Many online banking customers reuse their banking login credentials to access other websites, putting themselves at risk of account hijacking and online banking fraud, according to a study by Trusteer Inc.
The New York-based online security vendor found that 73% of bank customers use their Internet banking password to access non-financial -- and less secure -- websites. Forty-seven percent use both their online banking user ID and password on other websites.
The practice puts online banking customers at risk because criminals are using a variety of methods -- including database hacks, brute forcing and phishing -- to harvest login credentials from non-financial websites, such as social networking sites and Web-based email services, according to Trusteer. Thieves can then test the credentials on financial-services sites to hijack accounts and commit online banking fraud.
The research was based on data collected over 12 months from more than 4 million users of Trusteer's Rapport browser security service.
The Rapport browser plug-in includes a feature that warns users when they type their banking credentials into another website. The warning is meant to block phishing attacks that try to trick users into entering their credentials on phony banking websites, and to alert users to the risks of using online banking credentials on other websites.
Trusteer's study also found that when a bank allows users to create their own user ID, 65% of those customers share the ID with non-financial sites. When banks assign IDs to customers, the share who use the ID on other sites drops to 42%.
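A reuse warning of the kind described above can be built without keeping the banking password in plaintext. The following Python sketch is an added example, not Trusteer's code or a description of how Rapport works; the `ReuseGuard` class, the PBKDF2 work factor and the `.example`/`.test` sites are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

ROUNDS = 200_000  # assumed PBKDF2 work factor for this sketch


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; paths and queries are ignored."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _kdf(salt, label, value):
    # The label keeps the ID digest and password digest in separate domains.
    data = f"{label}:{value}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ROUNDS)


class ReuseGuard:
    """Hypothetical guard that stores only salted digests of protected logins."""

    def __init__(self):
        self._protected = {}  # bank origin -> (salt, id_digest, pw_digest)

    def enroll(self, bank_url, user_id, password):
        salt = os.urandom(16)
        self._protected[origin_of(bank_url)] = (
            salt, _kdf(salt, "id", user_id), _kdf(salt, "pw", password))

    def check(self, page_url, user_id, password):
        """Return (bank_origin, what_was_reused) for each protected login typed elsewhere."""
        here = origin_of(page_url)
        findings = []
        for origin, (salt, id_digest, pw_digest) in self._protected.items():
            if origin == here:
                continue  # typing the credential on its own site is expected
            if not hmac.compare_digest(pw_digest, _kdf(salt, "pw", password)):
                continue
            same_id = hmac.compare_digest(id_digest, _kdf(salt, "id", user_id))
            findings.append((origin, "id+password" if same_id else "password"))
        return findings
```

The same check covers both cases in the article: a lookalike banking page and an unrelated site each present a different origin from the enrolled bank, so either one triggers a finding.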
In addition to using banking credentials across the Web, users also put themselves at risk by creating easy-to-guess passwords. A report released last month by Imperva Inc. showed that many users choose simple, short passwords that make them susceptible to brute-force attacks. The database security vendor based the report on an analysis of 32 million passwords exposed in a breach late last year of Rockyou.com, a social networking application site.
Almost 50% of users had simple passwords made up of names, dictionary words, consecutive digits and adjacent keyboard keys, Imperva's analysis showed. The most common password is "123456," and other favorites include "password," "princess" and "abc123."
BITS, a division of the Financial Services Roundtable, and the Identity Theft Assistance Center, an affiliate of the Financial Services Roundtable, issued an advisory last week about the need to boost password security.
"Virtually all financial websites rely on customers' passwords as a critical layer of protection for their personal and financial information," Paul Smocer, vice president for security at BITS, said in a prepared statement. "We need to remember how critical it is to protect our online information, and unfortunately, to understand that there are those who want access to our information or funds."