Privacy

SPOTLIGHT ON SECURITY

Consumers Fed Up With Data Breaches

Consumers have lost patience with businesses that experience data breaches. A large majority of recent survey participants -- 80.3 percent -- felt the officers of a company should be held accountable for a breach. "Since the Target breach, there's been almost weekly breaches," said HyTrust President Eric Chiu. "Consumers are tired of it. They feel that companies are not really paying attention."

With news of massive data breaches becoming almost a weekly occurrence, consumers are beginning to lose their patience with the custodians of their personal information.

Survey results from 2,000 consumers released last week by HyTrust, suggest that 51 percent of those polled would bolt from any business involved in a data breach that compromised personal information such as address, Social Security number or credit card details.

Suspicions have been growing among consumers that businesses aren’t doing enough to protect the data they eagerly collect from their customers, Eric Chiu, president and founder of HyTrust, told TechNewsWorld.

“We’re seeing repeats of the same sorts of attacks over and over,” he said. “It means that in the retail world, everyone is playing kick the can. They’re not addressing what needs to be addressed now and putting the consumer first.”

Give ’em Jail Time

The survey also revealed some harsh attitudes toward businesses involved in a data breach. Almost half of the respondents (45.6 percent) said companies should be considered “criminally negligent” the moment a breach occurs.

Attitudes on that front appear to be colored by age, though. Only 34 percent of 25-34 year olds were in favor of immediate blame, while 51 percent of respondents 65 and older wouldn’t hesitate to lower the hammer on a company involved in a breach.

The same is true for consumers who vowed to vote with their feet against a company that suffered a breach. Three out of every five respondents (60.2 percent) in the 35-44 age bracket said they’d take their business elsewhere, compared to 51 percent overall.

A large majority of the consumers participating in the survey (80.3 percent) felt the officers of a company should be held accountable for a breach.

“Since the Target breach, there’s been almost weekly breaches,” Chiu said. “Consumers are tired of it. They feel that companies are not really paying attention.”

Holiday Anxiety

With the holiday season approaching, visions of the Target data breach fiasco — not sugar plums — will be dancing in many shoppers’ heads.

What’s a consumer to do? For one thing, consumers can pay closer attention to what’s appearing on their credit card statements. They don’t have to wait for those statements to arrive in the mail, either. They can check transactions online — and many regularly do so.

“They should also consider using credit cards that provide more detailed information about credit card transactions,” Sean Leonard, founder and CEO of Penango, told TechNewsWorld. “That makes it easier for both the credit card company and consumer to detect fraud.”

Using a credit card to make purchases is preferable to using a debit card, according to Leonard.

“Purchasing with a credit card is better than purchasing with a debit card. Getting money lost to debit card fraud back is a lot harder than disputing a charge on credit card statement,” he said.

“If all you have is debit cards,” said Leonard, “you should use the credit card feature of the debit card.”

2FA for Feds

Two-factor authentication is gaining traction among online service providers as a way to prevent their customers’ accounts from being hijacked.

2FA is relatively simple. In addition to a username and password, a single-use code is sent — typically to a user’s cellphone — to verify the customer’s identity.

Some government departments and branches of the military have been using 2FA for years. However, it usually involves a dedicated token — just another gadget that has to be lugged around and can be lost, stolen or forgotten.

The complexity and expense of token-based systems has acted as a brake on the more widespread adoption of 2FA in the federal government.

In an effort to change that, Globalscape last week announced an alliance with SMS Passcode.

With governments at all levels looking for economical and effective security solutions, a 2FA system that uses something employees already have — their mobile phones — could be an attractive proposition.

While agencies still would need to pay licensing fees to Globalscape and SMS Passcode, much of the overhead of token-based systems could be eliminated.

“It dramatically increases security with only those licensing fees,” Greg Hoffer, senior director of engineering for Globalscape, told TechNewsWorld. “That’s a lot cheaper than solutions that are hardware based or Web-application firewall-based.”

Another benefit of the SMS solution is that it’s location aware, he noted.

“If a log-in attempt originates in China and we know your mobile phone is in the U.S. or Canada, the system will block the log-in attempt,” Hoffer explained. “So it increases security through geo-awareness.”

Breach Diary

  • Sept. 22. First NBC Bank of New Orleans files lawsuit seeking US$5 million in damages from Home Depot in case connected to breach in which data on some 56 million payment cards was stolen. So far, about a dozen lawsuits have been filed against the company because of the breach.
  • Sept. 22. BBC reports it has discovered more than 100 ads on eBay that contained links to phishing sites that attempt to get bank account information from members.
  • Sept. 23. Sheplers, a western wear retailer, reports point-of-sale system at its Amarillo, Texas, store breached and credit card information at risk for an undetermined number of customers who shopped there from June 11 to Sept. 4.
  • Sept. 23. RiskIQ reports watering hole attack at jquery.com, a location frequented by system administrators and Web developers. The open source jQuery library is used by an estimated 30 percent of the websites on the Internet. Visitors to the site receive a “drive-by” infection that plants malware on their systems.
  • Sept. 23. U.S. Department of Homeland Security and FBI issue a “public service announcement” warning businesses of an increase in computer network exploitation and disruption by disgruntled employees. Such disruptions can cost businesses losses ranging from $5,000 to $3 million, the agencies said.
  • Sept. 24. National Institute of Standards and Technology posts alert about flaw in GNU BASH dubbed “Shellshock,” which could affect millions of computers running Linux and OS X.
  • Sept. 24. Jimmy John’s, a national chain of sandwich shops, confirms 216 stores were involved in a data breach from June 16-Sept. 5. The breach is still under investigation and the number of affected customers has not been made public.
  • Sept. 24. Ponemon Institute reports 43 percent of companies experienced a data breach in 2014, a 10 percent increase over 2013.

Upcoming Security Events

  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; nonmember, $1,150. After Aug. 29, member and government, $995; nonmember, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, nonmembers $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, nonmember $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Sept. 30. Can Your Website and Network Infrastructure Withstand Multi-vector Attacks? 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Oct. 1. Indianapolis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
  • Oct. 2. How To Avoid Being the Breach Scapegoat. 2 p.m. ET. Webinar. Free with registration.
  • Oct. 3. B-Sides Portland. Refuge PDX, Portland, Oregon. Free.
  • Oct. 9. Cyberspace as Battlespace. 2 p.m. ET. Black Hat webinar. Free with registration.
  • Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
  • Oct. 18. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
  • Oct. 18. B-Sides Houston. HCC Alief campus, 2811 Hayes Rd., Houston, Texas. Free.
  • Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
  • Oct. 19-27. SANS Network Security 2014. Caesar’s Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, $1,095-$1,395; after Oct. 3, $1,495-$1,895.
  • Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
  • Nov. 5. Bay Area Secureworld. Santa Clara Convention Center, Santa Clara, California. Registration: $695, two days; $545, one day.
  • Nov. 12-13. Seattle Secureworld. Meydenbauer Center, Seattle. Registration: $695, two days; $545, one day.
  • Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, $495; Nov. 19, $595.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registation: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Privacy

Technewsworld Channels