Dark Reading is part of the Informa Tech Division of Informa PLC

Operational Security

12/29/2017 10:15 PM
Simon Marshall

Retail Security Threat Season is in Full Swing

Christmas shopping season is over, but shopping -- and threats to retailers and their customers -- is still going strong.

As the primary buying season closes and we move into New Year sales and gift refunds, we can 'relax' and see what types of holiday data breaches pop up.

About nine out of ten of us planned to do holiday season shopping -- so, not absolutely everyone was looking to make a purchase. But for us folks who decided to flex our credit cards, about 75% of us are worried about data breaches during this season, according to a Generali Global Assistance survey.

Generali claims those concerns weigh heavily, with nearly 85% of us saying we just won't do business with a retailer who has experienced a data breach in the past. So, we might choose not to snack at SONIC, send a package by UPS, buy a book from Barnes & Noble or save our feet using Uber.

"It's clear that more and more people are disgruntled and uncomfortable with the way businesses look after personal information and that's why the score is so high," Paige Schaffer, president and COO of Generali Global Assistance's Identity and Digital Protection Services Global Unit, told SecurityNow. "And that (sentiment) is not going away."

About 40% of consumers are unconvinced that retailers are doing all they can to solve the problem, and about the same number say they are even doing enough. Given the general confusion at the consumer level about what can and can't be done to protect PI, it's surprising the numbers aren't higher, but perhaps it's only a matter of time. Because this is the season where retailers and consumers are, one feels, hunted by hackers like game for the Christmas table.

"There are many reasons why we see increased risk at this time of year. People are spending a ton of money, more than they usually do. And there are more transactions as a result," said Schaffer.

Consumers are generally more hurried and distracted while they make buying decisions. Then, there are people traveling during the holiday season, which increases the physical risk of losing a wallet, purse or mobile device. There are pickpockets, but only 10% of us are worried about them.

Consumers shopping online might be using unsecured public Wi-Fi, and may also be checking their bank accounts at the time. Then, there are bargain hunters who go to online sites they're not familiar with. People also like to donate, and there are a lot of scam sites out there waiting with open arms.

Multiply all of this against the fact that people tend to spread the load over numerous credit cards, and the archetypal crisp white snow of the holidays melts into dank pools of lukewarm water.

Consumer education

Consumers have in previous years seemingly been less concerned about the data that retailers hold on file, perhaps somewhat unaware of the quantity or quality of the information, or have generally been more comfortable that it was being kept safely. Out of sight, out of mind.

Now, if this year's consumer-facing breaches weren't enough, more education is needed about what is possible and what feasibly could be demanded by consumers to protect themselves.

"The US is ahead of understanding the need for some sort of protection," said Schaffer. "It hasn't seemed as pressing an issue in Europe but now our sister companies are getting requests for it. The reason that Europe might be behind is that it's a different consumer culture.

"The US is a credit-based culture, a large percentage of the population is monitored by one of three credit bureaus - like it or not - whereas Europe is not, and there's not the reliance on credit." According to Schaffer, credit bureaus currently only cover about 10-20% of the population within European countries.

Just before the Equifax breach, Generali went through a fact-finding process and found that about 60% of consumers recognized they wanted help defending against financial security threats. But only about 35% of them knew where they could find it, or what they needed to do.

"Speculation on my part, but purely because of Equifax, is that folks are less likely to buy (an insurance service directly) from a credit bureau right now," said Schaffer. Generally, the top three outlets for cyber insurance are specific identity insurance agencies, like Generali, or an insurance firm or bank.

The Equifax breach affected both US and European consumers; the US is acting more quickly to make amends, but Europe is catching up.

"From a gut standpoint it's clear that after the Equifax breach, we did start to get a number more requests (for coverage) from Europe," said Schaffer. "Typically, it takes Europe a while (to respond) even when they're presented with the information because there's a lot of thinking about it. But, now there's a palpable sense of urgency."

Dark Web coverage

A lot of scams happen in the bright light of the regular WWW. But Generali plans to launch a Dark Web monitoring and alert service shortly, having acknowledged that PI is for sale on underground sites; the service is intended to protect credit card and passport numbers, and medical information.

Participants will be asked, in a qualified way, to share their details through a Dark Web monitoring portal, which will hold the consumer's data and match it algorithmically against details found in stolen data sets.

"We know that there needs to be monitoring on the Dark Web as well," said Schaffer. "It varies from those who are willing to share all of their data to those who will share a little bit to those who will share none. But you've got to be in it to reap the benefits of it. (People should) bear in mind that one of our most treasured assets - the social security number -- is already out there."

— Simon Marshall, Technology Journalist, special to Security Now
