Two-thirds of internet users reuse their online banking credentials on other websites.
A report found that 73 per cent of bank customers use their online account password to access other websites, and that 47 per cent use both their online banking user ID and password to log in elsewhere on the internet.
Trusteer's findings claim that the widespread reuse of online banking credentials is being exploited by criminals who have devised various methods to harvest login credentials from less secure sources, such as web mail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.
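The harvest-then-test pattern described above leaves a recognisable trace on the target site's authentication logs: one source trying many different usernames in a short time, most of them failing, with the occasional success where the reused credentials were valid. The following Python detector is an added example for this article, not code from Trusteer, the report or any vendor quoted here; the log line format, the sample log lines, the thresholds (five distinct usernames within ten minutes, at most a 20 per cent success rate) and all function names are assumptions constructed for the illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example for this article; it is not code from Trusteer or any vendor
quoted here. The log format and the sample lines below are constructed.
Line format:  <ISO-8601 timestamp> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling through many usernames (the trace
# left by testing harvested credentials), one user retrying a forgotten
# password from home, and one ordinary login.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.5 alice LOGIN_FAIL
2024-01-10T09:00:02 203.0.113.5 bob LOGIN_OK
2024-01-10T09:00:03 203.0.113.5 carol LOGIN_FAIL
2024-01-10T09:00:04 203.0.113.5 dave LOGIN_FAIL
2024-01-10T09:00:05 203.0.113.5 erin LOGIN_FAIL
2024-01-10T09:00:06 203.0.113.5 frank LOGIN_FAIL
2024-01-10T09:00:07 203.0.113.5 grace LOGIN_FAIL
2024-01-10T09:00:08 203.0.113.5 heidi LOGIN_FAIL
2024-01-10T09:01:00 198.51.100.7 alice LOGIN_FAIL
2024-01-10T09:01:20 198.51.100.7 alice LOGIN_OK
2024-01-10T09:02:00 192.0.2.9 carol LOGIN_FAIL
2024-01-10T09:02:30 192.0.2.9 carol LOGIN_FAIL
2024-01-10T09:03:00 192.0.2.9 carol LOGIN_OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.2):
    """Flag source IPs that, within some sliding time window, attempted at least
    `min_users` distinct usernames with a success rate of at most
    `max_success_rate`. A single user retrying a forgotten password never
    qualifies because the distinct-username count stays at one.
    Returns {ip: {"distinct_users", "attempts", "successes"}} describing the
    widest qualifying window seen for each flagged IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until every event in it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) < min_users or successes / len(span) > max_success_rate:
                continue
            stats = {"distinct_users": len(users), "attempts": len(span),
                     "successes": successes}
            if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                flagged[ip] = stats
    return flagged


def accounts_to_review(events, flagged):
    """Usernames that logged in successfully from a flagged source: these are the
    accounts whose reused credentials were valid and whose passwords should be
    reset and owners contacted."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("accounts to review:", accounts_to_review(evs, hits))
```

The successful logins from a flagged source are the important output: each one is a customer whose password, reused from somewhere weaker, is already in a criminal's hands, so the bank's response is a forced reset and a customer notification rather than just blocking the source address.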
The report said that because each of these websites requires registration and the use of login credentials, usually in the form of a username and password, a typical user needs to manage several, and sometimes dozens of, usernames and passwords.
It said that some websites enforce rules regarding the use of usernames and passwords. For example, some financial institutions choose usernames for their users; they do not allow users to choose their own usernames, while some websites force users to change their passwords every few months.
It said: “To handle this requirement, many users have a set of between three and five passwords that they use in rotation between all the different websites to which they subscribe.
“Meanwhile, some users use password managers – tools that automatically fill out the correct username and password for each website. However, a tool that manages all of the usernames and passwords for an individual is a potential security threat.”
Amit Klein, CTO of Trusteer and head of the company's research organisation, said: “Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords.”
Andrew Clarke, vice president and managing director EMEA at e-DMZ Security, said: “In the UK, internet banking does not require a full password to be entered, just selected characters, so not really applicable to a UK community.
“Also, many banks have or will be introducing two-factor authentication for their customers which place the emphasis on something you have as well as something you know - so again, a stronger security approach that means the reuse of personalised passwords is mitigated.”
Stephen Howes, CEO/CTO of GrIDsure, said: “This report offers helpful and practical suggestions on improving password security and reducing the risk of data loss and identity theft.
“However, these suggestions are fundamentally trying to make the best of a system that is inherently flawed, so the advice it offers is comparable to describing how to arrange the deckchairs on the Titanic as it sails full-steam towards the iceberg.
“Every day millions of people log in to a variety of internet sites, from banks and social networks to online shopping portals, using a username and password combination. The owners of these sites have chosen this method of authentication in the misguided view that it is cheap and offers a good level of security. In reality, it is neither.”
He further claimed that the use of long strings of upper and lower case letters combined with numbers usually results in the user forgetting them, and subsequently writing them down.
“Passwords can be compromised through various forms of attack, including shoulder-surfing, keylogging and screen-scraping. Cheap and secure? I don't think so,” said Howes.
“In order to genuinely improve security, customers need organisations to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method such as GrIDsure.”