Password online security 2009


As the number of cases of online identity theft rises, we need to make sure we protect ourselves online. Find out what steps to take by reading more…



  1. Password Online Security. A CPP white paper. September 2009
  2. Contents

     1.1 Foreword
     1.2 Industry Facts
     1.3 Research methodology
     1.4 Key Findings
       - Over 1.7 million people use the same password every time they go online
       - Only a few people have a unique password for their online accounts
       - A large minority do not keep passwords confidential
       - One in ten people have had their web accounts accessed by fraudsters
       - Nearly one in five (18%) had goods illegally bought in their name
       - People choose predictable passwords that aren’t difficult to crack
       - “It’s too difficult to remember numerous passwords”
     1.5 Conclusion
     1.6 Avoiding online fraud
     1.7 How to create a secure password
     1.8 Further Information
     1.9 About CPP

     Password Online Security, September 2009
  3. Introduction

     1.1 Foreword

     Today just about everything under the sun – from our favourite books, films and music to our medical and financial records – has moved online. And to access this content you invariably need a password. In addition, the number of web users is expected to increase from 1.5 billion today to 2.2 billion by 2013, putting a huge amount of information and content on the internet. Every year, the equivalent of 40,000 years of television is added to the web; a clear indication that the internet has truly penetrated all aspects of our daily lives.

     Unfortunately the increased use of the internet is associated with the increased use of the channel as a means to defraud consumers. Fraud losses from online banking rose last year 132% to £52.5m. In addition, the main driver for card fraud remains card-not-present (CNP) fraud, which is predominately fraud over the internet, which last year totalled £328.4m, up 13% year-on-year. Fraud that does not require face-to-face contact is inevitably less risky for the perpetrator and will continue its upwards trend until a mass market solution is introduced; very much like how Chip and PIN has significantly reduced retailer or face-to-face fraud in the UK from a peak of £218.8m in 2004 – the year before its widespread introduction in the UK. In 2008 retailer fraud stood at £98.5m.

     The biggest challenge consumers face is managing their secure online authentication. This report clearly shows us that consumer behaviour around managing their passwords is not consistent with keeping their online accounts secure. Hackers using a good laptop and brute force software to crack passwords can comfortably guess 10 million combinations per second, meaning our passwords are probably not as secure as we think they are.

     In addition, we now have sophisticated methods of extracting this information via phishing e-mails, malware and increasingly smishing (via SMS) and vishing (voice). It will be interesting to see whether the industry moves beyond the use of passwords for secure authentication as fraudsters continue the trend of account takeover, and whether consumers will ultimately object to carrying around multi-factor authentication in the form of card-sized number generators to authenticate online access or continue to remember lots of unique passwords.
  4. 1.2 Industry Facts

     The proliferation of online threats continues and it is contributing to the rise in online banking fraud losses.
     - Online banking fraud losses totalled £52.5m in 2008, up 132% year-on-year (source: APACS)
     - Account (or facility) takeover rose 207% in 2008 to 19,275 victims (source: CIFAS)
     - 14,369 different phishing e-mails were sent in the first quarter of 2009, up from 10,235 in the same period last year (source: APACS)
     - Panda Security reports receiving more than 35,000 new malware samples – viruses, worms, Trojans – every day. Trojan software designed to steal bank details, debit/credit card numbers, or online login names and passwords represents 71% of this total, up from 51% in 2007
     - AVG Technologies reported 64% of web users only rarely changed their passwords, while only 43% adjust their privacy settings on a regular basis – this is despite 55% reporting to have been a victim of a phishing attack and 47% having been attacked by malware

     1.3 Research Methodology

     CPP commissioned research in August 2009 to establish how much risk consumers were putting themselves at through the inappropriate use of passwords, such as repetitive passwords or passwords that are not confidential. The research also sought to find out whether their online accounts have been accessed by fraudsters either by phishing or malware software. A representative sample of 1,661 UK credit and debit card holders aged 18+ were questioned by Matters.
  5. 1.4 Key Findings

     Over 1.7 million people use the same password every time they go online

     Whilst nearly half of people have five or more passwords, a small number (5%) rely on a single password to access all their online accounts. With over 33.9 million people having access to the internet in the UK (Office for National Statistics), this equates to over half a million people who are compromising their online security through the repetitive use of a single password. Those aged 16-24 years old are the most likely (11.3%) to put themselves at risk through the use of repetitive passwords, which is surprising given they have grown up with the internet and should be most aware of the threats posed by malware and internet hackers.

     Q: How many passwords and logins do you have?
  6. Only a few people have a unique password for their online accounts

     With over 182,226,259 internet sites (source: Netcraft April 2008) in existence (and growing by an estimated million per month), the prominence of the internet across all areas of our lives is not in question. With passwords required for most online sites including banking, shopping, social media, employment, medical and sport and leisure, it is not surprising that only 11% have a completely different password for each of their internet accounts.

     Men are more likely to be more security conscious and use a completely different password for every site, but they are shown to access fewer sites and are therefore able to remember more unique passwords. The average number of websites visited each month that require a password and login is 23. Women are more likely to login to more internet sites – 38% access between sixteen and twenty separate websites versus 31% of men. A further 54% of adults confess to using variations of the same login password.

     It is clear consumers simply have too many passwords to remember and therefore resort to using the same password, use passwords that are easy to remember (and so easy to ‘break’), write them down, or rely on resetting them using the ‘forgotten your password’ function on a website, which itself can be insecure.

     Q: Do you have completely different passwords and logins for every site?
  7. A large minority do not keep passwords confidential

     Despite the constant threat of fraud and barrage of media reports about online fraud, this report shows that nearly 40% of adults admit that at least one other person knows their passwords, ranging from partners, friends, children and parents. Interestingly over half a million people confess their ex-partners have access to their personal login details. Women are more likely to have shared their passwords (42.2% versus 34.9%) than men. Women are most likely to share their passwords with their partners and children.

     With over 50 billion pounds spent online in the UK every year, and a 132% rise in web banking fraud against UK consumers last year totalling £52.5 million, the need for increased vigilance is clear.

     Q: Do any other people know your passwords or login details for your email addresses, shopping accounts or social networking profiles?
  8. One in ten people have had their web accounts accessed by fraudsters

     The threat of fraud is real – one in ten people have had their web accounts accessed by fraudsters. Demographically those aged 25-34 were the most likely to confirm their accounts had been illegally accessed (14%). Worryingly the majority of these attacks (57%) have happened in the last twelve months.

     This statistic is backed up by the huge rise in account takeover during the course of 2008. This type of fraud increased 207% with over 19,000 victims. Account takeover is when the perpetrator secretly ‘hijacks and plunders’ a victim’s account, often through ‘phishing’, where a fraudster will solicit passwords and login details as well as other sensitive financial information to illegally hijack accounts. There has also been a parallel rise in ‘smishing’, where fraudsters use SMS text messages to try to impersonate financial services companies, phone firms and other retail businesses.

     Q: Have any of your e-mail addresses, social networking profiles or shopping accounts ever been hacked/broken into/used fraudulently?
  9. Nearly one in five (18%) had goods illegally bought in their name

     Of those people who had their accounts hijacked, 18% of people said goods were illegally bought in their name and nearly 14% said money was stolen. Equally distressing, many people reported fake e-mails and spam being sent in their name, which could be an attempt to ‘phish’ for personal or sensitive financial information, or just malicious dissemination of content.

     The average sum of money stolen was reported to be £1,030. Demographically there were big differences between men and women, with 43% of men saying over £1,000 was stolen versus only 13% of women. The majority (36.4%) of people claimed to have lost between £101 and £500.

     Q: Which of the following did you experience when your email addresses, social networking profiles or shopping accounts were hacked/broken into/used fraudulently?
 10. People choose predictable passwords that aren’t difficult to crack

     People’s vulnerability is heightened by the fact that many people resort to choosing predictable passwords that aren’t difficult to crack. Nearly one in five (18%) use their pet’s names while one in eight use memorable dates like birthdays or wedding anniversaries (12%). Others use their children’s names (10%) or even their mother’s maiden name (nine per cent). Whilst these passwords may be appropriate for some online sites, i.e. news sites, they are inappropriate for online banking and retail sites, for example.

     Q: How do you usually choose your password?

     Ten most popular passwords
     1. Pet’s name 18%
     2. Memorable date, i.e. wedding anniversary 12.3%
     3. Child’s name 10.3%
     4. Mother’s maiden name 8.7%
     5. Your name 7.9%
     6. Your birthday 5.5%
     7. Favourite place 5.5%
     8. Holiday destination 5.2%
     9. Home town 4.9%
     10. Favourite football team 4.4%
 11. “It’s too difficult to remember numerous passwords”

     The majority (68%) of people claim it is too difficult to remember numerous passwords and 17% say they are worried about forgetting a password and being logged out. Women are more likely than men to worry about remembering passwords. This is backed up by the fact that they are less likely to have unique passwords for different online sites. Demographically those aged 24-34 (74%) are most likely to claim it is difficult to remember passwords versus those aged 55+ (62%), who probably login to fewer online sites.

     With more and more fraudsters attempting to obtain account numbers, passwords and PINs by randomly e-mailing people, it is even more important people adopt more sophisticated passwords and change them on a regular basis – the fact that we claim it is too difficult makes consumers an easy target for fraudsters. The latest statistics from APACS report that it counted 14,369 different versions of phishing e-mails in the first quarter of 2009, up 40% from 10,235 in the same period the year before. With each e-mail sent to millions of recipients, the total sent annually runs comfortably into the tens of billions.

     Q: Which of the following best describes why you do not have a completely different password and login for every site?
 12. 1.5 Conclusion

     It is clear that although the internet has revolutionised the way we live our lives, it has also provided new avenues for fraudsters to exploit, and the danger of internet scams has never been higher. Consumers are still falling victim to online scams and responding to fraudulent requests for personal and other sensitive information – perhaps the immediacy and informality of the internet makes us less suspicious of official-looking requests. In the past CPP has conducted social engineering experiments and has found that an official-looking clipboard, branded t-shirt and badge is often enough to extract enough information to commit identity fraud and account takeover.

     This report clearly shows us that consumers are not being cautious enough with regards to having secure passwords and are all too often reliant on a single, simple password, which is not secure, in order to access all of their online accounts including retail and banking sites. The motivation for only using one password remains the simple fact that consumers find it too difficult to remember multiple unique passwords for numerous sites, particularly as we manage more and more of our daily lives online.

     Having secure passwords in place is an important part of the prevention process. However, it has to be complemented by installing proper internet and computer security programmes that are kept regularly updated. The proliferation of viruses means we may inadvertently download viruses that capture sensitive financial information and our password details. With losses from online fraud escalating, the need for identity protection products and services has never been greater.

     1.6 Avoiding Online Fraud

     Michael Lynch is an identity fraud expert at CPP and offers the following advice to consumers to help protect them from identity fraud. Michael is responsible for the UK Identity Protection portfolio at CPP Group Plc (CPP).

     Michael has been with CPP for 14 years. His experience in financial services extends to customer service, new product and market development and affinity relationships. During his time at CPP, Michael has helped bring to market the UK’s market leading service, Identity Protection, which now protects over one million UK consumers from the consequences of this rapidly growing crime. In addition, Michael has used his expertise to create a commercial identity theft product aimed at protecting businesses of all sizes. He has also developed a strong understanding of consumer perception and reaction to identity theft and its consequences.

     Michael has also been responsible for breaking some major identity theft stories in the media including the availability of fraudulent documents online, car cloning, junk mail and postal theft. Committed to forging industry co-operation to reduce the opportunities for identity theft, he is leading the call for consumers to change their behaviour to counter what is becoming an increasingly sophisticated and intrusive crime. Michael is media trained across print and broadcast and is available for media interviews on the issue of identity fraud.
 13. Top tips to avoid falling victim to online fraud

     - Install a trusted anti-virus system and firewalls on your computer and keep them up-to-date. Usually a message will appear on your screen when updates need downloading.
     - Do not click on any link in an unsolicited e-mail, even if it seems genuine. If you are not sure, type in the web address and contact the bank using an advertised phone number or directory enquiries.
     - Do not engage in any dialogue with the fraudster by replying to phishing e-mails and providing bogus information or letting the sender know it is a scam. Doing so puts you and your PC at risk.
     - Do not give out PIN numbers or passwords to anyone online either, or over the telephone. Because fraudsters start with very limited information, phishing e-mails are usually addressed to “Dear Customer” rather than to your name.
     - Remember banks will never contact you by e-mail to ask you to enter passwords or any other sensitive information by clicking on a link or visiting a website. Phishing e-mails are sent out completely at random in the hope of reaching a live e-mail address of a customer with an account at the bank being targeted.
     - Only make online transactions on secure websites that begin ‘https’ or display a padlock in the corner of your web browser.
     - Register your payment cards with Verified by Visa or MasterCard SecureCode. It adds another layer to online security and makes it harder to fall victim to online fraud.
     - Always log out after shopping online and save the confirmation e-mail as a record of your order.
     - If you are a victim of online banking fraud, you have protection through the Banking Code, which states that unless you have acted fraudulently or without reasonable care you will not be liable for losses caused by someone else.
     - Avoid carrying out transactions on public or shared computers.
 14. 1.7 How to create a secure password

     - Make sure it is at least 8 characters (9 or 10 would be even better)
     - Ideally your password should consist of a combination of upper and lower case letters, numbers and special characters like £, $, %, and
     - Ideally it should not be a guessable or dictionary word, and never use obvious words such as ‘password’, ‘hello’ or ‘1234’
     - The trick for choosing a password is to pick an everyday word or phrase that means something to you and turn it into something secure. That way, providing you remember how you made it secure, you will find it easier to remember your password. For example: think of a phrase, song title or another group of words that you might easily remember and remove the vowels, so ‘Secure Password’ becomes ‘scrpsswrd’. For added security add a four digit number to the end; this could be the last four digits of a friend’s phone number, so we then have ‘scrpsswrd2301’. Finally replace some letters with special characters and make others upper case (replace ‘S’ letters with a ‘£’ sign and change all ‘R’s’ to upper case). So your final password is ‘£cRp££wRd2301’.
     • Do not write your password down
     • Do not tell your password to anyone else, not even family or friends
     • If possible use different passwords for different websites
     • Always log off on your computer when finished, particularly on shared use or public computers

     1.8 For further information please contact:

     Nick Jones, PR and Communications Manager, CPP Group Plc, Holgate Park, York YO26 4GA
     Tel 01904 544 387
     E-Mail
     Web www.cppgroup.com
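The following Python script is an added worked example, not code from the CPP paper. It applies the vowel-stripping recipe from section 1.7 to the paper's own phrase, checks a candidate against the section's length, character-class and obvious-word rules, and estimates the worst-case time a pure brute-force search would need at the 10 million guesses per second the foreword quotes. Assumptions of mine, also marked in the comments: the symbol pool size of 33, the "three of four character classes" pass threshold, and the obvious-word list being exactly the three words the section names. Applying the recipe's steps to 'Secure Password' with the digits '2301' yields '£cRp££wRd2301'.

```python
import math

# Added example, not part of the CPP white paper. Pool sizes for the four
# character classes: 26/26/10 are exact; 33 for symbols is an assumption
# (the 32 ASCII punctuation characters plus the '£' the paper's recipe uses).
POOLS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# The foreword's figure: a good laptop guesses 10 million combinations per second.
GUESSES_PER_SECOND = 10_000_000

# Words section 1.7 says never to use (constructed list from the page).
OBVIOUS = {"password", "hello", "1234"}

VOWELS = set("aeiou")


def mangle(phrase, digits):
    """Section 1.7's recipe: drop vowels and spaces (lower-cased), append four
    digits, then turn every 's' into '£' and every 'r' into upper case 'R'."""
    stem = "".join(ch for ch in phrase.lower() if ch.isalpha() and ch not in VOWELS)
    return "".join("£" if ch == "s" else "R" if ch == "r" else ch for ch in stem + digits)


def classes_present(pw):
    """Which of the four character classes occur in pw."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")
    return found


def check_rules(pw):
    """Names of the section 1.7 rules that pw fails; an empty list means it passes.
    Requiring three of the four classes is my threshold (the paper says 'ideally' all)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if len(classes_present(pw)) < 3:
        failures.append("fewer than three character classes")
    if pw.lower() in OBVIOUS:
        failures.append("obvious word")
    return failures


def search_space_bits(pw):
    """log2 of the number of strings of pw's length over the classes pw uses."""
    pool = sum(POOLS[c] for c in classes_present(pw))
    return len(pw) * math.log2(pool)


def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to enumerate every string of pw's length drawn from the
    classes pw uses, at `rate` guesses per second. Pure enumeration only: a
    dictionary or rule-based attack on a password derived from a common phrase
    can finish far sooner, so treat this as an upper bound."""
    pool = sum(POOLS[c] for c in classes_present(pw))
    return pool ** len(pw) / rate


def report(pw):
    """One-line summary used by the demo below."""
    failed = ", ".join(check_rules(pw)) or "passes all rules"
    days = brute_force_seconds(pw) / 86400
    return f"{pw!r}: {search_space_bits(pw):.1f} bits, up to {days:,.1f} days to enumerate; {failed}"


if __name__ == "__main__":
    # Constructed inputs: the paper's own worked phrase and two weak choices.
    final = mangle("Secure Password", "2301")   # -> '£cRp££wRd2301'
    for candidate in ("password", "scrpsswrd", "scrpsswrd2301", final):
        print(report(candidate))
```

The enumeration figure is deliberately an upper bound: at the quoted rate, eight lower-case letters fall in under six hours and nine in about six days, while the four-class thirteen-character result is out of reach of enumeration. The estimate says nothing about attacks that try dictionary words and common substitutions first, which is why the paper's warning about guessable words matters more than the length arithmetic alone.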
 15. 1.9 About CPP

     The CPP Group Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.

     This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

     Whether our customers have lost their wallets, been a victim of identity fraud or are looking for lifestyle perks, CPP can help remove the hassle from their lives, leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living, whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

     Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia Pacific and employs 2,000 employees who handle 16 million consumer sales and service conversations each year.

     In 2008, Group revenue was £259.5 million, an increase of more than 15 per cent over the previous year. This is more than five times the sales level of 2000.

     What We Do:

     CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers. We have a solution for many eventualities, including:
     - Insuring our customers’ mobile phones
     - Protecting the payment cards in our customers’ wallets and purses, should these be lost or stolen
     - Providing assistance and protection if a customer’s keys are lost or stolen
     - Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud
     - Offering advice to people considering legal action and cover for the costs involved in taking action on a range of legal issues
     - Providing discounts on everyday lifestyle commodities
     - Monitoring the credit status of our customers

     For more information on CPP visit:

     CPP is an award-winning organisation:
     - Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
     - Finalists in the National Business Awards, 3i Growth Strategy category, 2008
     - Finalist in the National Business Awards, Business of the Year category, 2007 and Highly Commended in 2008
     - Named in the Sunday Times 2006, 2007 and 2008 HSBC Top Track 250 companies
     - Regional winner of the National Training Awards, 2007
     - Winner of the BITC Health, Work and Well-Being Award, 2007
     - Highly Commended in the UK National Customer Service Awards, 2006
     - Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
     - Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007
     - Award Finalist in the National Business Awards, Innovation category, 2005
     - Award finalist for the 2003 The Royal Bank of Scotland Sunday Times Business Awards
     - Recognised as one of the Growth Plus Europe 500 companies