Cyber Monday, Black Friday Raise New Data Security Concerns

On the heels of Black Friday, and with Cyber Monday well underway, the season of shopping and gifting raises new concerns about data security for consumers and corporations alike.

According to the Risk:Value Research Report by NTT Com Security (formerly Integralis), only about one-third (37%) of stored data is completely secure and attempted breaches are becoming more and more commonplace. In the survey of 100 corporate executives, about 30% see data security breaches as a major hindrance to growing and running a successful business. Even as 65% of all respondents see protecting data, especially consumer information, as being vital to their businesses, only 10-12% of their budgets are spent on data security.

Data security breaches have far-reaching consequences for businesses: they come with actual costs, can damage corporate reputations, and can spur a loss of consumer confidence. In an effort to better understand what people can do to protect themselves from data security breaches, Politic365 spoke with Chris Carnejo, Director of Assessment with NTT Com Security.

Q: What are the top three things consumers can do to stay safe this holiday season?

1. Use credit cards everywhere. Consumers are generally not liable for fraud losses so it doesn’t matter if a credit card is stolen. Contrast this with cash and gift cards, which are gone if they are lost, and debit cards where fraud liability increases based on how long it takes to notice a card has been stolen (unless individual banks offer better liability terms). Bank fraud (e.g. based on wire transfers or stolen checks) generally follows the same rules as debit cards: liability increases based on how long it takes to detect the fraud. Credit cards definitely offer consumers the best protection.
2. Check credit card statements each month. Many times banks will be able to detect fraud and alert a consumer but this is not fail-proof. Consumers should be checking their own statements and should report any suspicious transactions to their bank so they can be voided.
3. Carry a spare credit card that is not regularly used as a fallback in case a stolen card gets cancelled at an inopportune time. It’s best if this fallback card is issued by a different bank than the primary card.

Q: In recent months, we’ve seen large-scale data breaches in stores like Target and Staples. What are some effective technologies that can be implemented to better protect consumer experiences? Are pin and chip technologies viable, and should we start making the shift?

Chip and PIN helps prevent stolen cards from being used fraudulently in a retail environment but doesn’t do anything to protect e-commerce transactions. Account information can be stolen from Chip and PIN cards by compromised point-of-sale systems and this information can then be used to make fraudulent e-commerce transactions. Chip and PIN alone is not a panacea (and most banks in the US are going to Chip and Sign rather than Chip and PIN). I’ve written about this in more detail here:

The real solution for the type of retail fraud we’ve been seeing is called P2PE (for Point to Point Encryption). This is a standard for payment card data to be encrypted in the hardware terminal and works with both magnetic stripe cards and chip cards. Under P2PE the data is encrypted before it gets to the (potentially compromised) point-of-sale terminal and the retailer does not have the decryption keys. The encrypted data is passed straight through to the processor, who does have the ability to decrypt it. Even if the data is intercepted it should be useless for fraud purposes.

New solutions like Apple Pay are also promising. Based on the technical information we’ve seen so far on Apple Pay it looks like they’re finally getting away from this idea of a “secret number” (the payment card account number) that has to be shared with everyone you want to make a purchase from. By using tokenized and one-time-use numbers the system should be much more difficult to abuse.

Q: Beyond short-term annoyance and capital loss, what are some of the long-term implications of lack of data security in our increasingly digitally connected society?

One of the problems with digital electronic data is that it is so easy to copy and therefore is difficult to destroy once released. As we’ve seen with the recently leaked celebrity nude photos, it is nearly impossible to prevent the dissemination of information once it is stolen. Governments and targeted advertising firms are busy compiling massive databases that track the behavior of nearly everyone in the connected society. Meanwhile consumers are increasingly putting their private data into social media sites and cloud services where they are skimmed by technology companies and fed into these databases. Access to these databases (the commercial ones at least) is a commodity, bought and sold every day. We are quickly heading towards a world where there are no more individual secrets, where any detail of a person’s life can be available with just a few clicks and a few dollars. Enterprising fraudsters have already figured this out and have been able to buy access to one of the largest credit reporting bureaus’ databases in order to sell social security numbers for identity theft purposes.

As we become an increasingly connected society, we have to be more vigilant when it comes to protecting our information. There is much to be done on both the corporate and consumer side to ensure our data is protected, but education about what’s happening in this new landscape is the prime place to start, so that you know what to do in the face of a security breach.