Some 40% of UK adults have received phishing messages claiming to come from HMRC, yet almost half are unconcerned about the risk of losing personal information ahead of the January tax deadline, according to new research from Miracl.
The multi-factor authentication firm polled 1,000 UK consumers to better understand attitudes to online security.
It found that a worryingly high 20% had been a victim of data theft or identity fraud, or knew a close friend or family member who had.
But despite these stats—and the large volume of HMRC phishing spam circulating at this time of year—there was widespread ignorance about the potential risks.
Some 48% said they weren’t worried about losing personal and financial information.
In fact, e-commerce sites made the largest number of respondents nervous (51%), followed by online banking (36%) and, far behind, online government services (14%).
Miracl CEO Brian Spector warned that this apparent confidence is misplaced given the volume and scope of personal and financial data that could be stolen by an authentic-looking HMRC phishing email.
Unsurprisingly, given the nature of the company, Miracl argued that password-based log-in systems for government services are to blame for the complacency. Users believe that by creating strong passwords they are safe, but of course this doesn’t protect them from phishing.
Historically, organizations have been slow to roll out more secure, multi-factor authentication systems.
“It’s because multi-factor solutions are either too hard to use, too expensive/hard to scale, or not secure in that the technology can be brute forced or has a single point of compromise,” CEO Brian Spector told Infosecurity by email.
“In addition, the ‘authentication as a service’ tech companies require too much information sharing, which makes the service unusable for high assurance environments.”
In spring, the UK government is rolling out a new Verify service which will allow Brits to use multi-factor authentication to log in to their Gov.uk profiles.
Miracl’s M-Pin system has been chosen alongside others to support the program – using a five-digit PIN alongside a software token installed in the desktop browser or mobile device to authenticate.
“M-Pin is resistant to MITM because the M-Pin Protocol is cryptographically designed to be MITM resistant,” Spector explained.
“The difference with M-Pin is that it is an ‘authenticated key agreement’ protocol. These are cryptographic protocols that have been powering VPN and SSL security for decades.”
Tax agencies around the world usually report an increase in phishing and other scam attacks in the run-up to reporting deadlines.
Last year at this time, Get Safe Online was forced to run an awareness-raising campaign, claiming that nearly 25,000 phishing emails were reported to HMRC and 611 scam sites shut down in the run-up to the previous tax credit renewal deadline.
Photo © Looker_Studio