I’ve often wondered how many people use the same username/passwords at their bank as they do at other random websites. I figured it was a substantial number, but never expected it to be as high as the 73% Trusteer cited in a recent white paper (note 1). That’s why most financial institutions have used “multi-factor authentication” for years.
One of the most common multi-factor techniques is to ask additional questions if the bank detects a login from an unknown computer. However, it’s possible that these same people are also using the same “secret question” answers at non-secure websites, defeating this multi-factor approach.
Luckily, it’s still relatively difficult to remove money from most U.S. consumer accounts because online interbank transfers are more tightly controlled, or simply not offered. However, if crooks are able to log in to online/mobile banking and determine the user’s account numbers (debit, credit, or checking), a number of more lucrative frauds can be engineered.
What’s a bank to do:
- Use secret questions that are not commonly used across the Web. Or allow users to create their own, but caution them not to use ones they see at other non-banking websites.
- Create an additional out-of-band authentication process (e.g., text message an approval code) for moving funds out of an account.
- Do not allow online banking users to see their own account numbers online.
- Educate/encourage customers to use a different username/password for online banking than for other non-financial sites.
- Financial institutions using Trusteer’s Rapport service can identify which customers are sharing username/passwords at less-secure sites and ratchet up internal fraud control settings for these customers.
And the most effective method, which we don’t recommend because it’s just too painful for the user experience:
- Force users to create more challenging usernames and/or passwords, such as those with a capital letter, number and/or special character.
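The out-of-band approval step recommended above (a texted code before funds leave the account) is easy to get wrong: a code that is not tied to the transfer can be replayed, never expires, or can be guessed. The sketch below is an added example, not code from the original post or from Trusteer's product; it assumes a hypothetical `send_sms(phone, text)` delivery hook and binds each code to the account, amount and destination it was issued for.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # approval code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the transfer is voided


class TransferApproval:
    """Out-of-band approval codes that are bound to one specific transfer."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical delivery hook: send_sms(phone, text)
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # transfer_id -> {digest, expires, attempts}

    @staticmethod
    def _digest(code, account, amount_cents, dest):
        # Hash the code together with the transfer details, so a code issued
        # for one transfer cannot be replayed to approve a different one.
        msg = f"{account}|{amount_cents}|{dest}|{code}".encode()
        return hashlib.sha256(msg).hexdigest()

    def request(self, transfer_id, account, amount_cents, dest, phone):
        """Issue a fresh 6-digit code and deliver it over the second channel."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[transfer_id] = {
            "digest": self._digest(code, account, amount_cents, dest),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The text names what is being approved, so a user who did not start it can refuse.
        self._send_sms(phone, f"Approve ${amount_cents / 100:.2f} to {dest}: code {code}")

    def verify(self, transfer_id, account, amount_cents, dest, code):
        entry = self._pending.get(transfer_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[transfer_id]   # expired: force a new request
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[transfer_id]   # too many guesses: force a new request
            return False
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(code, account, amount_cents, dest))
        if ok:
            del self._pending[transfer_id]   # single use
        return ok
```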
Silicon Valley Bank (SVB) offers Trusteer’s Rapport (link, 2 Feb. 2010)
1. While 73% shared banking passwords with other sites, less than half the total, 47%, shared BOTH username and password. Two other data points:
– 65% of user-selected banking usernames were used elsewhere
– 42% of bank-selected banking usernames were used elsewhere
2. Trusteer’s data was compiled over 12 months using its plugin software running on more than 4 million computers (see previous post).
3. There’s still the issue of the easy-to-read account number on check images; it would be nice to mask it, but that’s probably not worth the expense.
4. For more info on Trusteer and other security topics, see our previous reports such as Online Banking Report: New Security Techniques (Sep. 2008).