11/25/2019
11:35 AM
Dark Reading
Products and Releases

Financial Institutions on the Hook for Data Breaches this Holiday Shopping Season

American consumers will hold financial institutions accountable for compromised data regardless of who's at fault; banks stand to lose nearly half of their customer base, according to a new study from Terbium Labs

Fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they're prepared to hold their financial institution responsible for the damages. This is according to "How Fraud Stole Christmas", a new study released today by leading digital risk protection company Terbium Labs, which found that a strong majority of shoppers (68 percent) would hold their bank at least partly responsible for fraudulent activity, regardless of how the compromise occurred.

The Blame Game
Americans are on high alert heading into the busy holiday season, as 66 percent believe they could easily become a victim of fraud, while another 65 percent believe they are at a higher risk of having their financial information exposed as a result of their holiday shopping.

If and when these fears turn into a reality, consumers have made it clear they expect their financial institution to be accountable, even if it wasn't the original source of the data breach. Just over half of holiday shoppers (51 percent) say they'd blame both the original source of the data compromise, such as a retailer, and the financial institution that issued the payment card, while another 17 percent say they'd only hold their financial institution responsible regardless of how the compromise occurred.

According to the data, this will have a direct impact on the bottom line, as financial institutions stand to lose almost half (45 percent) of their customer base if data is compromised over the holidays. This includes nearly two out of 10 consumers (19 percent) who say they'd leave the bank and close their account following a data breach, and another 26 percent who would only keep their accounts if their financial institution took specific actions to improve security.

Consumers fail to minimize the risk
Putting even more pressure on the banks this holiday season, shoppers will be increasing their potential for exposure, while disregarding best practices that could keep their data safe in the first place. For example, consumers aren't limiting themselves to one payment option. More than a third (35 percent) plan on using a mix of both debit and credit cards, while nearly half (49 percent) say that they'll use between two and three cards in total. This common tendency to spread holiday spending across multiple cards creates a much greater volume of cards in circulation – and far more opportunity for cyber criminals to capture payment data from multiple accounts. 

Unfortunately, only seven percent of respondents plan on using two-factor authentication when shopping online. Instead, more than a third (38 percent) say they'll prioritize monitoring their transaction history, even though 14 percent say they get frustrated when purchases that aren't suspicious get flagged too often. This indicates that, despite expressing clear concern over fraud, few consumers are willing to take a proactive approach to combatting the threat.

"Financial institutions are under heavy scrutiny by consumers during the holiday season, and should be taking customer trust and loyalty very seriously," said Emily Wilson, VP of Research at Terbium Labs. "Cyber criminals thrive during peak holiday shopping – the hustle and bustle of transactions and unusual shopping patterns create countless opportunities to capture payment data and attempt fraudulent transactions. Consumers are distracted, and prefer reactive measures to account for fraud, all while holding financial institutions to a high standard in keeping their data safe and their accounts secure. If financial institutions don't take proactive measures to monitor customer data and detect the first sign of exposure, they could face significant consequences in the new year."

Anxiety over identity theft
Despite the potential for payment card compromise during the holiday shopping blitz, American consumers are most concerned over identity theft. In fact, respondents ranked Social Security numbers (23 percent) as the type of data they are most worried will be compromised this holiday season. This was just ahead of two types of financial information – debit card numbers (22 percent) and credit card numbers (21 percent). This fear is certainly warranted, as cybercriminals can easily steal an identity with just a stolen Social Security number, name and address. 

"Consumers recognize the potential for payment fraud," Wilson said, "but the threat of identity theft is still firmly front of mind. The wave of massive breaches exposing personal data in recent years has left consumers more worried than ever about protecting their identity information – making the stakes even higher for financial institutions who need to secure that data."

For full analysis into these findings, along with additional survey data, the "How Fraud Stole Christmas" research study can be downloaded here.

Survey Methodology
Terbium Labs surveyed over 1,000 consumers in the United States to better understand their shopping behaviors and preferred payment strategies during the 2019 holiday shopping season. The survey was fielded in October 2019 and includes responses from consumers aged 18 years and older.

About Terbium Labs
Terbium Labs empowers organizations to reduce the risk of inevitable data exposure. Matchlight, the company's comprehensive digital risk protection (DRP) platform, features continuous digital asset monitoring, robust analytics, and actionable intelligence to quickly identify and minimize the impact of exposed data across the Internet – whether it's the open, deep, or dark web. Featuring its patented data-fingerprinting technology that ensures private data stays private, a unique fusion of data science and machine learning, and dedicated analysts, Terbium Labs provides pinpoint accuracy for early detection and remediation of data exposure, theft, or misuse across the digital landscape. Learn more about Terbium Labs' unique approach to DRP by visiting www.terbiumlabs.com or on Twitter @TerbiumLabs.

 
