Operational Security

12/29/2017
10:15 PM
Simon Marshall

Retail Security Threat Season is in Full Swing

Christmas shopping season is over, but shopping -- and threats to retailers and their customers -- is still going strong.

As the primary buying season closes, and we move into New Year sales and gift refunds, we can 'relax' and see what types of holiday data breaches pop up.

About nine out of ten of us planned to do holiday season shopping -- so, not absolutely everyone was looking to make a purchase. But for us folks who decided to flex our credit cards, about 75% of us are worried about data breaches during this season, according to a Generali Global Assistance survey.

Generali claims those concerns weigh heavy, with nearly 85% of us saying we just won't do business with a retailer who has experienced a data breach in the past. So, we might choose not to snack at SONIC, send a package by UPS, buy a book from Barnes & Noble or save our feet using Uber.

"It's clear that more and more people are disgruntled and uncomfortable with the way businesses look after personal information and that's why the score is so high," Paige Schaffer, president and COO of Generali Global Assistance's Identity and Digital Protection Services Global Unit, told SecurityNow. "And that (sentiment) is not going away."

About 40% of consumers are unconvinced that retailers are doing all they can to solve the problem, and about the same number say they are even doing enough. Given the general confusion at consumer level about what can and can't be done to protect PI, it's surprising the numbers aren't higher, but perhaps it's only a matter of time. Because this is the season where retailers and consumers are, one feels, hunted by hackers like game for the Christmas table.

"There are many reasons why we see increased risk at this time of year. People are spending a ton of money, more than they usually do. And there are more transactions as a result," said Schaffer.

Consumers are generally more hurried and distracted while they make buying decisions. Then, there are people traveling during the holiday season and that increases a physical risk of losing a wallet, purse or mobile device. There are pickpockets, but only 10% of us are worried about them.

Consumers shopping online might be using unsecured public Wi-Fi, and also may be checking their bank accounts at the time. Then, there are bargain hunters who go to online sites that they're not familiar with. People also like to donate, and there are a lot of scammer sites up there with embracing arms.

Multiply all of this against the fact that people tend to spread the load over numerous credit cards, and the archetypal crisp white snow of the holidays melts into dank pools of lukewarm water.

Consumer education

Consumers have in previous years seemingly been less concerned about the data that retailers hold on file, perhaps somewhat unaware of the quantity or quality of the information, or have generally been more comfortable that it was being kept safely. Out of sight, out of mind.

Now, if this year's consumer-facing breaches weren't enough, more education is needed about what is possible and what feasibly could be demanded by consumers to protect themselves.

"The US is ahead of understanding the need for some sort of protection," said Schaffer. "It hasn't seemed as pressing an issue in Europe but now our sister companies are getting requests for it. The reason that Europe might be behind is that it's a different consumer culture.

"The US is a credit-based culture, a large percentage of the population is monitored by one of three credit bureaus - like it or not - whereas Europe is not, and there's not the reliance on credit." According to Schaffer, credit bureaus currently only cover about 10-20% of the population within European countries.

Just before the Equifax breach, Generali went through a fact-finding process, and found that about 60% of consumers recognized they wanted help defending against financial security threats. But only about 35% of them knew where they could find it, or what they needed to do.

"Speculation on my part, but purely because of Equifax, is that folks are less likely to buy (an insurance service directly) from a credit bureau right now," said Schaffer. Generally, the top three outlets for cyber insurance are specific identity insurance agencies, like Generali, or an insurance firm or bank.

The Equifax breach affected both US and European consumers. The US is acting quicker to make amends, but Europe is catching up.

"From a gut standpoint it's clear that after the Equifax breach, we did start to get a number more requests (for coverage) from Europe," said Schaffer. "Typically, it takes Europe a while (to respond) even when they're presented with the information because there's a lot of thinking about it. But, now there's a palpable sense of urgency."

Dark Web coverage

A lot of scams happen in the bright light of the regular WWW. But Generali plans a Dark Web monitoring and alert service shortly, having acknowledged that PI is for sale on underground properties, in order to protect credit card and passport numbers, and medical information.

Participants will -- in a qualified way -- be asked to share their details through a Dark Web monitoring portal, which will hold consumer data and match it by algorithm against stolen data details.

"We know that there needs to be monitoring on the Dark Web as well," said Schaffer. "It varies from those who are willing to share all of their data to those who will share a little bit to those who will share none. But you've got to be in it to reap the benefits of it. (People should) bear in mind that one of our most treasured assets -- the social security number -- is already out there."

— Simon Marshall, Technology Journalist, special to Security Now
