Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Breach Fatigue Sets In With Consumers
Newest First  |  Oldest First  |  Threaded View
RichardB055
50%
50%
RichardB055,
User Rank: Apprentice
11/5/2014 | 1:37:56 PM
It's Really Breach Resignation
I believe that Ponemon and RSA have ignored their own observations and mischaracterized the attitude of consumers. The article states that "consumers really do little to alter their shopping behavior following breaches at their favorite stores" but also that "consumers still have strong opinions about how companies should protect their information and how they should respond to breaches."

This is not "breach fatigue" but rather "breach resignation." What can a consumer do realistically in order to counter the risk of a breach? They could no longer shop at a store that has suffered a breach, which many consumers including myself have done. Of course, this assumes that the stores publicly admit to having been breached and also assumes that consumers have an alternative place to shop. Consumers can also stop using credit cards and carry around large wads of cash with which to make their purchases. I've done that, too; but that poses a different type of security risk. Or, I suppose, consumers can bring a security team with them to conduct a security audit of the store and all of its suppliers whenever they want to buy a roll of toilet paper.

In fact, if a consumer really needs something and needs to use a credit card, they are at the mercy of the store with regard to protection from a breach. With an ever increasing number of stores suffering breaches, consumers have no practical alternative but to resign themselves that they are taking a risk by shopping there.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
11/5/2014 | 11:34:57 AM
Difficult to visualise
I think a lot of the problems with this stem from the fact that the consumers can't see the problem and can't see the reaction from the company. Because it's all digital, it's hard to imagine it being real. 

If a store gets robbed at gunpoint, you might see an armed guard show up, or a better alarm system and security doors in place, but with a hack or data breach, it seems like business as usual for the consumers. So everything must be ok, right?
aws0513
100%
0%
aws0513,
User Rank: Ninja
11/4/2014 | 2:52:32 PM
Decisions are often local
The hard fact about the survey is that it cannot eliminate the human need for services or products when taking distance into consideration.

Example: If a person has reasonable access to only one hardware store, that person is going to use that hardware store.  The person may decide to stop using their payment card if a bank or ATM is conveniently located where they can get cash before going to the hardward store.  But if that is not the case, or they are in a pinch to get a certain product, they may conduct their own on-th-spot "risk assessment" and accept the risks involved with conducting an electronic purchase with the store.
I know some people would claim that there are always other stores or means to purchase services or products.  But that is not a realistic claim. 
Many parts of the world have a limited number of vendors that are nearby where they live and/or work.  If one needs to buy lumber, you could try to buy it online, but delivery options may be limited if there are no distribution points nearby.  BTW...  if you buy lumber, would you really trust the delivery guys to bring the quality lumber you expect?

I guess what I am trying to say is that reliance on customer actions to change commercial security practices is very likely a false expectation.

 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.