The maker of a piece of software that claims to help web users increase their security has analysed the activity of four million users of its Rapport software. It found that 73% of those users use one password for online banking and other non-financial websites and that 47% reuse both their online banking username and password for other sites.
The company behind Rapport, Trusteer, said that this was dangerous because criminals could obtain usernames and passwords more easily from less secure non-banking sites and attempt to use them at financial services sites to potentially devastating effect.
"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords," said Trusteer chief technology officer Amit Klein. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."
Trusteer has produced a report on the problem. "Internet users are required to memorize multiple login credentials to access different web services," said the report. "As a result, many decide to use the same login credentials for multiple websites. This practice can be dangerous when sharing login credentials used for online financial services applications with less secure websites."
"Criminals have devised various methods to steal login credentials from less secure websites, which they then test out on financial services websites. As a result, users are exposed to account hijacking risks which can lead to fraud," it said.
Trusteer was able to detect when people re-used banking passwords at other sites because its anti-fraud Rapport software, which sits on a user's computer, monitors traffic to sensitive sites and warns users not to re-use banking details when they attempt to do so.
The company said that web users should ensure that the details they use for online activities are appropriate for the amount of security needed for that activity.
"[Users should] maintain at least three sets of credentials: the first set to be used only with financial websites; the second set to be used with nonfinancial sensitive websites that hold information about your identity; the third set to be used with non-sensitive websites that do not maintain confidential information about the user," said a Trusteer statement. "Memorizing three sets of credentials is not difficult, yet significantly improves a user's level of security."
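The three-tier policy above can be checked mechanically over a user's own saved logins. The following is an added illustration, not Trusteer's or Rapport's code: it assumes a constructed vault of (site, tier, username, password) records and a local HMAC key, and reports every username or password that a higher tier (financial, then identity-sensitive) shares with a lower one.

```python
"""Tiered credential-reuse check, modelled on the three-tier policy quoted above."""
import hashlib
import hmac
from collections import defaultdict

# Tier order from the policy: financial is most sensitive, non-sensitive least.
TIERS = {"financial": 0, "sensitive": 1, "non_sensitive": 2}

# Constructed demo key; a real checker would use a per-device secret.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample vault (hypothetical sites and credentials).
SAMPLE_VAULT = [
    ("bank.example", "financial", "jsmith", "Tr0ub4dor&3"),
    ("mail.example", "sensitive", "jsmith", "correct horse battery staple"),
    ("forum.example", "non_sensitive", "jsmith", "Tr0ub4dor&3"),
    ("shop.example", "non_sensitive", "shopper42", "correct horse battery staple"),
]


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed hash of a password so the checker compares digests, never plaintext."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(vault, key=DEMO_KEY):
    """Return (kind, higher_tier_site, lower_tier_site) for each credential
    shared between a more sensitive tier and a less sensitive one.
    Sharing within a single tier is allowed, matching the three-set policy."""
    by_password = defaultdict(list)
    by_username = defaultdict(list)
    for site, tier, user, password in vault:
        by_password[fingerprint(password, key)].append((site, tier))
        by_username[user].append((site, tier))

    findings = []
    for index, kind in ((by_password, "password reuse"), (by_username, "username reuse")):
        for entries in index.values():
            # Sort so the more sensitive site always comes first in each pair.
            entries = sorted(entries, key=lambda e: TIERS[e[1]])
            for i, (site_a, tier_a) in enumerate(entries):
                for site_b, tier_b in entries[i + 1:]:
                    if TIERS[tier_b] > TIERS[tier_a]:
                        findings.append((kind, site_a, site_b))
    return findings


if __name__ == "__main__":
    for kind, high, low in find_reuse(SAMPLE_VAULT):
        print(f"{kind}: {high} credential also used at {low}")
```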
The company's report said that banks themselves can help to cut down on the number of their customers exposing themselves to danger.
"When a bank allows users to choose their own user ID, 65% share their banking username with nonfinancial websites," it said. "When a bank enforces a unique user ID convention and chooses the user ID for the customer, 42% use the bank issued user ID with at least one other website."