Tuesday, February 2, 2010

Trusteer Says 73% of Online Banking Customers Stupid

According to Trusteer, the vast majority of online banking customers are just plain stupid.   What other explanation can there be for the fact that almost 75% of online banking customers reuse their online banking password to gain access to non-financial institution websites like Facebook or Twitter?   I guess I could give them the benefit of the doubt...they might just be "unaware."



Well, at least now we have identified HALF the problem, let's address the "OTHER" more significant half.  The banks...



The fact that banks tell us to "TYPE" our online banking usernames and passwords into boxes in the first place leaves questions about their intelligence.  Because intelligence I've gathered says that banking malware programs, phishing, keystroke logging and myriad other threats all point to the fact that  "Typing is the cause of the problem."  



Thus...if 73% of online banking customers are "stupid" maybe it's because banks are not the brightest teachers.    After all...every online bank touts the security of its online platform... just prior to asking you to "type" your username and password into a box on a website protected by httbs:// security.    So I don't blame the consumers, I blame the banks.  Remember, just a week ago, 80% of consumers were smart...according to a recent RBS study,

80% Want Better Online Banking Security than a "Username and Password"

Read more: http://pindebit.blogspot.com/2010/01/80-want-better-online-banking-security.html#ixzz0eO63X8Fn

Don't Type...Swipe...it's Smarter! 



Trusteer Finds that Two Thirds of Internet Users Reuse their Online Banking Credentials on Other Websites

 73 Percent Share Online Banking Password with Non-Financial Applications 

47 Percent Use Both their Online Banking User ID and Password




The report's key findings include:

  • 73% of users share the passwords which they use for online banking, with at least one nonfinancial website

  • 47% of users share both their user ID and password with at least one nonfinancial website

  • When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites

  • When a bank chooses the user ID for its customers, 42% use the bank issued user ID with at least one other website.

Here's the official press release:



Image representing Trusteer as depicted in Cru...


NEW YORK--(BUSINESS WIRE)--Trusteer, the customer protection company for online businesses, reported today that the vast majority of online banking customers reuse their login credentials to access non-financial and much less secure websites. Trusteer found that 73 percent of bank customers use their online account password to access other websites, and that 47 percent use both their online banking user ID and password to login elsewhere on the Internet. These findings are based on a sample of more than 4 million users of the Rapport browser security service, many of whom are customers of leading North American and European banks.

“Our findings were very surprising, and reveal that consumers are not aware, (a nice way of saying they are just plain stupid) or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”


This widespread reuse of online banking credentials is being exploited by criminals who have devised various methods to harvest login credentials from less secure sources, such as webmail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.

Trusteer based its research on data collected over a 12 month period from millions of Rapport users in North America and Europe. Rapport protects online banking credentials, recognizes when users attempt to submit them to other websites, and warns them not to do so. The report’s key findings include:

  • 73% of users share the passwords which they use for online banking, with at least one nonfinancial website

  • 47% of users share both their user ID and password with at least one nonfinancial website

  • When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites

  • When a bank chooses the user ID for its customers, 42% use the bank issued user ID with at least one other website

The full report is available at http://www.trusteer.com/sites/default/files/cross-logins-advisory.pdf



“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”



Recommendations:  First Mine:  Stop being stupid...Get Smart... call your customers, and tell them to you are moving to a more secure platform which will require users to access their online banking activities  by swiping their card and entering their PIN,  just as they do at the ATM.   



For consumers: 

  • Maintain at least three sets of credentials: the first set to be used only with financial websites; the second set to be used with nonfinancial sensitive websites that hold information about your identity; the third set to be used with non-sensitive websites that do not maintain confidential information about the user. Memorizing three sets of credentials is not difficult, yet significantly improves a user’s level of security. (got all that?)

For financial institutions:

  • Identify customers who use their bank login information on nonfinancial websites and:  (What????  I ask you...how the hell would they be able to do that other than hiring a hacker, or at least a  keystroke logger?) 





    • Educate them to avoid this risk

    • Set your risk engine to higher sensitivity for these customers


About Rapport

Rapport from Trusteer is a lightweight browser plug-in plus security service that prevents criminals from tampering with a user’s browser and protects against man-in-the-browser, man-in-the-middle, and phishing attacks. When users browse to sensitive websites such as internet banking, Webmail, or online payment pages, the Rapport plug-in immediately locks down the browser and prevents any unauthorized access to web pages and confidential information that flow through the browser. Trusteer also offers in-the-cloud reporting services. When unauthorized access attempts are detected by Rapport, these are analyzed by fraud experts who provide actionable intelligence to financial institutions.



About Trusteer

Trusteer enables online businesses to secure communications with their customers over the Internet and protect personally identifiable information (PII) from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' PII even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.







Posted by at

Disqus for ePayment News