Most U.S. consumers don’t have a high level of confidence that their personal information will be safeguarded by retailers with whom they shop, according to a new Pew Research Center report.
Only 14% of adults surveyed were “very confident” that companies and retailers they do business with will protect the sensitive data collected about them, and 46% said they were “somewhat confident.” More than one-third of respondents expressed low levels of assuredness, with 21% “not too confident” and 15% “not at all confident” in the ability of retailers to securely handle their information.
“The results were not outside of the realm of what we expected. We saw a lack of confidence in entities people interact with daily, and that was very consistent with the public climate given the steady stream of hacks, breaches and cyberattacks by hostile entities that have been in the news,” says Aaron W. Smith, associate director of research at Pew. “The broader population feels as though the dissemination and use of their personal information is out of their control.”
The Pew Research Center’s study, titled “Americans and Cybersecurity” and released late last week, is based on a phone survey in spring 2016 of 1,040 U.S. adults across all 50 states.
The findings of low public trust and pervasive worry for privacy pose problems for web merchants, who need to maintain and nurture loyalty with shoppers. Given that a majority of those consumers surveyed — 64% — have experienced a major data breach of some sort and 41% having encountered fraudulent charges on their credit cards, online retailers have to know how to inspire confidence during and after checkout. After all, any momentary hesitation from a potential customer in entering payment information could result in shopping cart abandonment and lost sales, digital security experts warn.
The first step is for merchants to gain a deeper understanding of what’s happening with fraud front so they can better combat data theft, says Lawrence Pingree, research director and security technologies analyst at Gartner Inc.
Data breaches often are considered isolated events, but they tend to be cumulative in nature, Pingree says. Just like credit card companies collect many data points on a cardholder to vet purchases — including retail history, geo-specific transaction locations, IP addresses and devices used — criminal hackers likewise attempt to cull a comprehensive profile on a given shopper’s life and habits, but with malicious intent.
For example, if attackers in the Target Corp. breach accessed card numbers, expiration dates, the embedded security codes, names, postal addresses, email addresses and phone numbers, that stolen information gets passed along for storage in an underground criminal warehouse. There, names or email addresses can be synced with previous stolen lists of consumer data that might include Social Security numbers, mother’s maiden name answers, usernames, passwords and the like, Pingree says. The more complete a picture that can be painted of an individual, the easier it becomes to steal that person’s identity and make fraudulent purchases.
According to another Pew report published in December 2016, roughly eight in 10 Americans are online shoppers, and 15% buy online on a weekly basis. More than half of adults in the U.S. — 51% — have used their mobile phone to purchase something online. This can be risky behavior because consumers tend not to update device apps and operating systems as frequently as they should, missing patches for known security issues. Pew’s cybersecurity report found more than half of internet users utilize public Wi-Fi networks, such as those in cafes and libraries, even for online shopping or banking. These networks are especially common targets for hackers.
“It boils down to weaknesses in the process and non-ideal behavior consumers are engaging in during these interactions with retailers,” says Pingree, who has more than 20 years’ experience in the security industry. “When you ask a bank robber why they choose to rob a bank, they say ‘Because that’s where the money is.’ Well, this is where the data is. And data can be leveraged for financial gain.”
Online retailers are guilty of underestimating hackers and the impact of extensive and growing underground data networks, Pingree says. E-retailers that have not had a data serious breach tend to meet the minimum of regulatory requirements for security and privacy set by the Federal Financial Institutions Examination Council, he says. Unfortunately, those mandates are several years out of date, and advanced attackers have already figured out ways around those protections, Pingree says. But once merchants are burned with a breach, they pay more attention.
“Then they start erring on the side of caution because they don’t want to be the next news headline,” he says.
Smart retailers are moving toward more advanced machine learning, Pingree says. Algorithms are able to compare past and current shopper behavior by interconnecting events and categorizing data so that strange transactions that depart from a shopper’s typical pattern can be identified, thereby increasing the odds that fraudulent transactions are weeded out.
Perhaps the most important thing for retailers to integrate into their payment processing is what is called multi-factored authentication, Pingree says. For security industry professionals verifying someone’s identity, the first prong relates to “What you know,” which includes a password, PIN or login. The second is “What you are,” which includes biometrics like a fingerprint on an iPhone. And the third is “What you have,” which would be a “token” the shopper receives, or perhaps a verification code that gets sent to a mobile phone when a purchase is being initiated. The added layers of authentication make it harder for hackers to pass off stolen information because they may not have access to all of the pieces, Pingree says.
“This is the future for retailers,” he adds. “It’s so important that they keep their customers’ personal data safe from misuse, even if customers are failing to follow best practices with digital security. That way, retailers can make strides in improving the public perception of how safe their sensitive information is against attackers.”
Other findings from the Pew Research Center cybersecurity report:
- 21% of U.S. consumers who use public Wi-Fi networks make online purchases while connected.
- 49% feel their personal information is less secure than it was five years ago while 31% feel it is about as safe as it was five years ago.
- 39% use the same or very similar passwords for many of their online accounts.
- 28% of smartphone owners do not use a screen lock or other security features to access their phone.
- One in 10 smartphone owners never install updates to their mobile device’s apps or operating system.