Operational Security

Simon Marshall

Retail Security Threat Season is in Full Swing

Christmas shopping season is over, but shopping -- and threats to retailers and their customers -- is still going strong.

As the primary buying season closes and we move into New Year sales and gift refunds, we can 'relax' and see what kinds of holiday data breaches pop up.

About nine out of ten of us planned to do holiday season shopping -- so not absolutely everyone was looking to make a purchase. But of those of us who decided to flex our credit cards, about 75% are worried about data breaches during this season, according to a Generali Global Assistance survey.

Generali says those concerns weigh heavily, with nearly 85% of us saying we just won't do business with a retailer that has experienced a data breach in the past. So we might choose not to snack at SONIC, send a package by UPS, buy a book from Barnes & Noble or save our feet by using Uber.

"It's clear that more and more people are disgruntled and uncomfortable with the way businesses look after personal information and that's why the score is so high," Paige Schaffer, president and COO of Generali Global Assistance's Identity and Digital Protection Services Global Unit, told SecurityNow. "And that (sentiment) is not going away."

About 40% of consumers are unconvinced that retailers are doing all they can to solve the problem, and about the same share doubt retailers are even doing enough. Given the general confusion among consumers about what can and can't be done to protect personal information, it's surprising the numbers aren't higher, but perhaps it's only a matter of time, because this is the season when retailers and consumers alike are hunted by hackers like game for the Christmas table.

"There are many reasons why we see increased risk at this time of year. People are spending a ton of money, more than they usually do. And there are more transactions as a result," said Schaffer.

Consumers are generally more hurried and distracted when making buying decisions. Then there are people traveling during the holiday season, which increases the physical risk of losing a wallet, purse or mobile device. There are pickpockets too, but only 10% of us are worried about them.

Consumers shopping online might be using unsecured public Wi-Fi, and may be checking their bank accounts at the same time. Then there are bargain hunters who go to online sites they're not familiar with. People also like to donate, and there are plenty of scam sites out there waiting with open arms.

Multiply all of this by the fact that people tend to spread the load over numerous credit cards, and the archetypal crisp white snow of the holidays melts into dank pools of lukewarm water.

Consumer education

In previous years consumers have seemingly been less concerned about the data that retailers hold on file, perhaps somewhat unaware of the quantity or sensitivity of the information, or generally comfortable that it was being kept safely. Out of sight, out of mind.

Now, as if this year's consumer-facing breaches weren't reminder enough, more education is needed about what is possible, and what consumers could feasibly demand, to protect themselves.

"The US is ahead in understanding the need for some sort of protection," said Schaffer. "It hasn't seemed as pressing an issue in Europe but now our sister companies are getting requests for it. The reason that Europe might be behind is that it's a different consumer culture.

"The US is a credit-based culture, a large percentage of the population is monitored by one of three credit bureaus - like it or not - whereas Europe is not, and there's not the reliance on credit." According to Schaffer, credit bureaus currently cover only about 10-20% of the population in European countries.

Just before the Equifax breach, Generali went through a fact-finding process and found that about 60% of consumers recognized they wanted help defending against financial security threats. But only about 35% of them knew where they could find it, or what they needed to do.

"Speculation on my part, but purely because of Equifax, is that folks are less likely to buy (an insurance service directly) from a credit bureau right now," said Schaffer. Generally, the top three outlets for cyber insurance are specific identity insurance agencies, like Generali, or an insurance firm or bank.

The Equifax breach affected both US and European consumers; the US is acting more quickly to make amends, but Europe is catching up.

"From a gut standpoint it's clear that after the Equifax breach, we did start to get a number more requests (for coverage) from Europe," said Schaffer. "Typically, it takes Europe a while (to respond) even when they're presented with the information because there's a lot of thinking about it. But, now there's a palpable sense of urgency."

Dark Web coverage

Plenty of scams happen in the bright light of the regular web. But Generali, acknowledging that personal information is for sale on underground sites, plans to launch a Dark Web monitoring and alert service shortly to watch for credit card and passport numbers and medical information.

Participants will be asked to share as much or as little of their details as they choose through a Dark Web monitoring portal, which will hold that consumer data and match it algorithmically against stolen data as it surfaces.

"We know that there needs to be monitoring on the Dark Web as well," said Schaffer. "It varies from those who are willing to share all of their data to those who will share a little bit to those who will share none. But you've got to be in it to reap the benefits of it. (People should) bear in mind that one of our most treasured assets - the social security number -- is already out there."
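One way a monitoring portal of the kind described above can match enrolled identifiers against stolen data without holding those identifiers in the clear, as an added example that is not Generali's code or anything the article describes in detail: each identifier is canonicalized, then keyed-hashed, and the same tokenization is applied to the stolen-data feed so that only tokens are ever compared. The pepper, the identifier kinds, the sample consumer and the three "stolen" records below are all constructed for the example.

```python
"""
Added example (not from the article or from Generali): a sketch of how a
breach-monitoring portal can match a consumer's enrolled identifiers
against stolen-data records while storing only keyed hashes of them.
Every name, key and sample record here is constructed for the example.
"""
import hashlib
import hmac
import re

# Hypothetical server-side pepper. In production this lives in a KMS/HSM,
# never in source; it is inline here only so the example runs stand-alone.
PEPPER = b"example-pepper-do-not-use"


def normalize(kind: str, value: str) -> str:
    """Canonicalize an identifier so that formatting differences between
    what a consumer enrolls and what appears in a dump still match."""
    v = value.strip()
    if kind == "email":
        if "@" not in v:
            raise ValueError("not an email address")
        local, _, domain = v.lower().rpartition("@")
        return f"{local}@{domain}"
    if kind in ("card", "ssn", "phone"):
        return re.sub(r"\D", "", v)            # digits only
    if kind == "passport":
        return re.sub(r"[\s-]", "", v).upper()
    raise ValueError(f"unknown identifier kind: {kind}")


def token(kind: str, value: str) -> str:
    """Keyed hash over (kind, normalized value). The portal stores only
    these tokens for enrolled consumers; the stolen-data feed is tokenized
    the same way, so the raw value is not kept on either side."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def enroll(consumer_id: str, identifiers: dict) -> dict:
    """Portal-side record for one consumer: tokens mapped to their kind."""
    return {"id": consumer_id,
            "tokens": {token(k, v): k for k, v in identifiers.items()}}


def build_index(stolen_records) -> dict:
    """Tokenize a stolen-data feed of (kind, value, source) triples into a
    lookup table; the plaintext values are dropped once hashed."""
    index: dict = {}
    for kind, value, source in stolen_records:
        index.setdefault(token(kind, value), []).append(source)
    return index


def check(enrolled: dict, index: dict) -> list:
    """One alert per enrolled identifier seen in the stolen-data index.
    Alerts carry the identifier kind and the source, never the value."""
    hits = []
    for tok, kind in enrolled["tokens"].items():
        for source in index.get(tok, []):
            hits.append({"consumer": enrolled["id"],
                         "kind": kind, "source": source})
    return hits


# Constructed sample data: one enrolled consumer and a tiny "dump".
# The card and SSN are the standard test values, not real identifiers.
CONSUMER = enroll("c-1001", {
    "email": "Jane.Doe@Example.com",
    "card": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
})
STOLEN = [
    ("email", "jane.doe@example.com", "forum-dump-A"),   # formatting differs
    ("card", "4111-1111-1111-1111", "carding-shop-B"),   # formatting differs
    ("ssn", "987654321", "forum-dump-A"),                # someone else's
]

if __name__ == "__main__":
    for hit in check(CONSUMER, build_index(STOLEN)):
        print(hit)
```

Two caveats a practitioner would want stated. A keyed hash over a low-entropy identifier (a nine-digit SSN, or a card number whose first six digits identify the issuer) protects nothing if the pepper leaks, so the key must be held in a key-management service rather than in code as here. And matching is exact after normalization: a dump that lists only the last four digits of a card will not hit, so a real service needs per-kind partial-match rules that this sketch deliberately omits.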

— Simon Marshall, Technology Journalist, special to Security Now
