
Banks, Retailers Seek to Regain User Trust

But new research suggests the trust battle is mostly uphill

WASHINGTON -- Leaders of major banks, retailers, and financial institutions met here today to discuss the growing loss of trust among credit card customers -- and how to get it back.

In a summit hosted by Visa, key members of the retail credit supply chain discussed their efforts to combat online phishing and fraud as well as data breaches that lead to the loss of customers' personal information. "We have to recognize that when a theft or breach occurs, the most valuable thing that is lost is not the money, but the trust of the consumer," said John Philip Coghlan, president and CEO of Visa USA.

And while Coghlan called the industry to action, two market researchers unveiled new data to suggest that consumer attitudes are becoming more sensitive to security issues than ever. In a report released today, Javelin Strategy & Research found that 75 percent of consumers believe identity fraud is increasing.

While 85 percent of the respondents said they would shop more at a merchant that distinguished itself as a security leader, 78 percent said they would not continue shopping at a retailer if they learned that it had compromised their data through a security breach. "The interesting thing is that there is a wide perception that fraud is on the increase, even though statistics indicate that the actual incidence of fraud has leveled off," said James Van Dyke, founder and president of Javelin.

And while large banks and retailers are pushing new security initiatives, a separate study suggests that small retailers are still at risk. In research released here today, the National Federation of Independent Business and Visa USA reported that small businesses are generally confident about their ability to protect their customer data -- more than half (52 percent) are currently storing credit card numbers, bank account information, and/or Social Security numbers onsite.

Retailers, in general, are the weakest link in the consumer trust chain, according to the Javelin study. Sixty-three percent of the respondents in the study cited merchants as less secure than banks or payment processors, and most consumers said they are most likely to identify their retailer -- not the bank or credit card company -- as the one at fault when fraud occurs.

But no matter who gets the blame, the entire transaction chain is being hurt by negative perceptions caused by online fraud, said Meg Whitman, president and CEO of eBay Inc., in a keynote address.

"There are bad guys targeting our systems every day -- it's an arms race in its most classic form," she said. "People see phishing attacks in their email on a regular basis. Some people are fooled by them. Some people learn to ignore them. Some people just get tired of seeing them and decide not to buy online anymore. Companies like eBay are targets. It's not our fault, but it's definitely our problem."

Companies such as eBay and Visa are taking steps to reduce online consumers' risk, according to top executives. EBay worked with Microsoft to implement Extended Validation SSL features in Internet Explorer 7 to help users identify phishing sites, Whitman observed. The online auction company is also implementing a technology called domain key signing, which helps ISPs separate legitimate eBay and PayPal email from phishing attacks and spam, she said.

Visa, for its part, is testing new technology that would attach a dynamic, unique identifier to each transaction, making it difficult for an attacker to duplicate. Visa will be working with credit card issuers and merchants to pilot this dynamic form of authentication "in the coming months," but any solution will have to have industry-wide participation to be successful, Coghlan observed.

While large companies are experimenting with these new technologies, however, customer confidence continues to erode. In a study conducted last year, the CMO (chief marketing officer) Council found that about 40 percent of customers already have disconnected from online transactions because of concerns about security, said Donovan Neale-May, executive director of the council.

"In the United States -- and this is different from Europe -- people are actually more concerned about their digital security than about the physical security of their homes and themselves," Neale-May said.

Some panelists at the event said that such a high level of consumer fear may be unwarranted. Javelin's Van Dyke noted that Internet-caused crimes and corporate data breaches collectively accounted for only about 19 percent of fraud last year, while the majority of consumer identity fraud occurred through traditional physical channels, such as lost checkbooks and stolen wallets.

There are similar misperceptions in the world of data breaches, according to Bruce Hansen, chairman and CEO of ID Analytics, which studies breaches and risk. "On average, we've found that the rate of actual fraud occurring from data breaches is less than one tenth of 1 percent," Hansen said. "A breach is much more about loss of trust than actual financial loss."

But in the world of banking and credit, perception is reality, experts said. "Our studies show that the number one factor in choosing a financial institution is trust," said Van Dyke. "If you can't maintain that trust, you're going to lose customers."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...