareness is increasing, but this is not being translated into action, with issues like the level of shared password use remaining high. Organisations need to force things such as password changing, and using technology to improve security.”
Bob Tarzey, an analyst and director with Quocirca, the business analysis house, noted that one of the limitations of the survey findings was that it was conducted among the general public, commenting, “What companies do and what people do personally is different. Most people's phones won't be hacked – it's only really celebrities or those who have come into the public eye, such as being a victim of crime.”
However, he acknowledged, “Using the same password for registering to a web site and for banking transactions would be stupid. But using the same password for low level purposes – such as registering for websites – makes a lot of sense for an individual. So blanket advice is not always so helpful.”
The survey also showed that those who spend more time online are less concerned about their identity being stolen, with 62 percent of those very concerned about ID theft having a medium digital footprint, 46 percent low, and 26 percent high. Also, only 26 percent of those with a high digital footprint were concerned about having credit card information stolen via an online shopping website, or their email accounts being spammed.
Online purchases were the top reason that users thought they became victims of identity theft. Just 15 percent believed their passwords are very secure, while those that do less online shopping (12 percent), those aged 50-64 (11 percent), and those with a medium digital footprint (11 percent) had the least confidence in the security of their passwords.
The survey ranks concerns as follows:
1) ID theft (81 percent)
2) Credit card information stolen online (79 percent)
3) Email spam (68 percent)
4) Social network privacy (59 percent)
5) Cyber-bullying (40 percent)