Brian Pennington

A blog about Cyber Security & Compliance

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the effect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches, mainly because it requires companies to be more responsive to victims, followed by the creation of greater awareness about how the data breach could affect individuals and alerting potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

Consumers express their opinions of Data Breach Notifications

Ponemon Institute have released an Experian® Data Breach Resolution sponsored survey into what consumers think about Data Breach Notifications, titled 2012 Consumer Study on Data Breach Notifications.

I have made a summary of the survey below.

Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions

  • 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
  • 57% say that they want to be informed only if the organization is certain that they are at risk
  • 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message

The trustworthiness of an organization is linked to the efforts it makes to protect personal information

  • 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
  • 82% believe the privacy and security of their personal information is important

Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft

  • 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
  • 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.

Most consumers recall receiving a form letter and more than one notification

  • 65% of consumers say they have received at least one notification
  • 35% recall receiving at least three. In 2005, 91% said they received only one
  • 62% of consumers say the notification was a form letter; 19% say it was a personal letter.

Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach

  • 72% of consumers were disappointed in the way the notification was handled
  • 28% say the organization did a good job in communicating and handling the data breach

A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.

  • 41% of respondents say their data was most likely stolen
  • 37% say they have no idea what the data breach incident was about
  • This is an increase from 37% in 2005 who said their data was most likely stolen and 28% of consumers who said they had no idea what the data breach incident was about
  • 51% say their customer or consumer information was stolen
  • 21% say it was their financial information such as credit card/debit card account numbers
  • In 2005, 86% said it was their customer or consumer information and 10% said it was employee records
  • 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.

Personal data respondents worry most about if lost or stolen

  • 48% Email address
  • 48% Health plan provider account number
  • 48% Taxpayer ID number/Employer ID number
  • 52% Telephone or mobile number
  • 53% Driver’s license number
  • 57% Credit or payment history
  • 65% Credit card or bank payment information
  • 65% Prescriptions
  • 68% Social media accounts/handles
  • 89% Social Security number
  • 92% Password/PIN

Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about the data breach.

The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.

How the data breach may affect them and their family decreased significantly from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services and steps to take to protect their personal information were included for the first time in this year’s study and were significantly lower than the first choice about protections to minimize the possible negative consequences of a data breach.

Notification letters are increasingly perceived to be junk mail, according to many consumers

  • 36% say they thought the data breach notification letter looked like junk mail. This is an increase from 15% in 2005
  • 34% say it was an important communication; this is a significant decrease from 51% in 2005

If they thought it looked like junk mail

  • 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
  • 54% say the notification should be personalized
  • 50% suggest making a phone call or email alerting them to the notification

Customer loyalty is at risk following notification. In response to being notified by an organization

  • 15% say they will terminate their relationship
  • 39% say they will consider ending the relationship
  • 35% say their relationship and loyalty is dependent upon the organization not having another data breach

Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.

As in the previous finding, data breaches diminish customer loyalty and trust and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization. Only 30% say it had no effect on their trust and confidence.

Since 2005, data breach notifications have not become easier to understand, with 61% of consumers having problems understanding the notification, an increase from 52% in 2005.

The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.

The believability of data breach notifications has declined

  • In 2005, 61% say the message was believable
  • This has decreased to 55% in 2012

Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%.

Respondents are just as worried today as they were in 2005 about the security of their personal information

  • 63% are more worried about the security of their personal information
  • 44% say they have had to spend time resolving problems as a result of the breach
  • Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves

Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.

Ponemon’s Conclusion

Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.

One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005 when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach.

These include

  • Making the notification easier to understand by making it shorter with less legalese
  • Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
  • Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
  • Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences

Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.

In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.

Read the full report by registering here.

With Breach Notifications to be mandatory in the not so distant future it would be worth reading my review of the proposed European Data Protection Act here.

UK Fraud Report 2012

In April Experian released their 2012 review of Fraud in the UK. There are some interesting findings and a summary of the 28 page document is below.

