Despite non-stop news reports about data breaches, Americans over the past year have gotten sloppier about their usage of passwords to protect their financial accounts online.
That’s the word from research firm Aite Group LLC and Visa Inc., which recently announced results of their second annual Global Security Engagement Scorecard survey. The purpose of the study was to find out how much consumers engage in safe procedures to protect their financial and other accounts with sensitive personal data. For this year’s survey, Aite queried 2,842 consumers in the United States, Australia, Brazil, Canada, India, South Africa, and the United Kingdom.
Many security executives and researchers dislike passwords because they’re often stolen in data breaches, and they can be easily guessed by fraudsters using specialty computer programs. Consumers magnify this flaw by frequently using the same user names and passwords, or slight variants of them, for multiple accounts. While warnings about password vulnerabilities abound, fewer Americans seem to be listening.
“The trend line on password hygiene is going in the wrong direction in the U.S. and India, with the number of consumers indicating that they use the same user name and password across all or most online sites increasing from 2016,” the survey summary says.
For example, 8% of U.S. respondents in the 2016 survey admitted to using the exact same password across all online sites. This year, 13% of Americans admitted to doing that. And in 2017, 18% of Americans said they use the same password across most online sites, up from 14% in 2016. The number of Americans saying they use the same password on some sites but different ones on others remained the same at 29%
Similar behavior is occurring in India, but the study still found that consumers in that country as well as Brazil and South Africa lead the pack this year in signing up for alerts to warn them of suspicious activity on their debit card accounts. Those three countries also lead in using credit card alerts. In the U.S., 66% of respondents said they use debit card alerts versus 86% of in India, 84% in South Africa, and 72% in Brazil. Consumers in India, Brazil, and South Africa also use anti-virus and anti-malware programs on their smart phones far more than citizens of the U.S., Canada, Australia and the U.K.
The likely source of many Americans’ lax behavior regarding passwords and card alerts is the zero-liability policies of the card networks and banks, according to security analyst Julie Conroy, research director at Aite Group. Many countries, including India, either don’t have such protections or have more limited ones than the U.S.
“Consumers in countries where the concept of zero liability is not well-established or well-understood are much more proactively engaged in the fraud-prevention experience, because they actually have skin in the game,” Conroy tells Digital Transactions News. “At the end of the day, U.S. consumers have very little actual liability for fraud. It’s a pain if it happens, but the bank or the merchant ultimately takes the financial responsibility, so convenience trumps security for the vast majority of consumers.”
Younger American adults, the so-called GenXers and Millennials, were more likely to use fraud alerts than older adults, the Baby Boomers and seniors, the study found. Not surprisingly, younger consumers also took to using biometrics to protect their smart phones more than older adults.
Overall, the study found that consumers in all countries are more concerned about payment card fraud than they are about identity fraud, even though ID fraud can have more a more direct impact on a consumer’s financial status and is more difficult to unravel, according to Aite.
On that note, the study was completed before Equifax Inc. in September disclosed its massive data breach that compromised personal data on 145 million consumers. Credit-reporting agencies such as Equifax compile personal and financial data from multiple lenders, making its breach potentially much more damaging than one at a single financial institution or merchant.
“In previous breaches we’ve seen a limited halo effect of concern,” says Conroy. “It’ll be interesting to see what happens when we repeat this [study] next year, a full nine months after the announcement.”