The psychology of cybercrime

2.3 Hacking

In the previous section, you learned that private images are sometimes accessed by hacking the accounts of other users. The term hacking might make you think of computer geniuses cracking complex codes, and therefore that increasingly sophisticated computer security is the solution to the problem. In reality, while hacking can sometimes require advanced skills, many instances require little technological expertise on the part of the hacker. For example, in 2014, a number of former employees of the now-defunct News of the World were convicted on phone hacking charges, having accessed messages belonging to both celebrities and crime victims to provide material for the newspaper (BBC News, 2014). In many cases they had been able to gain access to voicemail messages quite easily, by exploiting the fact that users had not reset the default voicemail PIN code. Phone service providers have since made changes to their systems so that default PIN codes no longer exist, but many users still use meaningful information such as their birthdates as PIN codes, making them easy to guess (BBC News, 2011). This highlights the importance of considering both technological and human aspects when developing security measures.
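As an added illustration (not part of the course material), this is the kind of check a provider could run when a user sets a voicemail PIN, rejecting the guessable choices described above: former defaults, trivial digit runs and PINs read straight off the account holder's birthdate. The function names and the `DEFAULT_PINS` values are assumptions made for the example.

```python
from __future__ import annotations
from datetime import date

# Constructed sample values standing in for a provider's old factory defaults.
DEFAULT_PINS = {"0000", "1234"}


def birthdate_pins(dob: date) -> set[str]:
    """All 4- and 6-digit PINs that can be read straight off a birthdate."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {
        dd + mm, mm + dd, yyyy, mm + yy, yy + mm, dd + yy, yy + dd,  # 4 digits
        dd + mm + yy, mm + dd + yy, yy + mm + dd,                    # 6 digits
    }


def is_run(pin: str) -> bool:
    """True for repeated digits (7777) or straight runs up or down (2345, 9876)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})


def pin_rejection_reason(pin: str, dob: date | None = None) -> str | None:
    """Return why a proposed PIN is too guessable, or None if it passes."""
    if not (pin.isascii() and pin.isdigit() and len(pin) in (4, 6)):
        return "must be 4 or 6 digits"
    if pin in DEFAULT_PINS:
        return "matches a factory default"
    if is_run(pin):
        return "repeated or sequential digits"
    if dob is not None and pin in birthdate_pins(dob):
        return "derived from the account holder's birthdate"
    return None


if __name__ == "__main__":
    holder_dob = date(1985, 3, 14)  # constructed sample birthdate
    for candidate in ("1234", "7777", "1403", "0385", "140385", "4729"):
        print(candidate, "->", pin_rejection_reason(candidate, holder_dob) or "accepted")
```

The birthdate check only works if the provider holds the date of birth on the account; without it, a PIN such as the holder's birth year passes.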

As explained above, gaining access to other people’s accounts can sometimes be accomplished very simply because people choose simple passwords such as ‘123456’ and ‘password’ (Morgan, 2017). People choose simple passwords, or reuse them across sites, because of a poor fit between system and user (Conklin et al., 2004). When password authentication was introduced as a security measure online, there were only a limited number of systems and users, and it was effective in that context. However, this approach is less effective in the current situation, with millions of systems and many millions of users. Indeed, designers did not take into account that users now have multiple usernames and passwords to remember. This means that users have been left to develop their own individual strategies to manage their various online accounts, and sometimes these strategies (e.g. writing down passwords, reusing details) can compromise security.

An image of a person in a dark room looking at a laptop.

Another possible explanation could be that people don’t know what constitutes good password security. However, in a survey by Tam et al. (2009), respondents showed an ability to distinguish between strong and weak passwords, and an understanding of poor password management behaviours, but there was a trade-off between convenience and security. People were more willing to engage in password management practices that were inconvenient, but which increased security, for accounts where they could foresee an immediate negative consequence for themselves should security be breached (e.g. a bank account), and less willing to do so for accounts where they could not (e.g. email). However, a hacker with access to an email account can use this to reset passwords and learn other personal information that could facilitate access to other user accounts, including bank accounts, so this approach may be short-sighted.

Attempts to alter user behaviour at a system level, by introducing mandatory rules for the creation of passwords (e.g. forcing account holders to use a combination of letters, numbers and punctuation), reduce vulnerability by making it less likely that a stranger could guess the password. However, they simultaneously increase the likelihood that the genuine account holder will forget their password, thereby increasing the use of memory strategies which introduce other sources of vulnerability (Gehringer, 2002; Conklin et al., 2004). Therefore, it is important that security systems are carefully designed to take into account the human behaviour of the people who use them, as well as the ingenuity of those who wish to hack them.