Executive Summary of the report

  • Annual fraud losses across the UK are now estimated to top £70 billion
  • Of this around £3.5 billion is in financial services
  • A year-on-year rise of 4% in application fraud rates across all financial services products has been noted – reflecting a trend traditionally seen during downturns
  • Mortgage fraud rose by 8% in 2011, highlighting the level of exaggerated affordability and adverse credit some customers are now trying to hide
  • Insurance fraud has risen by 23%
  • The most significant year-on-year increase in fraud was seen around current accounts, which were up by more than half
  • First party fraud has continued to rise, while third party identity fraud has declined
  • A seasonal uptick in first-party fraud was also noted with significant H2 rises during the run up to Christmas
  • Traditional blue collar and welfare-dependent groups were among the most likely to attempt first-party fraud, as well as now becoming victims of fraud
  • The switch sees fraud moving closer to home and suggests an ‘anyone goes’ approach by fraudsters willing to aggressively pursue more lower-yield opportunities
  • Card fraud and automotive fraud both saw 40% year-on-year falls, suggesting identity capabilities and verification technology are improving
  • Elsewhere, fraud on savings and loan products has seen modest falls within the past year, also reflecting improving industry-wide good practice

Fraud in the UK is now at a record level. During the past 12 months, Experian estimates it went up by at least 4% and is an industry with an annual turnover that is now estimated to cost the country more than £70 billion.

Mortgage Fraud Rates

  • In 2006, around 15 frauds per 10,000 applications were being detected.
  • In 2008, the figure stood at around 26 per 10,000.
  • In 2011, 34 per 10,000 mortgage applications were found to be fraudulent.

Insurance Fraud Rates

At present around 11 frauds in every 10,000 policy applications and claims are fraudulent.

The Association of British Insurers is detecting more fraud than ever with more than 2,500 fraudulent claims worth £18 million every week.

The most common frauds

  • Home insurance with 66,000 bogus or exaggerated claims detected
  • Dishonest motor insurance claims with 40,000 frauds uncovered

Of these, motor frauds were by far the most costly, totalling £466 million. As a result, insurance fraud is estimated to now cost £2.1 billion per year.

Current Account Fraud Rates

Within the past 12 months, the rate of current account fraud jumped from more than 20 per 10,000 applications, to around 36 in every 10,000 applications. Around 60% of current account fraud was committed by first-parties, while the remaining 40% was committed by third-party identity fraudsters.

Automotive Fraud Rates

Fraud rates have fallen significantly in automotive finance, dropping from nearly 40 frauds per 10,000 applications at the end of 2010, to around 23 per 10,000 by the end of 2011. The vast majority (85%) of successful frauds were committed by first-parties, possibly reflecting an increasing availability and prevalence towards dealer credit.

Card Fraud Rates

Experian found that during the past two years the overall rate of credit card fraud has also dropped away.

There has been a sizeable swing from third to first-party frauds during 2011. After a stable first three quarters to 2010, the proportion of first party fraud began to rise rapidly, peaking at 70% in Q3 2011. Although the economy is likely to be a factor, with hidden adverse credit and inaccurate salary as the most common reasons given, this trend in behaviour is also partly driven by some lenders’ changes to reporting methodology.

Savings Accounts Fraud Rates

The fall in fraud rates has coincided with a decrease in the average time after application when a fraud was noted, with 75% of fraud being marked within one month of the application.

Towards the end of 2011, lenders began to note more first-party frauds, citing previous payment fraud. The victims are largely the highest earners as they continue to clearly represent the richest pickings for fraudsters.

Loans Fraud Rates

Loans show a slowly decreasing fraud rate, down around 10% on the year but remaining at around seven frauds per 10,000 applications. More than three out of four (76%) loans were marked as fraud within one month in H2 2011, down slightly from 83% in H1 2010.

First Party Fraud – where it occurs

London continues to be the centre of UK fraud, with acute problems in the inner-city boroughs of Tower Hamlets, East Ham and Woolwich. There also continues to be a problem in and around south east London.

The recent trend for a broad westward migration along the Thames Valley and out into the Home Counties has also continued. This is typified by the commuter towns of Reading, Luton and Croydon, which all recorded above average levels of fraud.

Northern Ireland continues to be a disproportionately high-risk region.

