Posted by Lisa Hochgraf
I'm among the more protected but it's not because I knew better. By dumb luck, I use a different username and password on my login for my credit union's home banking than on any of my other Internet logins.
Turns out, that's the safe way to be, at least according to Trusteer, a customer protection company for online businesses. A press release I got from the company yesterday reported that the vast majority of online banking customers reuse their login credentials to access non-financial and much less secure Web sites.
More specifically, Trusteer's study found that 73 percent of bank customers use their online account password to access other Web sites, and that 47 percent use both their online banking user ID and password to log in elsewhere on the Internet. (The findings are based on a sample of more than 4 million users of Trusteer's Rapport browser security service, many of whom are customers of leading North American and European banks.)
"This widespread reuse of online banking credentials is being exploited by criminals who have devised various methods to harvest login credentials from less secure sources, such as Web mail and social network Web sites," Trusteer's release asserts. "Once acquired, these usernames and passwords are tested on financial services sites to commit fraud."
Some key data points from the survey include:
• When a bank allows users to choose their own user ID, 65 percent of users share this ID with nonfinancial Web sites.
• When a bank chooses the user ID for its customers, 42 percent use the bank-issued user ID with at least one other Web site.
"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords," said Amit Klein, chief technology officer of Trusteer and head of the company’s research organization. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple Web sites."
Trusteer recommends that financial institutions:
- Educate customers to avoid this risk.
- Set their risk engines (in place to monitor use of home banking and detect possible fraud) to higher sensitivity for customers who might be facing this risk.
Trusteer says its risk engine can detect customers who use their online banking login credentials on other sites. Can your credit union do that? And in general, what do you do to educate members about password security? What measures can you take to raise security for members who display riskier online security behaviors?