US President Barack Obama has ordered better federal cooperation with private firms to fight hackers. Credit: Nicholas Kamm/AFP/Getty

It would be easy to blame the poor soul at Sony Pictures Entertainment who opened the door to one of the most disastrous hacks in history just by clicking an e-mail link. As US President Barack Obama pointed out during a visit to Stanford University in California on 13 February, user negligence is often the key to a successful cyberattack.

“It’s just too easy for hackers to figure out usernames and passwords, like ‘password’. Or 12345 … 7,” Obama said. But people do this kind of thing all the time, says Angela Sasse, head of information-security research at University College London. Researchers have found that after employees were asked to create long passwords according to strict rules, some of them wrote the password down in an easily accessible place, such as on a desk in plain sight. Other employees might choose to work outside a secured network because it runs too slowly (see also go.nature.com/buxsds).

Such measures confound security experts but are a logical response to the increasing security workload imposed on employees, Sasse says. “We want security that is effective but also allows us to get on with the job,” she adds. “A lot of smarter companies are realizing that some of these security measures are a bad productivity drain.” Cormac Herley, a security researcher at Microsoft Research in Redmond, Washington, has estimated that the world’s Internet users collectively spend the equivalent of 1,389 years every day entering passwords (C. Herley IEEE Secur. Priv. 12, 14–19; 2014).

Generally, the financial services industry is further ahead than others in dealing with the problem, because its business relies on ensuring that customers can easily access their funds while thieves are kept out. But a spectacular failure in its efforts was revealed on 16 February, when the Russian computer-security firm Kaspersky Lab described how hackers had managed to steal an estimated US$1 billion from financial institutions around the world by infiltrating a bank in Ukraine. As in the Sony case and many others, the fatal security flaw was an errant click on an e-mailed link.

In banking, authentication is the key step — verifying that someone trying to access funds in a customer’s name is the actual customer. This is increasingly done through layers of multiple passwords that must meet rules on length and complexity, making them hard to enter correctly on mobile devices, for example.

Some banks are experimenting with ways to jettison passwords altogether. In 2013, major German banks deployed a system called photoTAN that uses an application downloaded to a phone or desktop computer to ensure that only customers can see e-mailed account information and that hackers cannot send counterfeit e-mails. The system mathematically encodes transaction information into an image that looks to a hacker or any other observer like a meaningless jumble of coloured squares. But when a customer with the application snaps a photo of the image, it is decoded to reveal the transaction information.
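To make the idea concrete, here is a toy model of such an image-based scheme, added as an illustration rather than photoTAN's actual encoding (which the article does not describe). It assumes a per-device secret key shared between the bank and the customer's app, an HMAC-based stream cipher standing in for a real authenticated cipher, and a hypothetical eight-colour palette carrying three bits per square.

```python
"""Toy model of an image-based transaction-signing scheme (added illustration).

Not the real photoTAN encoding. Assumed model: bank and app share a per-device
secret key; the bank encrypts and authenticates the transaction text under that
key and renders the bytes as coloured squares (3 bits each). An observer sees
only a jumble of colours, and an altered or forged grid fails the tag check.
"""
import hashlib
import hmac
import os

PALETTE = ["red", "green", "blue", "yellow", "cyan", "magenta", "white", "black"]
NONCE_LEN, TAG_LEN = 8, 8  # bytes; the tag is a truncated HMAC-SHA256

def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode. A real scheme uses a vetted AEAD.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encode_transaction(key, transaction, nonce=None):
    """Bank side: encrypt + authenticate the transaction, return the coloured squares."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plaintext = transaction.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    bits = "".join(f"{b:08b}" for b in nonce + ciphertext + tag)
    bits += "0" * (-len(bits) % 3)  # pad so every square carries exactly 3 bits
    return [PALETTE[int(bits[i:i + 3], 2)] for i in range(0, len(bits), 3)]

def decode_transaction(key, squares):
    """Customer app: read the squares, verify the tag, decrypt. None if the grid is not genuine."""
    bits = "".join(f"{PALETTE.index(colour):03b}" for colour in squares)
    payload = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))  # drops pad bits
    nonce, ciphertext, tag = payload[:NONCE_LEN], payload[NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong device key, or the image was altered or forged
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()

if __name__ == "__main__":
    device_key = os.urandom(32)  # constructed: secret provisioned to the app at enrolment
    grid = encode_transaction(device_key, "PAY 250.00 EUR TO ACCOUNT 12345678")
    print(grid[:6], "...")                        # what an eavesdropper sees
    print(decode_transaction(device_key, grid))   # what the customer's app shows
    grid[30] = PALETTE[(PALETTE.index(grid[30]) + 1) % len(PALETTE)]  # one square altered
    print(decode_transaction(device_key, grid))   # None: forgery rejected
```

The integrity tag is what stops a counterfeit image from being accepted; confidentiality alone would not prevent an attacker from substituting their own transaction.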

A project by Google aims to revamp a system known as CAPTCHA, which distinguishes humans from programs called bots that can be used in various malicious ways, such as harvesting e-mail addresses. The existing CAPTCHA format asks a computer user to retype a line of distorted text to make the distinction, but as artificial intelligence has advanced, the text distortion has increased such that it often defies humans as well as machines. Google’s project aims to make this verification process less painful, and even invisible.

In December, Google deployed a system that, according to the company’s online-security blog, “considers a user’s entire engagement with the CAPTCHA — before, during, and after — to determine whether that user is a human”. Google has not specified what that means, but it is believed to involve tracking a person’s browser history and spotting distinctively human cues in how the cursor moves to the text box, for instance. In some cases, the program can verify that a user is human without the person even completing the task.

Another effort being spearheaded by Google, along with the file-hosting service Dropbox and the Open Technology Fund in Washington DC — an organization funded by the US government to foster free speech online — aims to improve user experience to make e-mail encryption easier. There are two existing programs, Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG), which are ‘open source’ and so can be used by anyone to make e-mail completely indecipherable to those who might intercept it. The systems are safe and effective: whistle-blower Edward Snowden specifically chose to leak US National Security Agency documents to documentary film-maker Laura Poitras because she uses encryption software. He knew that he could communicate with her without fear of anyone eavesdropping.

But these systems are difficult to use, so many people do not. That makes it much easier for cybercriminals to entice people to click on links, especially in the increasingly distracting online world. Google and its partners have helped to establish a non-profit online privacy consultancy called Simply Secure, which is now helping developers of such open-source programs to improve the experience for users. If the effort succeeds, the practice of using counterfeit e-mails to lure people into clicking malicious links could become much less prevalent.

But just as in conventional conflicts, the war against hackers is an arms race. “We design new defences, and then hackers and criminals design new ways to penetrate them,” Obama said at Stanford. “So we’ve got to be just as fast and flexible and nimble in constantly evolving our defences.”