Contents
1.1 Foreword
1.2 Industry Facts
1.3 Research methodology
1.4 Key Findings
- Over 1.7 million people use the same password every time they go online
- Only a few people have a unique password for their online accounts
- A large minority do not keep passwords confidential
- One in ten people have had their web accounts accessed by fraudsters
- Nearly one in five (18%) had goods illegally bought in their name
- People choose predictable passwords that aren’t difficult to crack
- “It’s too difficult to remember numerous passwords”
1.5 Conclusion
1.6 Avoiding online fraud
1.7 How to create a secure password
1.8 Further Information
1.9 About CPP
Password Online Security September 2009
Introduction
1.1 Foreword
Today just about everything under the sun – from our favourite books, films and music to our
medical and financial records – has moved online. And to access this content you invariably
need a password.
In addition, the number of web users is expected to increase from 1.5 billion today to 2.2
billion by 2013, putting a huge amount of information and content on the internet. Every
year, the equivalent of 40,000 years of television is added to the web; a clear indication that
the internet has truly penetrated all aspects of our daily lives.
Unfortunately the increased use of the internet is associated with the increased use of the
channel as a means to defraud consumers. Fraud losses from online banking rose last year
132% to £52.5m. In addition, the main driver for card fraud remains card-not-present (CNP)
fraud, which is predominately fraud over the internet, which last year totalled £328.4m, up
13% year-on-year.
Fraud that does not require face-to-face contact is inevitably less risky for the perpetrator
and will continue its upwards trend until a mass market solution is introduced; very much
like how Chip and PIN has significantly reduced retailer or face-to-face fraud in the UK from
a peak of £218.8m in 2004 – the year before its widespread introduction in the UK. In 2008
retailer fraud stood at £98.5m.
The biggest challenge consumers face is managing their secure online authentication.
This report clearly shows us that consumer behaviour around managing their passwords is
not consistent with keeping their online accounts secure. Hackers using a good laptop and
brute force software to crack passwords can comfortably guess 10 million combinations
per second, meaning our passwords are probably not as secure as we think they are.
In addition, we now have sophisticated methods of extracting this information via phishing
e-mails, malware and increasingly smishing (via SMS) and vishing (voice).
It will be interesting to see whether the industry moves beyond the use of passwords for
secure authentication as fraudsters continue the trend of account takeover. And whether
consumers will ultimately object to carrying around multi-factor authentication in the form
of card-sized number generators to authenticate online access or continue to remember
lots of unique passwords.
1.2 Industry Facts
The proliferation of online threats continues and it is contributing to the rise in online
banking fraud losses.
- Online banking fraud losses totalled £52.5m in 2008, up 132% year-on-year
(source: APACS)
- Account (or facility) takeover rose 207% in 2008 to 19,275 victims
(source: CIFAS)
- 14,369 different phishing e-mails were sent in the first quarter of 2009,
up from 10,235 in the same period last year
(source: APACS)
- Panda Security reports receiving more than 35,000 new malware samples –
viruses, worms, Trojans – every day. Trojan software designed to steal bank
details, debit/credit card numbers, or online login names and passwords
represents 71% of this total, up from 51% in 2007
- AVG Technologies reported 64% of web users only rarely changed their
passwords, while only 43% adjust their privacy settings on a regular basis – this
is despite 55% reporting to have been a victim of a phishing attack and 47%
having been attacked by malware
1.3 Research Methodology
CPP commissioned research in August 2009 to establish how much risk consumers were
putting themselves at through the inappropriate use of passwords, such as repetitive
passwords or passwords that are not confidential. The research also sought to find out
whether their online accounts have been accessed by fraudsters either by phishing or
malware software.
A representative sample of 1,661 UK credit and debit card holders aged 18+ were
questioned by Tickbox.net/Opinion Matters.
1.4 Key Findings
Over 1.7 million people use the same password every time they go online
Whilst nearly half of people have five or more passwords, a small number (5%) rely on a
single password to access all their online accounts. With over 33.9 million people having
access to the internet in the UK (Office for National Statistics), this equates to over half a
million people who are compromising their online security through the repetitive use of a
single password.
Those aged 16-24 years old are the most likely (11.3%) to put themselves at risk through
the use of repetitive passwords, which is surprising given they have grown up with the
internet and should be most aware of the threats posed by malware and internet hackers.