Elsewhere in the UK, provincial inner cities including Birmingham, Manchester, Leeds, Sheffield, Coventry, Leicester, Derby, as well as a triangle of Fenland towns around Peterborough, all showed an uptick in first-party fraud.

Third Party Fraud – where it occurs

The geographic spread of third-party fraud is broadly in line with first-party fraud, although there are far higher concentrations within the London boroughs, inside the M25’s commuter belt and with notable spikes along the Thames Estuary’s gateway towns. During the past few years there has been a gradual migration outside of Greater London, although more recently the numbers suggest a contraction back into London – particularly around East London.

The fraudsters’ pattern of behaviour by numbers

  1. The UK’s leading ecommerce businesses say their peak fraud period is from 9pm to 12 midnight. Nearly three out of 10 (28%) companies surveyed cited this period in which most fraudulent orders were put through their site
  2. With thousands of websites to defraud and thousands of institutions offering credit, it’s no great loss to fraudsters when they do get beaten by the embedded defences companies put in place. Fraudsters simply move onto the next site in the list. According to a survey of fraud managers at internet retail operations, seven out of 10 (70%) of retailers don’t report fraud to the police
  3. Fraudsters favour a mid-range attempt that doesn’t arouse suspicion or warrant great scrutiny. Fraud managers have indicated that nearly half (43%) of attempted fraudulent transactions were in the £250 to £500 range, while less than a third (29%) were in the £500-plus bracket
  4. Despite the obvious advantages offered by the online retail environment, many fraudsters still prefer to use a third-party to distribute stolen property, often favouring the convenience and ease of a speedy cash sale to a member within their broadly co-operative fraud networks
  5. Fraud managers have their own online forums to discuss, share information, tips and fraud alerts to work together to beat the fraudster, so it’s unsurprising to find that fraudsters also have their own forums as well. Numerous ‘carding sites’ exist on the web where any web-literate person can purchase and take home sets of card numbers, names, addresses and other information, before attempting their own Card-Not-Present scam.

Download the full copy of the Experian 2012 Fraud Report here, registration is required.

You may also want to read RSA’s April Online Fraud Report 2012.

The majority of adults are worried about possible exposure of their personal information

According to SailPoint’s Market Pulse Survey, the majority of adults in the United States, Great Britain and Australia are worried about possible exposure of their personal information, and a large percentage of adults have lost confidence in how companies protect their personal information. As an example, 80% of Americans, 81% of Britons and 83% of Australians who have personal medical information are concerned about moving that information to an electronic form because of the risks of identity theft or invasion of privacy resulting from their personal information being exposed on the Internet, to other staff members or even their employers. The frequent incidence of data breaches is reflected in the fact that many adults think they have become commonplace at financial institutions and retailers: 12% of Americans, 8% of Britons and 8% of Australians believe these breaches happen all the time.

“The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers,” said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. “These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception.”

The Market Pulse Survey indicates that a security breach at a financial institution or retailer can severely impact customer loyalty. Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft. Within these groups, 10% of Americans, 14% of Britons and 16% of Australians would not only not do business with that organization, but also would tell their family and friends not to do business with that same organization.

In all three regions, the growing use of electronic medical records is a main concern because adults believe that having healthcare organizations manage their personal data electronically exposes them to more threats. Specifically, of the adults in these countries who have personal medical information: 29% of these Americans, 26% of these Britons and 30% of these Australians are most concerned that medical records being made available electronically might result in those records being exposed on the Internet. 35% of these Americans, 33% of these Britons and 37% of these Australians are most concerned about the use of their private information being used to steal their identity. Finally, 10% of these Americans, 14% of these Britons and 11% of these Australians are most concerned about staff members not directly related with their care being able to view their private data.

“Consumers have reason to be concerned about the safety of their personal information and to question how effective organizations are at protecting that information,” continued Gilbert. “In some widely publicized cases, the very basics of user access control were not put in place to safeguard sensitive data, making it child’s play for intruders to gain access to it. SailPoint is working with some of the largest financial services, retail and healthcare organizations around the world to ensure strong controls over data access. Unfortunately, as this survey shows, there is still a lot of work to do to win back customer confidence in light of the number of bad examples across industries.”

