Holiday shoppers aren’t necessarily more vulnerable than consumers during the rest of the year to having their personal information breached, but during the flurry of end-of-year gift buying, shoppers are reminded to stay alert to fraud, said the chief executive officer of the nonprofit Identity Theft Resource Center.
Identity theft and breaches exposing personal and financial information remain at high levels, said Eva Velasquez, CEO of California-based Identity Theft Resource Center, which tracks reported data breaches and offers free assistance to identity theft victims.
And each new data point collected about you — such as downloading a mobile retail application on a cell phone or signing up for text and email loyalty discount programs — creates a new risk of it ending up in the wrong hands, Velasquez said.
“Is it worth it to you to have all that data collected about you… to get those discounts?” she said.
Key trends in data security this year include changing motivations behind cyber attacks and what defines one’s identity profile, she said. Hackers and other groups might try to obtain personal records to change behavior they don’t like, as in the targeting of the affairs website Ashley Madison, which revealed users’ online profiles. Additionally, information collected about purchases, how often you shop and where you travel can give fraudsters clues about your identity, Velasquez said.
Sharing email and other information might be worth the savings promised from retailers, she said. Her advice this season is this: be aware and be prepared with a plan for how to respond in case your information is used to make a fraudulent charge or loan application.
“The potential risk of exposure for your information remains high,” Velasquez said. “All of the data we’re creating about ourselves creates extra vulnerabilities.”
Thursday kicks off one of the biggest shopping weekends of the year. Here are five facts about the state of cyber security to keep in mind:
1. Number of breaches could plateau. According to the latest figures from Identity Theft Resource Center, 669 data breaches have occurred as of Nov. 18 this year in the United States, exposing nearly 182 million records.
The counseling center compiles media reports and records obtained from federal sources and state attorneys general to come up with the count. Many incidents affect an unknown number of records. It’s likely the actual number of breaches is greater due to delayed reporting or businesses unaware their systems are compromised, said Velasquez.
But the number of known breaches is tracking about 4 percent lower than last year’s record pace, according to the nonprofit.
The surge in data security failures leading to the record level of breaches wasn’t sustainable, likely leading to a slowdown in the rate of reported new breaches, said Daimon Geopfert, the national leader of security and privacy consulting for accounting firm RSM.
“The sheer number of breaches isn’t going down. Because of the market saturation, it can’t increase any faster,” Geopfert said.
Mega breaches found at Target Corp., T-Mobile and Anthem Inc. are the outliers, he said.
“Small and medium size businesses have been the primary target and will continue to be so,” he said. “The main issue for a lot of the smaller organizations is they’re less capable of knowing when they’ve been breached.”
2. Threats are going mobile too. Cyber threats are following higher web traffic on cell phones to mobile platforms, said Chris Hart, operational risk director for Cincinnati-based First Financial Bancorp.
Online banking is still the most preferred banking method for U.S. adults (32 percent), but mobile banking is now preferred by 12 percent of consumers, according to a recent American Bankers Association survey cited by Hart. Mobile banking preferences have grown 3 percent over the last five years, according to Hart’s information.
Malware hasn’t become very common yet for the average mobile user, but mobile is becoming a more active space for junk applications and unwanted software programs that can infect devices, according to information provided by Hart.
“It used to be the bad guys would just focus on the laptop computers because that’s where most of the population did their online banking, for example,” Hart said. “You’re seeing a lot more of what you call the mega breaches… but I think the targets of where those exploits are occurring… are moving more and more towards the mobile devices.”
Apple Pay allows transactions to be verified using the phone’s fingerprint scanner, adding an authentication factor to the payment process, Hart added. Moreover, Apple Pay and Android Pay secure payment card credentials in cloud storage or on the device, which makes it difficult for the physical cards to be compromised and counterfeited, he said.
However, not all merchants are able to accept these payment methods due to the equipment required to support their use, he said.
Whether using plastic cards or virtual ones, consumers are protected from all unauthorized activity charged to their accounts as long as notice is provided to their financial institution, in writing, within 60 days after the bill with the disputed charge was sent, Hart said.
3. Liability has changed. New rules went into effect Oct. 1 for when banks or merchants are held liable for fraudulent charges, said Al Druso, ATM and cards director for First Financial.
Previously, if a card was counterfeit, the retailer where the fake card was used had no liability. Now, if the counterfeit debit or credit card contains a new electronic chip and the fake card is used at a merchant that doesn’t have the equipment to process the chip, the merchant takes the loss, Druso said.
But if a fake chip card is presented at a merchant that has a chip reader, the bank still takes the loss, he said.
A magnetic stripe swiped by users of traditional cards contains the card number, name, expiration date, service code and security value. Data thieves can use fake card readers and skimmers to steal that information. While not foolproof, a chip card is believed to be safer because the chip’s security value changes with each transaction, so even if it’s stolen, the value will be a different number next time, he said.
“We’re seeing out of all of our fraud at least 50 percent or more is magnetic stripe, counterfeit fraud, not lost or stolen,” Druso said. “I think by the end of next year, if not earlier, all debit cards and credit cards will be chip cards.”
4. Not all breaches are equal. Fraudulent charges can cause financial harm. But a stolen identity can hurt you for life, Geopfert of RSM said. Personally identifying information such as Social Security numbers, driver’s license numbers and medical records is more valuable to thieves who can sell the information for a higher price. It can be used to apply for credit and loans in your name, Geopfert said.
Automatic fraud detection systems might catch a bad attempt to charge an account or customers will notice transactions they didn’t make. One of the first signs of identity theft is finding credit applications or checks on a credit report, he said.
“Be very, very careful about what entities you give your information to,” he said.
Various types of data breaches include breaking into computer systems to steal consumer names, payment card numbers, medical records and other information, as well as devices infected by malware due to phishing emails and other scams, Hart, of First Financial, has previously said.
5. Small businesses are “low-hanging fruit.” Businesses without a plan to respond to a data breach are like drivers without car insurance, said attorney Jamie Ramsey, chair of the law firm Calfee, Halter & Griswold LLP’s privacy and data security practice group.
“It’s just a cost of doing business now,” Ramsey said.
Basic things companies can do to help keep their own and their customers’ information safe include employee training, encouraging a privacy culture, reviewing vendor agreements and developing a plan for how to respond if something happens, Ramsey said.
Training not to click on fishy websites, locking computers and writing strong passwords, for example, should be offered for new hires as well as existing employees.
Just like many companies have a culture of safety on the job to prevent falls and life-threatening hazards, privacy should also be a top priority, including making employees comfortable reporting problems, he said.
Also, it’s necessary to review all contracts with vendors, such as a network provider agreement, to determine who’s responsible for what if a breach happens, he said.
“The incident response plan is the most important document you could have in place,” Ramsey said. It should spell out who to call if a breach happens, who the spokesperson is, and whether a forensics investigation will be conducted in-house or outsourced, he said.