The password practices that have become common for e-commerce transactions and financial accounts translate poorly to mobile devices, fueling consumers' bad habits of choosing weak passwords or reusing them across accounts.
Mobile represents "another door" for criminals to attack card data and other personal information, yet consumers "don't keep this door locked, making it less secure than our desktops or laptops," said Al Pascual, senior analyst for Javelin Strategy & Research, which teamed with Nok Nok Labs to survey 5,600 adults to reveal new findings on mobile fraud.
Android, Apple and Windows mobile users undermine the security of their devices by reusing passwords more often than the average consumer, Pascual said.
Consumers said they use the same password on nearly 40% of their online accounts through a mobile device, a trend that motivates criminals to target those devices to secure credentials they believe will access other valuable accounts and services, the report said.
The mobile world, especially for Android users, includes heavy use of one-time passwords sent to users logging on with unfamiliar devices who may have forgotten their passwords, the research revealed.
"The one-time password or code sent as a text message is like the second factor in authentication, but the problem is there is malware now that can intercept that code on your phone and redirect it," Pascual said. The malware releases a Trojan to capture information as the user inputs it into a browser.
More than four in 10 Android users face this threat, because they reported using two-factor authentication based on one-time passwords for online financial accounts.
Consumers working on small screens, whether it is a smartphone or a tablet, generally don't like to go through the trouble of typing in longer passwords, or creating new passwords for each new environment, Pascual said. "Mobile devices are not conducive to that and, as a result, any bad habits we had with using the same passwords in the past are just getting worse."
The Fast Identity Online (FIDO) Alliance has been working to develop new authentication practices that would eliminate the use of simple passwords, said Jamie Cowper, senior director of business development and marketing at Nok Nok Labs, which was one of the creators of FIDO.
Apple and Samsung have provided good examples of using fingerprint scanning to unlock a local device to access online services, Cowper said.
Such developments, along with other FIDO authentication tools, zero in on the goal of avoiding consumer use of weak passwords or the same password for all accounts, Cowper added.
"We are seeing a lot of manufacturers moving to fingerprint biometrics because it is usable and affordable," Cowper said. "It will be tough to make a $100-plus purchase without fingerprint authentication in another year."
A key reason Javelin and Nok Nok pursued this latest research was noticing a trend in mobile fraud at the same time new security solutions are being developed to thwart that fraud, Pascual said.
"There are specific behaviors and trends that are increasing, such as certain age groups always using the same passwords, and malware advancing to steal passwords," Pascual said. "But there is an opportunity to stop this."
Mobile operators and financial institutions should encourage use of the biometric authentication capabilities built into a device and educate users about their benefits, the report said. In addition, they should promote the use of comprehensive security software. Consumers should be cautious in accepting one-time passwords and should avoid receiving them as a text message when they protect valuable accounts or online banking.
It's not all bad news, however.
The research doesn't indicate that mobile devices are less secure by nature; rather, it signals that bad consumer habits are more pronounced in a mobile environment, Pascual said.
And things are changing, Cowper said.
"There is momentum and a general willingness for people to push in the same way for better security," Cowper said. "Developers want to get out of the password business and they are frustrated with what we now have."
As such, FIDO continues to move forward, but "won't fix things overnight" without everyone continuing to push in the same direction for better security, Cowper added.
"People are putting their toes in the water and rolling out new methods to get into the customers' hands in the next three to six months," Cowper said. "We will see a lot more activity in the next year as these capabilities come to market."