Q: How many passwords and logins do you have?
Only a few people have a unique password for their online accounts
With over 182,226,259 internet sites (source: Netcraft April 2008) in existence (and
growing by an estimated million per month), the prominence of the internet across all
areas of our lives is not in question. With passwords required for most online sites
including banking, shopping, social media, employment, medical and sport and leisure, it
is not surprising that only 11% have a completely different password for each of their
internet accounts.
Men are more likely to be more security conscious and use a completely different
password for every site, but they are shown to access fewer sites and are therefore able to
remember more unique passwords.
The average number of websites visited each month that require a password and login is
23. Women are more likely to log in to more internet sites – 38% access between sixteen
to twenty separate websites versus 31% of men.
A further 54% of adults confess to using variations of the same login password.
It is clear consumers simply have too many passwords to remember and therefore resort
to using the same password, use passwords that are easy to remember (and so easy to
‘break’), write them down, or rely on resetting them using the ‘forgotten your password’
function on a website, which itself can be insecure.
Q: Do you have completely different passwords and logins for every site?
A large minority do not keep passwords confidential
Despite the constant threat of fraud and barrage of media reports about online fraud, this
report shows that nearly 40% of adults admit that at least one other person knows their
passwords, ranging from partners, friends, children and parents. Interestingly over half a
million people confess their ex-partners have access to their personal login details.
Women are more likely to have shared their passwords (42.2% versus 34.9%) than men.
Women are most likely to share their passwords with their partners and children.
With over 50 billion pounds spent online in the UK every year, and a 132% rise in web
banking fraud against UK consumers last year totalling £52.5 million, the need for
increased vigilance is clear.
Q: Do any other people know your passwords or login details for your email addresses,
shopping accounts or social networking profiles?
One in ten people have had their web accounts accessed by fraudsters
The threat of fraud is real – one in ten people have had their web accounts accessed by
fraudsters. Demographically those aged 25-34 were the most likely to confirm their
accounts had been illegally accessed (14%). Worryingly the majority of these attacks
(57%) have happened in the last twelve months.
This statistic is backed up by the huge rise in account takeover during the course of 2008.
This type of fraud increased 207% with over 19,000 victims. Account takeover is when the
perpetrator secretly ‘hijacks and plunders’ a victim’s account, often through ‘phishing’,
where a fraudster will solicit passwords and login details as well as other sensitive financial
information to illegally hijack accounts.
There has also been a parallel rise in ‘smishing’ where fraudsters use SMS text messages
to try to impersonate financial services companies, phone firms and other retail businesses.
Q: Have any of your e-mail addresses, social networking profiles or shopping accounts ever been
hacked/broken into/used fraudulently?
Nearly one in five (18%) had goods illegally bought in their name
Of those people who had their accounts hijacked, 18% of people said goods were illegally
bought in their name and nearly 14% said money was stolen. Equally distressing, many
people reported fake e-mails and spam being sent in their name, which could be an
attempt to ‘phish’ for personal or sensitive financial information, or just malicious
dissemination of content.
The average sum of money stolen was reported to be £1,030. Demographically there were
big differences between men and women, with 43% of men saying over £1,000 was
stolen versus only 13% of women.
The majority (36.4%) of people claimed to have lost between £101 and £500.
Q: Which of the following did you experience when your email addresses, social networking profiles
or shopping accounts were hacked/broken into/used fraudulently?
People choose predictable passwords that aren’t difficult to crack
People’s vulnerability is heightened by the fact that many people resort to choosing predictable
passwords that aren’t difficult to crack. Nearly one in five (18%) use their pet’s names while
one in eight use memorable dates like birthdays or wedding anniversaries (12%). Others use
their children’s names (10%) or even their mother’s maiden name (nine per cent).
Whilst these passwords may be appropriate for some online sites i.e. news sites, they are
inappropriate for online banking and retail sites, for example.
Q: How do you usually choose your password?
