Most consumers reuse banking passwords on other sites
Password recycle fail leaves consumers ripe for harvesting
The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.
Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.
This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.
Trusteer's findings are pulled from a sample of users of its Rapport browser security service. This is offered through online banks in Europe and North America to their customers as a defence against phishing attacks. Web users outfitted with Trusteer's Rapport browser security plug-in are prevented from sending login details to fraudsters, even if they visit and attempt to enter data into a known phishing site.
The survey (PDF) also found that when a bank permits users to pick their own user ID, 65 per cent will re-use this username with a non-financial website, a figure that drops to 45 per cent even if a bank chooses the user ID for its customers.
Trusteer expressed surprise that consumers were so lax on password security, even when it comes to online banking websites. Here at El Reg, we'd be surprised if anyone produced a survey or research indicating that password security among consumers and enterprise users was anything better than dreadful.
"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users re-purpose their financial service usernames and passwords," explained Amit Klein, CTO of Trusteer. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."
Trusteer advised consumers to keep at least three sets of credentials: one that's only used with financial websites, the second for websites that hold information about a user's identity, and the third set for other less sensitive websites. That's certainly a start, but web users also need to think about using hard-to-guess passwords able to withstand brute force dictionary password cracking attacks commonly used by even minimally-skilled cybercroooks.
if only David Lightman had known...
Greetings Professor Falken.
Would you like to transfer some money?
Back in the days when they implemented PINs for cash cards, I believe they spent quite some time analysing how the hell to make it secure ish. They ended up punting for a self identifying card, and a 4 digit code - presumably they reckoned most people were too dizzy to remember anything more complex.
Then along comes a bunch of programmer geeks and everything gets over complicated, then same start complaining that noone can keep up.
Unless they come up with something more usable the internet will be dead for commerce within a few years.
So let me get this right, a "trusted" 3rd party company, meant to be about security for online banking harvested data from users, without their consent and analysed not only on-site bank passwords (as might be agreed to by users installing the software) - but off-site passwords from other sites, without the user's implicit consent?
Shades of Phorm here. And a great precedent to tell your bank to take a hike if they ever start to insist on people installing software like this.