The usernames and passwords that are used by individuals for financial Web sites are among the most valuable pieces of information that Internet users possess. Yet according to a new study from security firm Trusteer, they’re also not treated by users with the confidentiality and respect they deserve.
The company’s twelve-month study surveyed over 4 million people and found that many customers of online banks or Web financial sites — 73 percent — reuse their passwords on non-financial Web sites.
“It means they used their online banking password (e.g. Bank of America) at another Web site (e.g. Facebook),” Trusteer CTO Amit Klein told InternetNews.com.
Going a step further, the study found that in total, 47 percent of online banking customers reused both their password and the same username on financial and non-financial Web sites.
The methods by which the financial Web site assigns users their ID information is also a key factor in how often the information is reused, according to Trusteer. When users choose their own ID on a financial Web site, Trusteer found that 65 percent reuse the password, in comparison to only 42 percent when the bank chooses the username for them.
The results of the study came as a surprise to Trusteer.
“We expected users to better guard their banking credentials, since these protect real, possibly large sums of money,” Klein said. “We did expect a portion of users to share their credentials with other sites, but not at this magnitude.”
Trusteer’s data came from an analysis of its Rapport services, which provides online security protection for users.
“Data is collected via Rapport’s antiphishing functionality, which monitors attempts by the protected user to submit their banking password to a non-banking site,” Klein said. “In such cases, the user is warned by Rapport that they are about to submit their banking password to a non-bank Web site, and should not do so. Rapport collects this event for statistics.”
But really, what’s the harm in reusing your financial credentials?
The risk, according to Trusteer, is that users are offering their banking login credentials to sites that may not be as secure as their financial institutions. As a result, if the non-financial Web site is compromised and hackers obtain the user’s information, there could be a risk.
That should be especially alarming considering that data breaches and information theft disclosures have become an almost daily occurrence. Just last week, the National Archives and Records Administration said it had been the victim of one such data breach.
Still, it’s not exactly a straight line for an attacker to get at a user’s bank account just because they have a user ID and password from a third-party site.
“It is trial and error, but considering additional information about the user (such as geography, employment, etc.), the list of candidate banks and credential sets can be reduced to a small list of possible values by an attacker,” Klein said.
The new study of password habits is the not first time that Trusteer has found a potentially gaping hole in Internet security practices. The company has previously discovered that the majority of their users were not running up-to-date versions of Adobe’s Flash — a popular target for hackers.
“Passwords are not necessarily the weakest link,” Klein said. “However, the practices around credentials — sharing them with less-secure sites (or indeed choosing weak passwords) can weaken the authentication scheme below the minimal security threshold.”