The majority of online banking customers reuse their login ID and or password on other non-financial and possibly less secure websites, a study has revealed.
When a bank chooses the user ID for customers, 42% share this ID with at least one other website, statistics from Trusteer's Rapport browser security service show.
Overall, 47% of users share both their user ID and password with at least one other website and 73% share their online banking password with at least one other site.
This widespread use of online banking credentials is being exploited by criminals who harvest credentials from less secure sites, such as social networking sites, and then test them on financial services sites to commit fraud, the report said.
"The study shows that consumers are not aware of the security implications of reusing their banking credentials on multiple websites or are choosing to ignore them," said Amit Kein, chief technology officer at Trusteer.
Internet users should have three sets of credentials, he said. One set for financial sites, a set for non-financial sites that hold personal information, and a set for other websites that do not involve personal information.
Online banking customers must be aware that once an identity is compromised in one place, it is compromised elsewhere, said Mick Paisley, head of information security at Santander.
The bank has adopted a dual-pronged approach aimed at keeping online banking customers safe, he said.
Santander continually provides information to help customers make good decisions when they are banking or shopping online, and has made the Rapport service available free of charge to protect customers' identities, said Paisley.
"The most effective approach is combination of technological controls and customer awareness," he said.
But Stephen Howes, chief executive at security firm GrIDsure, said although the report offers practical suggestions on improving password security, these suggestions are trying to making the best of a system that is inherently flawed.
"To genuinely improve security, customers need organisations to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method," he said.
|Security tips for financial institutions|