Survey background: In the SailPoint Market Pulse Survey, conducted online by Harris Interactive, consumers expressed cynicism about how these organizations are protecting their data and a willingness to leave a business that experienced a breach. The recent online survey was conducted among 2,241 adults in Great Britain, 1,023 adults in Australia and 2,309 U.S. adults. SOURCE: SailPoint

Test your IT Security and ID Theft Knowledge

Preparation is often the best way of ensuring you have the right protection.

The Consumer Federation of America have worked to put together some excellent quizzes that will help you understand the potential impact of an Identity Theft and several IT Security threats and risks.

Test your Identity Theft knowledge by participating in any or all of the following Identity Theft Quizzes.

  1. Pretend that your identity’s been stolen and learn how to get it back by correctly answering questions in the Federal Trade Commission’s ID Theft Face-Off Quiz.
  2. Learn how to keep your wireless Internet connection secure and fend off intruders by taking the Federal Trade Commission’s Invasion of the Wireless Hackers Quiz.
  3. Don’t let spyware sneak onto your computer to give others a peek at information you enter online. Get wise to the spyware guise by taking the Federal Trade Commission’s Beware of Spyware Quiz.
  4. The techie spy and his cunning crew are out to get your personal information. Stop them cold and prove you’re ready to protect yourself online by cracking the Federal Trade Commission’s Case of the Cyber Criminal Quiz.
  5. You’re in big trouble at work because your laptop’s been stolen and the information on it wasn’t secure. It won’t happen again if you take the Federal Trade Commission’s Mission: Laptop Security Quiz.
  6. Phishers are looking to lure you into providing your personal information with bogus emails and pop-ups. Will you take the bait or live to swim another day? Find out by taking the Federal Trade Commission’s Phishing Scams Quiz.
  7. Identity thieves use many methods to steal your key personal and financial information to sell, use to drain your accounts, or set up new accounts using your good name. How much do you know about identity theft, related fraud, and how to reduce your risks? Find out and have some fun by taking the University of Oklahoma Police Department’s Identity Theft and Fraud Quiz.
  8. Are you at risk for identity theft? Take the Privacy Rights Clearinghouse Identity Theft IQ Test to see how you rate.
  9. Identity theft affects people of all ages, including children. Test your knowledge of child identity theft by taking the Identity Theft Risk Check℠ Quiz, a quiz designed by the National Sheriffs’ Association and the National Foundation for Credit Counseling.

13% of Britons are “casual hackers” and 16% have been hacked…

CPP Group Plc, a “life assistance company”, has published its research into people accessing other people’s data without their permission, also known as hacking.

The results are alarming, with “13% admitting they have accessed someone else’s online account details without their permission”.

CPP have coined the term “casual hacking” with Facebook and similar social sites being the most targeted. Further research results are below:-

  • 32% casually dismissed their hacking as something they did ‘just for fun’
  • 29% admitted they did it to check up on their “other half”
  • 8% admitted they were checking on a work colleague
  • 2% were not just “spying”, they were aiming to make a financial gain

16% of people have had their own online password-protected information accessed without their permission

Of those who have had their data accessed

  • 24% have had their personal e-mails accessed
  • 7% claim to have had their work e-mails accessed
  • 19% say their eBay accounts have been hacked
  • 16% had their social networking profiles hacked
  • 10% claim to have had money or a loan taken out in their name

Identity fraud expert from CPP, Danny Harrison said: “People may dismiss checking up on their friend or partner’s accounts as a bit of fun, but in reality they are hacking. Looking at someone’s personal information without their knowledge is a serious act and one that could have serious repercussions both personally and professionally. We would urge everyone to be very careful about sharing passwords and to be vigilant about monitoring their accounts.”

The CPP research also polled the “casual hackers” about their knowledge and attitudes towards tutorials and hacking advice being available on the internet.

  • 17% of people are aware of their existence
  • 87% agree that this kind of material should not be available online
  • 63% think ‘hacking’ tutorials should be removed from the internet
  • 56% say the Government should take action to remove ‘hacking’ tutorials from the internet
  • 59% feel these videos and step-by-step guides increase the risk of identity fraud

Danny Harrison continued: “Hacking presents a risk to consumers and businesses and it is important people take the necessary steps to protect their identities and manage any compromised data. People are concerned about their password protected information being accessed without their permission and we are calling on the Government to review access to these online hacking lessons.”

