Most online bankers re-use their login credentials on other Web sites, opening themselves up to particularly vulnerable avenues of cyber attack.
That's according to Trusteer, a customer protection company for online businesses, which said it believes about three-fourths of users share passwords they use for online banking with at least one nonfinancial Web site, and 47% share both user name and password.
New York-based Trusteer based its conclusions on data collected during a year of Internet browsing by more than 4 million users of its Rapport browser security service, many of whom are customers of large North American and European banks.
Re-using banking user names and passwords at less-secure Web mail and social networking sites allows criminals to acquire personal information they then test on financial services Web sites, the company said.
Trusteer said its sampling also found that bank customers are more likely to share their user ID with non-financial Web sites when they choose their own (65%) than when they are using an ID chosen by the bank (42%).
"Using stolen credentials remains the easiest way for criminals to bypass security measures," said Amit Klein, Trusteer's chief technology officer. "Our findings were very surprising and reveal that consumers are not aware of, or are choosing to ignore, the security implications of re-using their banking credentials on multiple Web sites."
Trusteer recommended that financial institutions educate consumers about the risk and that consumers themselves maintain at least three sets of credentials: for financial Web sites, nonfinancial Web sites that hold identifying information, and nonsensitive Web sites that do not keep confidential information about the user.