Posted March 18, 2010 by Simon in News

Trusteer survey reports 60% of users re-use online banking credentials on other websites

A survey published by Trusteer earlier this month has highlighted that a large number of internet users are re-using online usernames and passwords between financial and non-financial web services.

73% of users are sharing passwords from their online banking site with at least one non-financial website, and 47% are re-using their banking username. This exposes users to a higher risk of fraud, as it is common practice for criminals to steal account details from less secure sites and then try them on banking sites.

Gone are the days when you had just the odd one or two website logins. Users now have to memorize a multitude of login credentials as more and more companies offer to manage your account with them online. This is not only the banks and utility companies: most non-financial sites now require you to register in order to fully access the site.

As the number of website accounts increases, managing usernames and passwords becomes an issue, so the common approach is to re-use ones you have used before, as this makes them easier to remember. Some websites enforce rules on the usernames you have to use, though we’ve found that many allow you to select your own.

Another issue is password expiry. Whilst it is good practice to force users to change their passwords periodically, the downside is that you have to come up with yet another password, and it’s likely you will just recycle one from another site.

Password manager tools and websites (e.g. KeePass, LastPass) provide some breathing space by managing your accounts for you, though they add an additional risk by keeping all of your account details in one place. It’s a hard balance to get right.

Criminals take advantage of you re-using your account details through several common attack methods:

Website & Database Hacking
Websites usually hold your login details in a database behind the site, so by hacking into this an attacker can gain all the account information. Whilst there will be security in place to prevent this, non-financial sites are less likely to have the same level of protection, thus providing an easier target. Banking sites are very secure, and should also offer the guarantee that should their security be breached, you would be reimbursed for any financial loss.

Brute Force & Password Recovery
This is an older style of attack, the basic concept being to try thousands of password combinations against your account in the hope of getting lucky. Banking and most other sites counter this by simply locking your account after 3 to 5 unsuccessful attempts, though there may be some non-financial sites that don’t enforce this.

Resetting passwords with banks is now a complicated process, but this has been put in place to protect users from criminals attempting to obtain their password through the recovery route.
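As an added example, not code from the original post or from Trusteer, the two checks a site needs for the attacks this section and the opening paragraph describe: a per-account lockout counter of the kind mentioned above, and the complementary source-based check for the stolen-credential case, where each account sees only a single attempt and per-account lockout never fires. The log format, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post).
# Format: <timestamp> <source_ip> <username> <result>
SAMPLE_LOG = """\
2010-03-18T09:00:01 203.0.113.7 alice FAIL
2010-03-18T09:00:03 203.0.113.7 alice FAIL
2010-03-18T09:00:05 203.0.113.7 alice FAIL
2010-03-18T09:00:07 203.0.113.7 alice FAIL
2010-03-18T09:00:09 203.0.113.7 alice FAIL
2010-03-18T09:01:00 198.51.100.9 bob FAIL
2010-03-18T09:01:01 198.51.100.9 carol FAIL
2010-03-18T09:01:02 198.51.100.9 dave OK
2010-03-18T09:01:03 198.51.100.9 erin FAIL
2010-03-18T09:01:04 198.51.100.9 frank FAIL
2010-03-18T09:05:00 192.0.2.44 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def accounts_to_lock(events, max_failures=5):
    """Brute-force guard: accounts whose run of consecutive failures reached
    the threshold (the post's 3 to 5 attempts). A successful login resets
    the counter, as a real lockout policy would."""
    streak = defaultdict(int)
    locked = set()
    for _ts, _ip, user, result in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
        else:
            streak[user] = 0
    return locked


def stuffing_sources(events, min_accounts=4):
    """Reused-credential signal: one source trying many distinct accounts,
    each only once or twice, which the per-account lockout above never sees."""
    users_by_ip = defaultdict(set)
    for _ts, ip, user, _result in events:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_accounts}
```

In the sample, the source 198.51.100.9 is flagged even though it triggers no lockout, and one of its attempts (dave) succeeds, which is exactly the reused-credential case the survey warns about.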

Phishing
These are essentially spam e-mails sent to your mail account, with the difference being that they pretend to come from a bank or other reputable organisation. A lot of these are logged as spam, but with the ones that do get through it isn’t always obvious that they are fake. If you click on links in these e-mails, they redirect you to sites that look like banking sites but record your login details when you try to log on.

To ensure that you aren’t caught out by these, the simplest rule to follow is that any reputable bank will not send you e-mails requesting that you log in or asking for account information.

Identity theft has become a more popular and lucrative avenue, so phishing for your personal information in order to take out credit in your name is a lot more commonplace. With the emergence of Facebook, Twitter and other social networking sites, users are encouraged to store personal information about themselves, which could potentially be used by fraudsters should they manage to get hold of it from the website.

One good form of protection against malware and phishing attacks is to install Rapport. This web browser plugin checks the websites you’re visiting and confirms whether or not they are valid. It has become a popular tool for banks’ online banking services, and most of the big banks now encourage you to install this free level of protection.

Source: “Reused Login Credentials”, Security Advisory Report, Trusteer, 2-Feb-2010