The Register® — Biting the hand that feeds IT

Feeds

Most consumers reuse banking passwords on other sites

Password recycle fail leaves consumers ripe for harvesting

By John Leyden, 2nd February 2010
  • print
  • alert

Cloud based data management

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.

This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.

Trusteer's findings are pulled from a sample of users of its Rapport browser security service. This is offered through online banks in Europe and North America to their customers as a defence against phishing attacks. Web users outfitted with Trusteer's Rapport browser security plug-in are prevented from sending login details to fraudsters, even if they visit and attempt to enter data into a known phishing site.

The survey (PDF) also found that when a bank permits users to pick their own user ID, 65 per cent will re-use this username with a non-financial website, a figure that drops to 45 per cent even if a bank chooses the user ID for its customers.

Trusteer expressed surprise that consumers were so lax on password security, even when it comes to online banking websites. Here at El Reg, we'd be surprised if anyone produced a survey or research indicating that password security among consumers and enterprise users was anything better than dreadful.

"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users re-purpose their financial service usernames and passwords," explained Amit Klein, CTO of Trusteer. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."

Trusteer advised consumers to keep at least three sets of credentials: one that's only used with financial websites, the second for websites that hold information about a user's identity, and the third set for other less sensitive websites. That's certainly a start, but web users also need to think about using hard-to-guess passwords able to withstand brute force dictionary password cracking attacks commonly used by even minimally-skilled cybercroooks.

Top tips from Microsoft (here) and Sophos (here) outline tactics for coming up with hard-to-break but straightforward enough to remember website login credentials. ®

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

COMMENTS

House Rules Send Corrections
All Reader Comments (39)
Highly Rated
Anonymous Coward
Anonymous Coward

if only David Lightman had known...

Greetings Professor Falken.

Would you like to transfer some money?

4
0
RichardB

duh

Back in the days when they implemented PINs for cash cards, I believe they spent quite some time analysing how the hell to make it secure ish. They ended up punting for a self identifying card, and a 4 digit code - presumably they reckoned most people were too dizzy to remember anything more complex.

Then along comes a bunch of programmer geeks and everything gets over complicated, then same start complaining that noone can keep up.

Unless they come up with something more usable the internet will be dead for commerce within a few years.

3
0
Adam 19

Harvesting passwords?

So let me get this right, a "trusted" 3rd party company, meant to be about security for online banking harvested data from users, without their consent and analysed not only on-site bank passwords (as might be agreed to by users installing the software) - but off-site passwords from other sites, without the user's implicit consent?

Shades of Phorm here. And a great precedent to tell your bank to take a hike if they ever start to insist on people installing software like this.

2
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
61
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17