Ten most popular passwords
1 Pet’s Name 18%
2 Memorable date i.e. wedding anniversary 12.3%
3 Child’s name 10.3%
4 Mother’s Maiden name 8.7%
5 Your name 7.9%
6 Your birthday 5.5%
7 Favourite place 5.5%
8 Holiday destination 5.2%
9 Home town 4.9%
10 Favourite football team 4.4%
“It’s too difficult to remember numerous passwords”
The majority (68%) of people claim it is too difficult to remember numerous passwords
and 17% say they are worried about forgetting a password and being logged out.
Women are more likely than men to worry about remembering passwords. This is backed
up by the fact that they are less likely to have unique passwords for different online sites.
Demographically those aged 24-34 (74%) are most likely to claim it is difficult to
remember passwords versus those aged 55+ (62%), who probably log in to fewer online sites.
With more and more fraudsters attempting to obtain account numbers, passwords and
PINs by randomly e-mailing people, it is even more important people adopt more
sophisticated passwords and change them on a regular basis – the fact that we claim it is
too difficult makes consumers an easy target for fraudsters.
The latest statistics from APACS report that it counted 14,369 different versions of
phishing e-mails in the first quarter of 2009, up 40% from 10,235 in the same period the
year before. With each e-mail sent to millions of recipients, the total sent annually runs
comfortably into the tens of billions.
Q: Which of the following best describes why you do not have a completely different password
and login for every site?
1.5 Conclusion
It is clear that although the internet has revolutionised the way we live our lives, it has also
provided new avenues for fraudsters to exploit and the danger of internet scams has
never been higher.
Consumers are still falling victim to online scams and responding to fraudulent requests
for personal and other sensitive information – perhaps the immediacy and informality of
the internet makes us less suspicious of official-looking requests. In the past CPP has
conducted social engineering experiments and has found that an official looking clipboard,
branded t-shirt and badge is often enough to extract enough information to commit
identity fraud and account takeover.
This report clearly shows us that consumers are not being cautious enough with regards
to having secure passwords and are all too often reliant on a single, simple password,
which is not secure, in order to access all of their online accounts including retail and
banking sites. The motivation for only using one password remains the simple fact that
consumers find it too difficult to remember multiple unique passwords for numerous sites
particularly as we manage more and more of our daily lives online.
Having secure passwords in place is an important part of the prevention process. However, it
has to be complemented by installing proper internet and computer security programmes
that are kept regularly updated. The proliferation of viruses means we may inadvertently
download viruses that capture sensitive financial information and our password details.
With losses from online fraud escalating, the need for identity protection products and
services has never been greater.
1.6 Avoiding Online Fraud
Michael Lynch is an identity fraud expert at CPP and offers the following advice to
consumers to help protect them from identity fraud. Michael is responsible for the UK
Identity Protection portfolio at CPP Group Plc (CPP).
Michael has been with CPP for 14 years. His experience in financial services extends to
customer service, new product and market development and affinity relationships.
During his time at CPP, Michael has helped bring to market the UK’s market leading
service, Identity Protection, which now protects over one million UK consumers from the
consequences of this rapidly growing crime. In addition, Michael has used his expertise to
create a commercial identity theft product aimed at protecting businesses of all sizes. He
has also developed a strong understanding of consumer perception and reaction to
identity theft and its consequences. Michael has also been responsible for breaking some
major identity theft stories in the media including the availability of fraudulent documents
online, car cloning, junk mail and postal theft. Committed to forging industry co-operation to
reduce the opportunities for identity theft he is leading the call for consumers to change their
behaviour to counter what is becoming an increasingly sophisticated and intrusive crime.
Michael is media trained across print and broadcast and is available for media interviews
on the issue of identity fraud.
Top tips to avoid falling victim to online fraud
- Install a trusted anti-virus system and firewalls on your computer and keep
them up-to-date. Usually a message will appear on your screen when updates
need downloading.
- Do not click on any link in an unsolicited e-mail, even if it seems genuine. If you
are not sure type in the web address and contact the bank using an advertised
phone number or directory enquiries.
- Do not engage in any dialogue with the fraudster by replying to phishing e-mails
and providing bogus information or letting the sender know it is a scam.
Doing so puts you and your PC at risk.
- Do not give out PIN numbers or passwords to anyone, either online or over the
telephone. Because fraudsters start with very limited information, phishing e-mails
are usually addressed to “Dear Customer” rather than to your name.
