Password reuse threatens online banking security

A report into the security of internet banking systems has found that one of the biggest problems is the reuse of log-in passwords on multiple sites.

Online security firm Trusteer monitored over four million computers for a year, and found that 73 per cent of internet banking customers used the same password for their online banking services as they did for other, less secure, sites.

"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service user names and passwords," said Amit Klein, chief technical officer at Trusteer, and head of the company's research organisation.

"Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple web sites."

The Reused Login Credentials report (PDF) found that part of the blame lies with banking web sites that allow users to choose their own IDs, as almost two thirds of customers use the same ID for other sites. This figure falls to less than half when users are allocated an ID by the bank.

The research also found that nearly half of banking customers use their ID and password for a non-financial web site.

The use of the same password for multiple sites raises serious security risks. If a hacker can get one password from a less secure web site by a 'brute force' dictionary attack, for example, there is a good chance that it can be used on other sites.