Password Online Security A CPP white paper September 2009


As the number of cases of online identity theft rises, we need to make sure we protect ourselves online. Find out what steps to take by reading more…


Contents

1.1 Foreword

1.2 Industry Facts

1.3 Research methodology

1.4 Key Findings

- Over 1.7 million people use the same password every time they go online
- Only a few people have a unique password for their online accounts
- A large minority do not keep passwords confidential
- One in ten people have had their web accounts accessed by fraudsters
- Nearly one in five (18%) had goods illegally bought in their name
- People choose predictable passwords that aren’t difficult to crack
- “It’s too difficult to remember numerous passwords”

1.5 Conclusion

1.6 Avoiding online fraud

1.7 How to create a secure password

1.8 Further Information

1.9 About CPP


1.1 Foreword

Today just about everything under the sun – from our favourite books, films and music to our medical and financial records – has moved online. And to access this content you invariably need a password. In addition, the number of web users is expected to increase from 1.5 billion today to 2.2 billion by 2013, putting a huge amount of information and content on the internet. Every year, the equivalent of 40,000 years of television is added to the web; a clear indication that the internet has truly penetrated all aspects of our daily lives.

Unfortunately the increased use of the internet is associated with the increased use of the channel as a means to defraud consumers. Fraud losses from online banking rose last year 132% to £52.5m. In addition, the main driver for card fraud remains card-not-present (CNP) fraud, which is predominately fraud over the internet, which last year totalled £328.4m, up 13% year-on-year.

Fraud that does not require face-to-face contact is inevitably less risky for the perpetrator and will continue its upwards trend until a mass market solution is introduced; very much like how Chip and PIN has significantly reduced retailer or face-to-face fraud in the UK from a peak of £218.8m in 2004 – the year before its widespread introduction in the UK. In 2008 retailer fraud stood at £98.5m.

The biggest challenge consumers face is managing their secure online authentication. This report clearly shows us that consumer behaviour around managing their passwords is not consistent with keeping their online accounts secure. Hackers using a good laptop and brute force software to crack passwords can comfortably guess 10 million combinations per second, meaning our passwords are probably not as secure as we think they are. In addition, we now have sophisticated methods of extracting this information via phishing e-mails, malware and increasingly smishing (via SMS) and vishing (voice).

It will be interesting to see whether the industry moves beyond the use of passwords for secure authentication as fraudsters continue the trend of account takeover, and whether consumers will ultimately object to carrying around multi-factor authentication in the form of card-sized number generators to authenticate online access or continue to remember lots of unique passwords.


1.2 Industry Facts

The proliferation of online threats continues and it is contributing to the rise in online banking fraud losses.

- Online banking fraud losses totalled £52.5m in 2008, up 132% year-on-year (source: APACS)
- Account (or facility) takeover rose 207% in 2008 to 19,275 victims (source: CIFAS)
- 14,369 different phishing e-mails were sent in the first quarter of 2009, up from 10,235 in the same period last year (source: APACS)
- Panda Security reports receiving more than 35,000 new malware samples – viruses, worms, Trojans – every day. Trojan software designed to steal bank details, debit/credit card numbers, or online login names and passwords represents 71% of this total, up from 51% in 2007
- AVG Technologies reported that 64% of web users only rarely changed their passwords, while only 43% adjust their privacy settings on a regular basis – this is despite 55% reporting having been a victim of a phishing attack and 47% having been attacked by malware

1.3 Research Methodology

CPP commissioned research in August 2009 to establish how much risk consumers were putting themselves at through the inappropriate use of passwords, such as repetitive passwords or passwords that are not confidential. The research also sought to find out whether their online accounts have been accessed by fraudsters either by phishing or malware software.

A representative sample of 1,661 UK credit and debit card holders aged 18+ were questioned by Tickbox.net/Opinion Matters.


1.4 Key Findings

Over 1.7 million people use the same password every time they go online

Whilst nearly half of people have five or more passwords, a small number (5%) rely on a single password to access all their online accounts. With over 33.9 million people having access to the internet in the UK (Office for National Statistics), this equates to over half a million people who are compromising their online security through the repetitive use of a single password.

Those aged 16-24 years old are the most likely (11.3%) to put themselves at risk through the use of repetitive passwords, which is surprising given they have grown up with the internet and should be most aware of the threats posed by malware and internet hackers.

Q: How many passwords and logins do you have?


Only a few people have a unique password for their online accounts

With over 182,226,259 internet sites (source: Netcraft April 2008) in existence (and growing by an estimated million per month), the prominence of the internet across all areas of our lives is not in question. With passwords required for most online sites including banking, shopping, social media, employment, medical and sport and leisure, it is not surprising that only 11% have a completely different password for each of their internet accounts.

Men are more likely to be more security conscious and use a completely different password for every site, but they are shown to access fewer sites and are therefore able to remember more unique passwords.

The average number of websites visited each month that require a password and login is 23. Women are more likely to log in to more internet sites – 38% access between sixteen and twenty separate websites versus 31% of men.

A further 54% of adults confess to using variations of the same login password.

It is clear consumers simply have too many passwords to remember and therefore resort to using the same password, use passwords that are easy to remember (and so easy to ‘break’), write them down, or rely on resetting them using the ‘forgotten your password’ function on a website, which itself can be insecure.

Q: Do you have completely different passwords and logins for every site?

A large minority do not keep passwords confidential

Despite the constant threat of fraud and barrage of media reports about online fraud, this report shows that nearly 40% of adults admit that at least one other person knows their passwords, ranging from partners, friends, children and parents. Interestingly over half a million people confess their ex-partners have access to their personal login details.

Women are more likely than men to have shared their passwords (42.2% versus 34.9%). Women are most likely to share their passwords with their partners and children.

With over 50 billion pounds spent online in the UK every year, and a 132% rise in web banking fraud against UK consumers last year totalling £52.5 million, the need for increased vigilance is clear.

Q: Do any other people know your passwords or login details for your email addresses, shopping accounts or social networking profiles?


One in ten people have had their web accounts accessed by fraudsters

The threat of fraud is real – one in ten people have had their web accounts accessed by fraudsters. Demographically those aged 25-34 were the most likely to confirm their accounts had been illegally accessed (14%). Worryingly the majority of these attacks (57%) have happened in the last twelve months.

This statistic is backed up by the huge rise in account takeover during the course of 2008. This type of fraud increased 207% with over 19,000 victims. Account takeover is when the perpetrator secretly ‘hijacks and plunders’ a victim’s account, often through ‘phishing’, where a fraudster will solicit passwords and login details as well as other sensitive financial information to illegally hijack accounts.

There has also been a parallel rise in ‘smishing’ where fraudsters use SMS text messages to try to impersonate financial services companies, phone firms and other retail businesses.

Q: Have any of your e-mail addresses, social networking profiles or shopping accounts ever been hacked/broken into/used fraudulently?


Nearly one in five (18%) had goods illegally bought in their name

Of those people who had their accounts hijacked, 18% of people said goods were illegally bought in their name and nearly 14% said money was stolen. Equally distressing, many people reported fake e-mails and spam being sent in their name, which could be an attempt to ‘phish’ for personal or sensitive financial information, or just malicious dissemination of content.

The average sum of money stolen was reported to be £1,030. Demographically there were big differences between men and women, with 43% of men saying over £1,000 was stolen versus only 13% of women.

The majority (36.4%) of people claimed to have lost between £101 and £500.

Q: Which of the following did you experience when your email addresses, social networking profiles or shopping accounts were hacked/broken into/used fraudulently?


People choose predictable passwords that aren’t difficult to crack

People’s vulnerability is heightened by the fact that many people resort to choosing predictable passwords that aren’t difficult to crack. Nearly one in five (18%) use their pet’s name while one in eight use memorable dates like birthdays or wedding anniversaries (12%). Others use their children’s names (10%) or even their mother’s maiden name (nine per cent).

Whilst these passwords may be appropriate for some online sites, e.g. news sites, they are inappropriate for online banking and retail sites, for example.

Q: How do you usually choose your password?

Ten most popular passwords

1 Pet’s Name 18%

2 Memorable date i.e. wedding anniversary 12.3%

3 Child’s name 10.3%

4 Mother’s Maiden name 8.7%

5 Your name 7.9%

6 Your birthday 5.5%

7 Favourite place 5.5%

8 Holiday destination 5.2%

9 Home town 4.9%

10 Favourite football team 4.4%


“It’s too difficult to remember numerous passwords”

The majority (68%) of people claim it is too difficult to remember numerous passwords and 17% say they are worried about forgetting a password and being logged out.

Women are more likely than men to worry about remembering passwords. This is backed up by the fact that they are less likely to have unique passwords for different online sites.

Demographically, 24-34 year olds (74%) are most likely to claim it is difficult to remember passwords, versus those aged 55+ (62%), who probably log in to fewer online sites.

With more and more fraudsters attempting to obtain account numbers, passwords and PINs by randomly e-mailing people, it is even more important that people adopt more sophisticated passwords and change them on a regular basis – the fact that we claim it is too difficult makes consumers an easy target for fraudsters.

The latest statistics from APACS report that it counted 14,369 different versions of phishing e-mails in the first quarter of 2009, up 40% from 10,235 in the same period the year before. With each e-mail sent to millions of recipients, the total sent annually runs comfortably into the tens of billions.

Q: Which of the following best describes why you do not have a completely different password and login for every site?


1.5 Conclusion

It is clear that although the internet has revolutionised the way we live our lives, it has also provided new avenues for fraudsters to exploit, and the danger of internet scams has never been higher.

Consumers are still falling victim to online scams and responding to fraudulent requests for personal and other sensitive information – perhaps the immediacy and informality of the internet makes us less suspicious of official-looking requests. In the past CPP has conducted social engineering experiments and has found that an official looking clip-board, branded t-shirt and badge is often enough to extract enough information to commit identity fraud and account takeover.

This report clearly shows us that consumers are not being cautious enough with regards to having secure passwords and are all too often reliant on a single, simple password, which is not secure, in order to access all of their online accounts including retail and banking sites. The motivation for only using one password remains the simple fact that consumers find it too difficult to remember multiple unique passwords for numerous sites particularly as we manage more and more of our daily lives online.

Having secure passwords in place is an important part of the prevention process. However, it has to be complemented by installing proper internet and computer security programmes that are kept regularly updated. The proliferation of viruses means we may inadvertently download viruses that capture sensitive financial information and our password details.

With losses from online fraud escalating, the need for identity protection products and services has never been greater.

1.6 Avoiding Online Fraud

Michael Lynch is an identity fraud expert at CPP and offers the following advice to consumers to help protect them from identity fraud. Michael is responsible for the UK Identity Protection portfolio at CPP Group Plc (CPP).

Michael has been with CPP for 14 years. His experience in financial services extends to customer service, new product and market development and affinity relationships.

During his time at CPP, Michael has helped bring to market the UK’s market leading service, Identity Protection, which now protects over one million UK consumers from the consequences of this rapidly growing crime. In addition, Michael has used his expertise to create a commercial identity theft product aimed at protecting businesses of all sizes. He has also developed a strong understanding of consumer perception and reaction to identity theft and its consequences. Michael has also been responsible for breaking some major identity theft stories in the media including the availability of fraudulent documents online, car cloning, junk mail and postal theft. Committed to forging industry co-operation to reduce the opportunities for identity theft, he is leading the call for consumers to change their behaviour to counter what is becoming an increasingly sophisticated and intrusive crime.

Michael is media trained across print and broadcast and is available for media interviews on the issue of identity fraud.


Top tips to avoid falling victim to online fraud

- Install a trusted anti-virus system and firewalls on your computer and keep them up-to-date. Usually a message will appear on your screen when updates need downloading.
- Do not click on any link in an unsolicited e-mail, even if it seems genuine. If you are not sure, type in the web address and contact the bank using an advertised phone number or directory enquiries.
- Do not engage in any dialogue with the fraudster by replying to phishing e-mails and providing bogus information or letting the sender know it is a scam. Doing so puts you and your PC at risk.
- Do not give out PIN numbers or passwords to anyone, either online or over the telephone. Because fraudsters start with very limited information, phishing e-mails are usually addressed to “Dear Customer” rather than to your name.
- Remember banks will never contact you by e-mail to ask you to enter passwords or any other sensitive information by clicking on a link or visiting a website. Phishing e-mails are sent out completely at random in the hope of reaching a live e-mail address of a customer with an account at the bank being targeted.
- Only make online transactions on secure websites that begin ‘https’ or display a padlock in the corner of your web browser.
- Register your payment cards with Verified by Visa or MasterCard SecureCode. It adds another layer to online security and makes it harder to fall victim to online fraud.
- Always log out after shopping online and save the confirmation e-mail as a record of your order.
- If you are a victim of online banking fraud, you have protection through the Banking Code, which states that unless you have acted fraudulently or without reasonable care you will not be liable for losses caused by someone else.
- Avoid carrying out transactions on public or shared computers.


1.7 How to create a secure password

Make sure it is at least 8 characters (9 or 10 would be even better)

Ideally your password should consist of a combination of upper and lower case letters, numbers and special characters like £, $, %, and &

Ideally it should not be a guessable or dictionary word, and never use obvious words such as ‘password’, ‘hello’ or ‘1234’

The trick for choosing a password is to pick an everyday word or phrase that means something to you and turn it into something secure. That way, providing you remember how you made it secure, you will find it easier to remember your password, for example:

Think of a phrase, song title or another group of words that you might easily remember and remove the vowels. So ‘Secure Password’ becomes ‘scrpsswrd’. For added security add a four digit number to the end. This could be the last four digits of a friend’s phone number, so we then have ‘scrpsswrd2301’. Finally replace some letters with special characters and make others upper case (replace ‘S’ letters with a ‘£’ sign and change all ‘R’s’ to upper case). So your final password is ‘£cRp££wRd2301’.

Do not write your password down

Do not tell your password to anyone else, not even family or friends

If possible use different passwords for different websites

Always log off on your computer when finished, particularly on shared use or public computers
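An added example, not part of the CPP paper: it applies the recipe above to the paper's own phrase and estimates the worst-case time to try every string of the same length and character mix at the 10 million guesses per second quoted in the foreword. The function names and the 33-character pool of special characters are assumptions made for this illustration.

```python
import string

# Guess rate quoted in this paper's foreword ("10 million combinations per second").
GUESSES_PER_SECOND = 10_000_000
# Assumption: the "special characters" pool is ASCII punctuation plus the pound sign.
SPECIALS = string.punctuation + "£"
VOWELS = set("aeiou")


def apply_recipe(phrase: str, digits: str) -> str:
    """Section 1.7 steps: drop vowels and spaces, append digits, s -> £, r -> R."""
    consonants = "".join(c for c in phrase.lower() if c.isalpha() and c not in VOWELS)
    return (consonants + digits).replace("s", "£").replace("r", "R")


def alphabet_size(password: str) -> int:
    """Size of the smallest character pool that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of the same length and alphabet.

    This is an upper bound that assumes each character was picked at random;
    names, dates and dictionary words fall far sooner to a word list.
    """
    return keyspace(len(password), alphabet_size(password)) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, span in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Each stage of the paper's worked example, plus a bare 8-letter word.
    final = apply_recipe("Secure Password", "2301")
    for pw in ("password", "scrpsswrd", "scrpsswrd2301", final):
        print(f"{pw!r:18} alphabet={alphabet_size(pw):3} worst case={human(seconds_to_exhaust(pw))}")
```

An eight-letter lower-case password is exhausted in under six hours at that rate, which is why the length and character-mix advice above matters.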

1.8 For further information please contact:

Nick Jones PR and Communications Manager CPP Group Plc Holgate Park York YO26 4GA

Tel 01904 544 387 E-Mail [email protected] Web www.cppgroup.com


CPP is an award-winning organisation:

- Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
- Finalists in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category, 2007 and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007 and 2008 HSBC Top Track 250 companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007
- Award Finalist in the National Business Awards, Innovation category, 2005
- Award finalist for the 2003 The Royal Bank of Scotland Sunday Times Business Awards
- Recognised as one of the Growth Plus Europe 500 companies


1.9 About CPP

The CPP Group Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.

This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

Whether our customers have lost their wallets, been a victim of identity fraud or are looking for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia Pacific and employs 2,000 employees who handle 16 million consumer sales and service conversations each year.

In 2008, Group revenue was £259.5 million, an increase of more than 15 per cent over the previous year. This is more than five times the sales level of 2000.

What We Do:

CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.

We have a solution for many eventualities, including:

- Insuring our customers’ mobile phones
- Protecting the payment cards in our customers’ wallets and purses, should these be lost or stolen
- Providing assistance and protection if a customer’s keys are lost or stolen
- Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud
- Offering advice to people considering legal action and cover for the costs involved in taking action on a range of legal issues
- Providing discounts on everyday lifestyle commodities
- Monitoring the credit status of our customers

For more information on CPP visit:

www.cppgroup.com
