Cases of online fraud have increased threefold compared to 2010, partly due to consumers having a large number of web accounts, according to new research.
Credit-checking firm Experian found that for an average of 26 different online accounts, users had only five different passwords. 25-34-year-olds are the most prolific, with no fewer than 40 online accounts per person on average.
Online criminals have illegally traded 12 million pieces of personal information between January and April this year.
Of this, 90 per cent consisted of password and login details, which comes as little surprise after 400,000 Yahoo! Voice passwords were stolen and Nvidia and Android forum users' passwords were illegally accessed last week.
Another statistic says two thirds of people have inactive accounts which they have not closed down, leaving them vulnerable.
Graham Cluley, security expert and senior technology consultant at Sophos, blames the online firms themselves for compromising the security of their customers and users.
"I think [password hacks] send a clear message to consumers that even if they take great care over their choice of passwords, all that good work can be undone if online companies are sloppy with their security," he told TechRadar.
Users' data is sensitive information that needs to be stored securely to prevent break-ins, according to Cluley.
"It's clear that some online firms are being extremely careless with customer information, and are failing to even follow security best practices which were established 30 years ago."
It happened to them
Geologist Alexander Lerche was working in Liberia in 2010 when he realised his card had been blocked. On calling his UK bank, he learnt someone in Bulgaria was using his Amazon account to buy high definition TVs.
"It got caught because it tried to take out over £3000 in one transaction and then repeated it twice. The second one actually blocked the card but the first time it raised a flag," he says.
"Amazon said that my password must have been easy to crack or that I had written it down somewhere public which I told them was completely impossible since I had more than 10 different passwords and they had never been written down anywhere."
Lerche believes it could have been a leak in Amazon's system that caused his account details to fall into a third party's hands, although it may have been through a well-disguised phishing email or some other method. He was eventually credited back with the £6000 that his bank had been holding after the illegal transactions had taken place.
Sophos' technology consultant Cluley believes that users must not only make their passwords "hard to crack and not easily guessable", but also lie on their password reminder forms.
"Usually, the security question involves your mother's maiden name. You should lie about that and say it's Mother Theresa or Xena Warrior Princess."
"It's a matter of public record, so it can be found out online," Cluley says, adding that it is a method hackers often use to gain access to accounts.
Freelance journalist Will Coldwell received an email from PayPal in February last year about account activity and a transaction he did not remember performing.
"I'm not sure how it happened, but I only realised when I received an email saying 'Your Payment Has Been Sent', and I hadn't used PayPal for months," Coldwell says.
An amount of £350 had been taken out of his bank account via PayPal. But a quick email to PayPal's fraud team resolved the conflict straight away, freezing the transfer and returning the amount within three days.
Coldwell doesn't know how his account details were found out. "I think I am pretty good when it comes to avoiding dodgy links… I hadn't changed my password on it [PayPal] for years, and didn't use it that much so perhaps that made it more of a target."
One solution suggested by Cluley is using a password management system such as KeePass, Lastpass.com or 1Password, so that each account can have its own unique password. He adds that the manager itself should be protected with a single strong master password.
"It's only a problem if there are too many passwords. I don't even know my eBay password because I use a management system."