WhatsApp, FB Messenger, Viber expose users to hacks: study

Researchers at Brigham Young University found most users are vulnerable to attacks because they don't know about, or aren't using, the proper security features. Just 14 percent were found to do so.

Users of popular messaging apps WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking, according to a new study. 

Researchers found the majority of users are vulnerable to malicious attacks because they either don't know about or aren't using the proper security features. 

In a study, only 14 percent of participants successfully enabled the full security function that would protect their messages.

Scroll down for video 

Users  WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking, according to a new study. Researchers found the majority of users either don't know about or aren't using the proper security features

Users  WhatsApp, Facebook Messenger, and Viber are unknowingly leaving themselves exposed to fraud and hacking, according to a new study. Researchers found the majority of users either don't know about or aren't using the proper security features

THE FINDINGS 

In the study's first phase, only 14 percent of users, however, managed to successfully complete the authentication ceremony.

In the second phase, in which they were explicitly told about the thread and advised to complete an authentication ceremony, 79 percent were able to successfully authenticate the other party.

The percentage for phase two varied from 63 to 96 percent from app to app, with participants finding the most success with Viber and less with Facebook Messenger and WhatsApp.

However, researchers discovered it took those participants an average of 11 minutes to do so. 

'It is possible that a malicious third party or man-in-the middle attacker can eavesdrop on their conversations,' said Brigham Young University computer science PhD student Elham Vaziripour, who led the recent study.

Facebook messenger doesn't offer automatic encryption but allows users to set it up themselves. 

WhatsApp and Viber, however, both tout their end-to-end encryption is automatic and makes it so even they can't access your messages, which leads many users to believe their conversations are secure.

But that's not the case - to truly encrypt messages, all three apps require what's called an 'authentication ceremony.'

The process allows users to confirm the identify of their intended conversation partner and makes sure no other third party can trick you into revealing the contents of your messages.

Without doing so, Daniel Zappala, a computer science professor who worked on the study, told DailyMail.com that 'a clever hacker could make you think that you are encrypting your messages to your partner (let's call her Alice), when in reality, you are encrypting your messages for an intruder (let's call her Trudy).'

Authentication ceremonies for WhatsApp, Viber and Facebook Messenger

Authentication ceremonies for WhatsApp, Viber and Facebook Messenger

'Trudy decrypts your messages, so she can read them, and then re-encrypts the messages to send them to Alice.'

'Alice thinks she got the messages directly from you, when in reality, Trudy was in the middle of the conversation and able to read it all.'

'This could be done by the service provider or by a hacker who is able to get into the middle of your conversation (such as at a wireless hotspot) and is known as a "man-in-the-middle" attack in the security community.'

When users perform the authentication ceremony, they are essentially comparing 'keys' to see the secured conversation to make sure they match.

Yet most users are completely unaware such action is necessary to keep their messages private, as the manual process is 'somewhat hidden behind a few clicks in the user interface,' according to Zappala. 

While explicit instructions regarding the authentication ceremony caused a drastic increase in the number of users completing it, researchers discovered it took those participants an average of 11 minutes to do so, revealing how confusing the process is

While explicit instructions regarding the authentication ceremony caused a drastic increase in the number of users completing it, researchers discovered it took those participants an average of 11 minutes to do so, revealing how confusing the process is

'The effective security provided by secure messaging applications depends heavily on users completing an authentication ceremony—a sequence of manual operations enabling users to verify they are indeed communicating with one another,' reads the paper, which was presented at Thirteenth Symposium on Usable Privacy and Security.

'Unfortunately, evidence to date suggests users are unable to do this.' 

In the first part of the two-phase experiment - which was funded in part by more than $1 million in grants from the National Science Foundation and Department of Homeland Security - the research team prompted study participants to share a credit card number with a friend they brought with them for the experiment.

The researchers also warned the participants about potential threats and encouraged them to make sure their messages were confidential.

Only 14 percent of users, however, managed to successfully complete the authentication ceremony.

Timing for finding and using the authentication ceremony in the second phase. Lighter shades indicate the time taken to find the ceremony and the full bar indicates time taken for completing the ceremony

Timing for finding and using the authentication ceremony in the second phase. Lighter shades indicate the time taken to find the ceremony and the full bar indicates time taken for completing the ceremony

Others made misguided attempts to verify the recipient was the correct person by assuming it was so because they recognized their picture or by asking for details about a shared experience, not realizing this would not secure the information from hackers.

'These answers show the participants understood how to verify that they are talking to the right person, but also show a lack of understanding that someone else could be intercepting and monitoring their phone call or text messages,' Zappala told DailyMail.com.

'We were hoping that a general awareness that they should be careful would lead them to find and use the ceremony, but this wasn't the case.'

In the second phase of the study, participants were again asked to share a credit card number, but in this round researchers explained what man-in-the-middle attacks are and emphasized the importance of authentication ceremonies. 

With that prompting, an average of 79 percent of users were able to successfully authenticate the other party.

Facebook Messenger proved the most difficult with only a 63 percent success rate, while WhatsApp and Viber fared better with 79 and 96 percent success rates respectively.

The researchers say it's difficult to make a case for users going through such hurdles to enable proper security because they never experience hacking. But they say that because there's always a risk, it shouldn't be that way and that the process needs to be 'much easier to do'

The researchers say it's difficult to make a case for users going through such hurdles to enable proper security because they never experience hacking. But they say that because there's always a risk, it shouldn't be that way and that the process needs to be 'much easier to do'

While explicit instructions regarding the authentication ceremony caused a drastic increase in the number of users completing it, researchers discovered it took those participants an average of 11 minutes to do so.

'Once we told people about the authentication ceremonies, most people could do it, but it was not simple, people were frustrated and it took them too long,' Daniel Zappala, a computer science professor who worked on the study, said. 

The researchers say it's difficult to make a case for users going through such hurdles to enable proper security because they never experience hacking.

But they say that because there's always a risk, that shouldn't be the thinking and that the process needs to be 'much easier to do.'

'Security researchers often build systems without finding out what people need and want,' said Kent Seamons, another computer science researcher on the project.

Zappala emphasized this, telling DailyMail.com: 'We'd much rather that people don't need to understand a lot about security in order to use secure messaging applications.' 

The researchers are recommending the process be made automatic.

Participant ratings of trust for each application for both phases of the study

Participant ratings of trust for each application for both phases of the study

'If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education,' said Vaziripour.  

'The goal in our labs is to design technology that's simple and usable enough for anyone to use.' 

DailyMail.com has reached out to all three companies to ask why they haven't made the process simpler and if they have any plans to in the future.

The professors' are researching how to do just that in their labs.

Zappala pointed to the integration of a new system called COINKS - which could monitor these messaging services to make sure they are not giving different keys to different people - as a possible method.

'They should always give out my key when they ask for the key associated with my phone number, for example,' he said. 

Another possible method he spoke of is social authentication, in which a user would essentially post a public key associated with their identity on all their social networks.

'As for why this hasn't happened already? Having a global system to match an identity (your phone number or your email address) to an encryption key is a very hard problem,' Zappala told DailyMail.com.

'Even if you get that problem right, it raises a bunch of other hard problems: For every public key that you advertise with your identity, there is a matching private key you have to keep secret -- how do we help people make sure they keep those secret? What if they lose it or it is stolen? How do they move these between devices they own safely? How do we help people use this technology so it is all easy for them?'