Shoppers in Singapore tend to reuse log-in details, passwords: IBM study

<p>Photo illustration of ATM and credit card scam.</p>
Photo illustration of ATM and credit card scam.PHOTO: ST

SINGAPORE - Cyber hygiene was not top of mind, even as more Singapore consumers went online amid the Covid-19 pandemic, a study has found.

On average, consumers here created 10 new online accounts, for services such as food deliveries, shopping, healthcare and entertainment, during the pandemic.

However, 45 per cent always or mostly reuse the same usernames and passwords for their different online accounts, according to findings released by technology firm IBM on Tuesday (June 15).

It is similar to the findings from 22 markets that were studied, including the United States, Britain, India, Japan and South Korea.

This is of concern, as cyber-security experts have long advised against reusing passwords for different online accounts.

If hackers are able to steal a person's username and password for one account and hack into it, they can easily hack his other accounts that reuse the same log-in details.

IBM's cyber-security arm IBM Security commissioned the study, which polled about 1,000 people here in March. The study also found that even after the pandemic has ended, about half the respondents (47 per cent) said they would not delete or deactivate the new online accounts they had made.

"With the increase in digital accounts and the likelihood of people retaining them past their prime usage, we may see an increase in data breaches," said Mr Matthew Glitzer, vice-president for Asia-Pacific at IBM Security.

On why so many consumers here reuse their log-in details, Mr Glitzer said that as consumers seek out more digital avenues in their daily lives due to Covid-19, "convenience appears to be an even greater priority, unfortunately overshadowing security and privacy concerns".

"Consumers' increased digital dependence appears to be creating fatigue when it comes to users following good password behaviour," he told The Straits Times.

Convenience was also likely why a third of respondents (34 per cent) here said they would rather order online than call or do so physically, even if there are concerns about the safety and privacy of a website or app.

Younger people tend to reuse their online account credentials more as well, according to the study.

Among those from Generation Z (born between 1997 and 2012), 52 per cent always or mostly reuse their log-in details for online accounts.

This proportion falls for older consumers, with the figure for baby boomers (born between 1946 and 1964) at 41 per cent.

"One reason that younger generations may be more lax with their password security is because they have been primed with high expectations for digital convenience and ease of use - with technologies like facial recognition and fingerprint ID making for very fast and seamless log-ins," explained Mr Glitzer.

He said older consumers might not be as accustomed to these newer forms of authentication, and so place more importance and care on passwords.

Some consumers like finance executive D.L. See, 39, use the same passwords for what she considers "less important" online accounts such as for shopping websites.

"For more important online accounts like those related to banking and finance with sensitive information, I have unique passwords for each," said Ms See, adding that she also creates different e-mail addresses to log into different types of accounts.

But with so many different passwords to remember, she admits it is challenging. So she uses mnemonic devices, like a phrase, to help her recall her passwords.

Many Singapore consumers also rely on memory to remember their log-in details - IBM Security's study found that one in two here do so.

About one in five will store the details in a note-taking app on their mobile devices. A same proportion will write them down on paper. But there are limits to how many passwords people can recall.

Mr Glitzer said there are better ways than saving log-in details on paper or committing them to memory. He suggested using password manager apps, which could also help users create stronger passwords, aside from storing them so they are easy to access.

Adding a second layer of authentication, such as SMS verification and fingerprint or face scanning, can go a long way to reduce risks too, said Mr Glitzer.

This is something many Singaporeans are doing. More than three quarters of consumers here said they have used multi-factor authentication to access an online account, which is higher than the two-thirds globally.

Consumers should also take stock of the apps on their phones and deactivate those which they do not use regularly, as well as delete the associated online accounts, Mr Glitzer suggested.

However, with the way consumers keep using the same log-in details across many accounts, he said companies can no longer rely on passwords to secure people's digital accounts to access their services.

Firms must instead work on the basis that customers' accounts are already compromised, and constantly monitor for and use artificial intelligence to spot any suspicious behaviour that could point to cyber criminals using hacked consumers' accounts.

"It's also important to remember that the poor security habits among consumers will also likely transfer to the workplace," warned Mr Glitzer.