Brits happy to hand over password details for £5 gift voucher
UK consumers have rather glaring double standards when it comes to information security risks, according to a new survey by Symantec. Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the …
Hands up who wouldn't make up a password in exchange for a £5 voucher ?
Namely that people aren't willing to lie about something that cannot be verified in order to get a free lunch.
I'd have no compunction whatsoever in taking an M&S voucher in return for spuriously made-up-on-the-spot nonsense. I mean, were these people really expecting to be told the truth?
Either that, or this is a cunning IRL phishing trip...
Why on Earth are people still doing these studies? What has been proved - conclusively - by several studies before is that people will quite happily tell a researcher a word that may or may not be their actual password in exchange for a reward.
Hell, I'd be more than happy to tell a researcher that my password was "scr3wball" in return for £5 worth of loot. It's not, of course, but how exactly are they going to know that?
... the flaw with these surveys -
Q) Can I give you a voucher to give me your password.
A) OK. Its err Lamppostboxnatwest.
Recieve £5 for making up a word, pass go, do not go directly to jail.
If someone comes to me in the street and asks for my password for a gift voucher or even a choc bar then I will give them a word or phrase
How do they know if it is or isn't my password ?
Do they check every reply given to them
Another useless survey just so someone can crunch a few numbers
I use my local train station as one password: Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
I use my favourite colour as another: Five.
I use my favourite football team as a third: Gordon Brown.
Spot the pattern yet? If you offer me a voucher for 5 quid, I'll tell you a load of random passwords... And may even throw in a random username too.
(Bet I'm not the only one that's making this point - but none visible yet)
is always the md5 of the site name prepended with P45sw0rd.
Can I have my £5 voucher / chocolate bar please...
Anyone test any of the passwords they got?
Not so sure this counts as double standards. We can be as careless with our personal details as we want - it might not be very clever, but they're ours after all. When other people are careless with our details, that's a different matter though.
It's the same as with money; if we want to spend our hard earned on trivialities like gambling or booze, fair enough. If some one else is careless with it, extreme displeasure and/or court cases.
"Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher..."
In other words, the remaining 40% were witless enough to not give fake password data in exchange for a gift voucher.
So you're saying that 40% of those surveyed are too dim to make up a fake password for a £5 voucher? These alleged surveys keep coming up and the same claims are made, without anyone (from the people doing the survey to the journalists who uncritically reproduce the results) apparently considering that 56.98% of people[1] will tell porkies to get free stuff.
Offer me money/vouchers/chocolate/booze and I'll happily give you lots of passwords. I can't promise that any of them will get you anywhere, but they will be passwords...
Of course, it's quite possible that 78.21%[2] of those handing over passwords were completely silly, and gave real ones, but there's no real way of telling, is there?
[1] I'm sure that figure is right. Somebody did a survey....
[2] There was a survey about that, too. Probably
Yes, I phone up companies and tell them the numbers on this card thing in my wallet, in return they send me free stuff, works everytime.
Right, must rush. I have an appointment with my bank manager at lunch, something about an account being massively overdrawn, whatever that means.
Anonymous Coward:
"Another useless survey just so someone can crunch a few numbers"
Actually it's a cunning plan by Marks and Spencer's to get the newspapers to namecheck them in "serious and hard-hitting" news articles.
See, Reg, they'd stop if you called it a "high street shopping voucher" or something. If they want to advertise here, make them pay *you*, not some spotty student with a clipboard.
Even if lots of people do make up stuff to get the voucher, surely statistically (and i normally hate stats like this), some people WILL give their real details.
Either way, its difficult to find out whether people really would or would not do this, so lets conclude that ALL users are not to be trusted in a companies network. Then provide users with access only where necessary. ... oh wait thats the idea behind network security.
So basically since user x SAYS they will give their password away for a fiver, then you have to assume they would and treat them as such.
... because, frankly, a £5 M&S voucher is damn all use.
Now if it was a bar of chocolate, I'd be happy to give you all the passwords you want.
(Of course whether they're actually the real ones is another matter...)
What is the world coming to? For one thing, it seems every commenter on this site is willing to tell a barefaced lie for a very small benefit, and with no regard to the resulting skewed socialogical and scientific data.
I am even more shocked by the apparent lack of shame regarding this dishonest activity. It is one thing to be dishonest, it is another to brag about it on a public forum and with your real name. Mr. Graham Wood, I hope you are ashamed of yourself.
what makes symantec think that online shops are more likley to take all your presonal data and lose it than hi street shops?
I have been using the net since 1994, and paying for stuff online since that time. I have never had my identity stolen. I have however had money stolen, and not because someone cracked a dbase containing my card number. The money was stolen by an EMPLOYEE of the company I had ordered from, using my card details to finance their fun.
The same happened to family members, and they never use the computer. Ever give your details over the phone ? Then you're just as much at risk as from any online phishing scam.
Overall, I would rather have online payments handled by a third party rather than the company running the site itself, as the third party ensures the scallies working for the client company don't see my card details.
