With the holidays around the corner and U.S. consumer confidence at a 16-year high, Americans are ready to do some serious shopping. But keeping data safe should be a priority for shoppers, given the potential for point-of-sale data breaches and identity theft. How serious is the threat of retail-based data breaches and ensuing identity theft? Very serious.
According to Trustwave's 2017 Global Report, retail point-of-sale (POS) data breaches increased to 31% of systems "most breached" in 2016, vs. 22% in 2015. "Incidents involving POS systems were most common in North America, which has been slower than much of the world to adopt the EMV payment card standard," according to Trustwave.
The Trustwave study further shows:
- Consumer payment card data is "most at risk," with more than half of the incidents investigated targeting payment card data.
- Stolen card track (also called magnetic stripe) data, at 33% of incidents, primarily came from POS environments.
- Stolen card-not-present (CNP) data, at 30%, mostly came from e-commerce transactions.
- Financial credentials, including account names and passwords for banks and other financial institutions, accounted for 18% of incidents.
Six steps to protect your own data
There's plenty consumers can do to protect their data at malls, shops, restaurants, and other retail outlets. Here are six tips to help you do what data security experts do when they're out engaging with retailers in public.
Use different numbers
"As a rule of thumb, I have separate credit card numbers for online shopping, standard bills, physical shopping and travel," says Andrew Bagrin, founder and CEO of OmniNet, a leading Firewall-as-a-Service (FWaaS) provider, in Wilmington, De. "The reason is that it's easier to lose a credit card while traveling and it's easier to get a credit card compromised while shopping online or in store."
Bagrin also advises reducing the risk of a POS retail data breach by going the "alerts" route. "If available, set up your credit or debit card to notify you every time it is used for any amount," he says. "I get a quick email and I can tell right away if it was me, an automatic payment, or if I have a problem."
Track your credit health
Monitor your credit with a product like Experian CreditWorks to get notifications if your credit is accessed. "Since everyone's identity has been compromised, there very likely will be attempts to open credit with your identity to purchase something, and you will be stuck with the bill," Bagrin says. "To stop that, make sure you monitor and act fast."
Change your name
If you shop online, don't use the same username and password at multiple online locations. "If your account at Bobscandles.com gets stolen and you used the same credentials at BankofAmerica.com and Paypal.com, you have a much bigger problem," Bagrin warns.
He advises altering your password at each online account, even if it's just adding "BOA" or "PP" to the beginning or end of your password. "Pick something you will know and remember - BOA for Bank of America and PP for PayPal," he adds. "This may seem very simple, but it's extremely effective."
Don't hand your card over
One of the best point-of-sale defense mechanisms is to not let the cashier handle your card, and also to cover your hands when entering your four-digit PIN, states Adam Watson, managing director at Hollywood Mirrors, a U.K.-based retail enterprise. "Also, don't give any other personal details out if the shopkeeper requests them, like email address, postal address, phone number and name," Watson advises.
Shoppers can also check with their payment card providers to ensure they have the correct contact details on file. "That will enable the card issuer to contact you if they notice any unusual spending patterns on your card," says Grafton Potter, vice president of sales, North America at PCI Pal. "In turn, you should keep your card supplier's 24-hour contact details handy in case of emergency and keep your payment card with you at all times. Also, don't allow it to be taken away from you in shops, restaurants or bars."
Targeting the POS retail data breach problem
What's driving the increase in cyber-attacks? A big part of the problem is that companies and retailers are handling and collecting more and more personal information.
"A hacker only has to find one vulnerability—one small lapse—and can potentially get access to volumes of sensitive personal data," says David Thomas, chief executive officer of EvidentID, a cybersecurity solutions firm in Atlanta, Ga. "Criminals can easily monetize the data they are stealing either by leveraging it themselves for fraudulent activity, or by selling it. Either way, they are getting paid."
Another challenge: cyber-fraudsters have multiple ways to steal data in retail point-of-sale scenarios.
"A customer's information can be compromised through unsecured network endpoints, such as customer Wi-Fi access points, which provide easy access to hackers seeking to steal customer data," says Carl Mazzanti, co-founder of eMazzanti Technologies, a New York City-based retail technology consultancy. "There's also access to the store's website. There, data is often obtained using malware hiding in encrypted web traffic."
Will chip cards protect us?
Additionally, the promise of tighter retail industry data security controls really hasn't materialized yet, despite repeated efforts.
"The chip card (EMV) era arrived with the promise that data in retail environments will be better protected," notes Mike Baker, founder and managing partner at Mosaic451, a managed cyber security service provider. "Cardholders eventually will have much greater security at the point of sale with their own card data. But, while it will be much more difficult for thieves to steal card data at the point of swipe, the hackers are still hacking and data is still being lost—almost daily."
Plus, as cybercriminals become more sophisticated, staying ahead of threats is a daily challenge for retailers. "The card number is only a small part of what a hacker wants," Baker says. "The more data a hacker gets, the more complete a profile of an individual they obtain, making the data they steal that much more valuable."
In the case of POS retail data breaches, it's up to companies to take the prospective steps needed to protect consumer card payment data.
"Companies need to reevaluate the way they store and manage sensitive personal data," Thomas explains. "They can now acquire the verified personal data they need without having to hold or manage personally identifiable information (PII) in one place."
Above all, retailers should pay close attention to cyber security in POS scenarios because they are increasingly the targets.
"Smaller retailers, especially, tend to underspend on security, making them easy marks for hackers and malware," says Mazzanti. "These threats are increasing because criminals are making money off of unprotected businesses."