CPP have produced their top tips on protecting your information from hackers:

  1. Change your passwords regularly – the longer and more obscure, the better
  2. Leave a website if you notice strange behaviour (unknown certificates, pop-ups etc.)
  3. Avoid transmitting sensitive data over public (free or otherwise) Wi-Fi
  4. When seeking Wi-Fi connections: know who you are connecting to, be wary of free Wi-Fi access
  5. If using a Smartphone: disable Wi-Fi ‘auto-connect’
  6. If you are concerned about identity fraud, consider purchasing an identity fraud protection product to help you detect, prevent and resolve any incidence of the fraud

CPP’s website can be found here.

Study: Consumers’ Reaction to Online Fraud

ThreatMetrix, a cloud-based fraud prevention company, and the Ponemon Institute have released the findings of their joint study on consumers and their awareness and appreciation of online fraud.

The study has revealed

  • 85% of respondents reported being worried and dissatisfied with the level of protection online businesses are providing to stop fraudsters. This percentage is up 5% on the Ponemon study of 2009.
  • 42% of respondents said they have been the victim of online fraud.
  • 80% of victims said they did not report the crime.
  • 19% that said they had reported the fraud only reported to the online business.

“A lot of fraudulent activity goes unreported today, making it difficult for online businesses to fully understand the prominence and seriousness of the problem,” said Reed Taussig, president and CEO, ThreatMetrix. “With a rise in online transactions and activities across devices, more needs to be done to educate online merchants, banks, social outlets and other businesses on how to decrease fraudulent activity.”

Those respondents that expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.

  • 68% would allow a trusted online business to place a cookie on their computer to automatically authenticate them
  • 82% indicated that they would expect an online business to offer alternative authentication methods if they were unable to match the consumer’s digital fingerprint to their security system.

“Our survey results help validate the need and consumer preference for technology, such as device identification, to authenticate identity as opposed to using personally identifiable information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.”

Information Consumers are Willing to Allow a Trusted Online Business to Check to Verify Their Identity, or Digitally Fingerprint Their Computer:

1. Serial number of computer: 88%
2. Type and make of your computer: 83%
3. Internet service provider: 76%
4. Browser settings: 71%
5. Type of browser: 65%
6. IP address: 59%
7. Types of software applications residing on your device: 54%
8. Email address: 46%
9. Purchase history: 39%
10. Planned future purchases: 35%
11. Date of birth: 34%
12. Telephone number: 17%
13. Home address: 16%
14. Name: 14%
15. Zip code: 9%
16. Social Security number: 4%
17. Driver’s license number: 2%

Study findings indicate that consumers have a “positive perception about companies that use authentication and fraud detection tools to prevent online fraud”.

  • 56% of consumers indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
  • 88% of respondents stated a preference for companies to share information about their device for authentication purposes — as opposed to sharing personal information to verify their identity.

 Read the whole study here.

Identity Theft Resource Center found that hacking accounted for the largest number of breaches in 2011 year-to-date

The Identity Theft Resource Center® has found that hacking accounted for the largest number of breaches in 2011 year-to-date.

Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems. This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

ITRC point out that their findings do not include the large Epsilon email breach, as the full findings are yet to be disclosed and the effects seen. The findings also do not include the massive Sony PlayStation Network breach, as this occurred after the report.

Anecdotally, the ITRC in their press release also refer to other pieces of research:

  • Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010.
  • McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees.

ITRC views employee breaches as two different types of breaches.

1. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company.

2. The insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information, so we can only report on situations when information is released. As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

Businesses are taking the brunt of hacking attacks, according to published reports of breaches. 

  • 53.6% of all breaches on the ITRC report were business related. 
  • The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Other ITRC findings include:

  • Nearly half of breached entities did not publicly report the number of potentially exposed records
  • Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

ITRC was unable to draw any long term conclusions from these initial findings.

For further details of the ITRC visit.