- Remember banks will never contact you by e-mail to ask you to enter passwords
or any other sensitive information by clicking on a link or visiting a website.
Phishing e-mails are sent out completely at random in the hope of reaching a live
e-mail address of a customer with an account at the bank being targeted.
- Only make online transactions on secure websites that begin ‘https’ or display
a padlock in the corner of your web browser.
- Register your payment cards with Verified by Visa or MasterCard SecureCode. It adds
another layer to online security and makes it harder to fall victim to online fraud.
- Always log out after shopping online and save the confirmation e-mail as a
record of your order.
- If you are a victim of online banking fraud, you have protection through the
Banking Code, which states that unless you have acted fraudulently or without
reasonable care you will not be liable for losses caused by someone else.
- Avoid carrying out transactions on public or shared computers.
1.7 How to create a secure password
- Make sure it is at least 8 characters (9 or 10 would be even better)
- Ideally your password should consist of a combination of upper and lower case
letters, numbers and special characters like £, $, %, and
- Ideally it should not be a guessable or dictionary word and never use obvious
words such as ‘password’, ‘hello’ or ‘1234’
- The trick for choosing a password is to pick an everyday word or phrase that
means something to you and turn it into something secure. That way, providing
you remember how you made it secure, you will find it easier to remember
your password, for example:
- Think of a phrase, song title or another group of words that you might easily
remember and remove the vowels. So ‘Secure Password’ becomes
‘scrpsswrd’. For added security add a four digit number to the end. This could
be the last four digits of a friend’s phone number, so we then have
‘scrpsswrd2301’. Finally replace some letters with special characters and make
others upper case (replace ‘S’ letters with a ‘£’ sign and change all ‘R’s’ to
upper case). So your final password is ‘£cRp££wRd2301’.
- Do not write your password down
- Do not tell your password to anyone else, not even family or friends
- If possible use different passwords for different websites
- Always log off on your computer when finished, particularly on shared
use or public computers
1.8 For further information please contact:
Nick Jones
PR and Communications Manager
CPP Group Plc
Holgate Park
York YO26 4GA
Tel 01904 544 387
E-Mail nick.jones@cpp.co.uk
Web www.cppgroup.com
1.9 About CPP
The CPP Group Plc (CPP) is an international marketing services business offering bespoke
customer management solutions to multi-sector business partners designed to enhance
their customer revenue, engagement and loyalty, whilst at the same time reducing cost to
deliver improved profitability.
This is underpinned by the delivery of a portfolio of complementary Life Assistance
products, designed to help our mutual customers cope with the anxieties associated with
the challenges and opportunities of everyday life.
Whether our customers have lost their wallets, been a victim of identity fraud or looking
for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to
enjoy life. Globally, our Life Assistance products and services are designed to simplify the
complexities of everyday living whether these affect personal finances, home, travel,
personal data or future plans. When it really matters, Life Assistance enables people to live
life and worry less.
Established in 1980, CPP has 11 million customers and more than 200 business partners
across Europe, North America and Asia Pacific and employs 2,000 employees who handle
16 million consumer sales and service conversations each year.
In 2008, Group revenue was £259.5 million, an increase of more than 15 per cent over the
previous year. This is more than five times the sales level of 2000.
What We Do:
CPP provides a range of assistance products and services that allow our business partners
to forge closer relationships with their customers.
We have a solution for many eventualities, including:
- Insuring our customers’ mobile phones
- Protecting the payment cards in our customers’ wallets and purses, should
these be lost or stolen
- Providing assistance and protection if a customer’s keys are lost or stolen
- Providing advice, insurance and assistance to protect customers against the
insidious crime of identity fraud
- Offering advice to people considering legal action and cover for the costs
involved in taking action on a range of legal issues
- Providing discounts on everyday lifestyle commodities
- Monitoring the credit status of our customers
For more information on CPP visit:
www.cppgroup.com
CPP is an award-winning organisation:
- Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
- Finalists in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category, 2007
and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007 and 2008 HSBC Top Track 50 companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education, 2005
and 2006. Winner in 2007
- Award Finalist in the National Business Awards, Innovation category, 2005
- Award finalist for the 2003 The Royal Bank of Scotland Sunday Times Business Awards
- Recognised as one of the Growth Plus Europe 500 companies