I missed out - if they asked me, I'd have said my password was tw@dangle !
Mine's the one without the £5 M&S voucher
Look at it another way: anyone who has worked desktop support knows that you can on a variety of server systems reset a user's password to enable the techie to login with their credentials. However, it's a lot easier if the techie simply asks for the user's password then logs in without changing it. Of course, they'll neglect to flag that the password should be changed afterwards...
So what's stopping these techies taking a poke at a little identity theft themselves? Only trust. With that fresh in your mind, ask yourself again: do you really credit over 60% of londoners surveyed with the grey matter to make it all up, or do you think it more likely that they simply were approached on the street and thought "no harm done" when they dished out their password?
I'm betting on an even 50/50 split myself.
if the "researchers" had managed to get the punters to show them their credit card numbers. Bloody sociologists.
"with no regard to the resulting skewed socialogical and scientific data."
And what exactly would the results tell us anyway, assuming everyone is honest? That people are morons? I could tell you that anyway, but I won't give you a M&S voucher for the privelege.
Grow a sense of humour ya boring old fart. Never heard of a bit of fun? Obviously the statistics will be skewed and the people conducting the survey aren't idiots. They'll know that people will just be making up a password when it begins with "err" or "erm". Whatever i'd definitely make on up. Nice one Graham Wood!
Honestly, it's completely worthless Symantec PR. Even Paris would no doubt give them a fake password, and surely they must realise that. What's actually strange is that 40% of people didn't bite and tell them a phony password. Here they can have my password - it's IJustMadeThisUpAndItWon'tWorkOnAnyOfMyAccountsOrFiles. Can I have my £5 M&S voucher then please?
The same has happened to me, but not from online purchases. From people simply getting hold of my card number and name and using them on a website which has no form of verification. Not even the simple three digit verification number. Why do the banks continue to do business with these websites?
Then again why are all transactions not handled on the banks' own servers? Presumably because then the blame for any fraud could be placed at the bank's doors.
Oh, and getting back to the story. Regardless of the fact that most people probably gave a false password, do the researchers not realize that this has been done countless times before and always with very similar results.
You may be surprised to know that M&S - prepare yourself for a shock here - actually sell chocolate bars, and even though it's Marks and Sparks prices you can get more than one for a fiver.
G
The survey is completely flawed of course.
But clearly, there are a lot of people willing to give their Yahoo! or Google password to facebook, in order for it to go and interrogate their address books. And so on for a dozen other social networking sltes. There are lot of very trusting people out there.
Yeah, but unless there's an M&S nearby, you have to spend time travelling to one, shopping for a chocolate bar etc wheras "Here's a choccy bar" gives instant gratification!
I would cheerfully tell someone a false password forming scheme in exchange for an M&S voucher. You can always exchange it for "not just" M&S chocolate and underwear for Paris Hilton.
Argh! Too many virtually identical and off-topic comments!
The real point in this article is the "double standards" issue. It's a point I put to several friends earlier in the year when cases of lost personal data were making the headlines: in general, the average person is careless about account security, whether through using easy passwords and PINs, sharing passwords, letting keyloggers etc. onto their computers (or using web cafés for banking and such), clicking links in phishing e-mails, and so on. Yet they expect to remain blameless for any consequences, or, furthermore, to be bailed out at the expense of their bank (or whoever) when someone steals their money/identity.
I can't believe anyone, even places like the Sun, would 'report' such blatant BS. So I am especially surprised at seeing it here.
Stories like these absolutely infuriate me. I think the only purpose is to give the public an ego boost as they spot the major problems with such a study ??
I agree with Andrew. That I find interesting..
"you can on a variety of server systems reset a user's password to enable the techie to login with their credentials. However, it's a lot easier if the techie simply asks for the user's password then logs in without changing it."
But any IT manager tolerating or encouraging their techies to work this way should be shot. It undermines the message to users: "You Do Not Give Your Password To Anyone, Not IT, Not Your Line Manager, And Not Julie In Accounts Who's Forgotten Hers Again And Doesn't Want To Wait For IT To Reset It".
When these companies do "surveys" in order to put out a press release and get their name in the paper, why not go through and change Symantec to "a data security company".
If all media did that, the firms would stop doing it and we'd get more real news.
You know he was using the "Joke Alert!" icon, right?
And would I give a fake password for £5? Sure, why not? They won't find out.
Keep it up, for the 20% that believe their own data is safe. We've all lost control of our data many times, from addresses or medical records to creditworthiness, and can only hope that those who collect it aren't sheep, black or any other colour.
The double standard observed in the survey is akin to the well documented one of risk-taking. Joe Public accepts high risks under his own control, such as smoking or driving motor cycles. Where he has no control, he objects to much smaller risks, like a vaccine campaign.
The great British public have a collective IQ equivalent to an empty can of salmon!
What more does one expect?
Sign up, sign up for The Register's weekly IT security newsletter - click here
