21:30 04.02.2010 | All news from "Top Legal News"
Users run security risk by re-using banking passwords
Nearly three-quarters of online banking users are putting the security of their accounts at risk by re-using their passwords at other, less secure sites. Nearly half use both their usernames and passwords at other sites, increasing the security risk.
The maker of a piece of software that claims to help web users increase their security has analysed the activity of four million users of its Rapport software. It found that 73% of those users use one password for online banking and other non-financial websites and that 47% reuse both their online banking username and password for other sites.
The company behind Rapport, Trusteer, said that this was dangerous because criminals could obtain usernames and passwords more easily from less secure non-banking sites and attempt to use them at financial services sites to potentially devastating effect.
"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords," said Trusteer chief technology officer Amit Klein. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."
Trusteer has produced a report on the problem. "Internet users are required to memorize multiple login credentials to access different web services," said the report. "As a result, many decide to use the same login credentials for multiple websites. This practice can be dangerous when sharing login credentials used for online financial services applications with less secure websites."
"Criminals have devised various methods to steal login credentials from less secure websites, which they then test them out on financial services websites. As a result, users are exposed to account hijacking risks which can lead to fraud," it said.
Trusteer was able to detect when people re-used banking passwords at other sites because its anti-fraud Rapport software, which sits on a user's computer, monitors traffic to sensitive sites and warns users not to re-use banking details when they attempt to do so.
The company said that web users should ensure that the details they use for online activities are appropriate for the amount of security needed for that activity.
"[Users should] maintain at least three sets of credentials: the first set to be used only with financial websites; the second set to be used with nonfinancial sensitive websites that hold information about your identity; the third set to be used with non-sensitive websites that do not maintain confidential information about the user," said a Trusteer statement. "Memorizing three sets of credentials is not difficult, yet significantly improves a user’s level of security."
The company's report said that banks themselves can help to cut down on the number of their customers exposing themselves to danger.
"When a bank allows users to choose their own user ID, 65% share their banking username with nonfinancial websites," it said. "When a bank enforces a unique user ID convention and chooses the user ID for the customer, 42% use the bank issued user ID with at least one other website."
http://www.out-law.com/
