Consumers' loose habits around their account passwords and mobile devices will force credit unions and banks to take stronger security measures, a recent study suggests.
The findings come at a time when mobile banking adoption and usage are expected to continue growing rapidly (Aite Group expects 96.1 million Americans to be using mobile banking by 2016) and as phishing and hacking attempts on bank customers escalate.
Mobile device users are about 25% more likely than the general population to use the same password to access more than one online account, according to the survey of 5,634 U.S. adults, which was conducted by Javelin Strategy and Research. This motivates criminals to seek to steal account credentials from mobile device users with the expectation that they will provide an entree to a variety of the victim's valuable accounts and services, the report's author, Al Pascual, said.
"Generally folks are doing a really poor job of securing their devices and any accounts associated with that device," he said.
The repurposing of passwords is easy to understand. It is hard to enter long passwords on small devices. Consumers tend to access more apps and online services through their mobile devices than from full-sized computers, making password discipline harder to maintain.
It is not just consumers who are apathetic about mobile device security, Pascual notes. "Device manufacturers and carriers often provide updates haphazardly, or they don't consider the effect an update has on consumers' willingness to upgrade their devices - they'll just wait until they can afford a new one. That means security vulnerabilities aren't addressed."
Financial institutions got called out in the report for providing one-time passwords through text messages, which can be intercepted by certain types of malware. Using one-time passwords to authenticate a user was once considered a decent form of second-factor authentication.
"It was a good idea until two years ago, when it started to become really popular, then you knew it was done in," Pascual said. "As soon as it became ubiquitous, it was done for."
In short, when it comes to mobile security, nothing is working.
"No one is doing nearly enough," Pascual said.
The way forward, many in the industry believe, is biometrics.
Fingerprint recognition is the most popular form of biometric authentication among consumers - more than a third said they would prefer to use a fingerprint to authenticate their identity online.
Apple's building of fingerprint recognition into some of its phones has helped raise awareness and acceptance of the technology, which was once associated with criminals.
Some security experts have pointed out that fingerprints can be lifted off a phone, glass or other object and reproduced, and that consumers cannot simply call a call center to change a fingerprint the way they can a password. And once a fingerprint is transmuted into a data string, as all biometric identities eventually are, it could be stolen from a database like any other data element.
But the odds of someone going to the trouble of stealing a physical fingerprint are low, according to Pascual.
The far greater problem is that criminals are compromising accounts en masse over the Internet, using stolen information such as passwords and Social Security numbers. "We really need to deal with that problem first," he said. "Fingerprints are worlds more secure than we are today."
Eye (iris or retina) recognition is also well received among the consumers Javelin surveyed - more than 13% said eye scanning would be their preferred method of biometric authentication. Pascual chalks this up to the many popular fiction books and movies featuring the technology.
"It conjures up a certain image," Pascual said. "Over the next few years, I think we'll see that come into its own."
In fact, Pascual predicts that within a few years, passwords will disappear, at least for high-risk transactions.