[PODCAST] Consumers Lack Awareness of How Much Personally Identifiable Information is Exposed

The following is a transcript of the podcast episode

Recently First Data produced a cybersecurity study that took a look at personally identifiable information. Can you give us a brief overview of this study or survey and what was its main focus?

EJ Jackson – Head of Security and Fraud Solutions at First Data

Happy to. The study explores the attitudes and actions of today’s consumers as to how they secure their personal identifiable information, we’ll call it PII. It identifies trends that can give financial institutions, retailers, service providers, and individuals themselves an extra edge on the battle that goes on for their personal data. One of the things that is pretty revealing is that the results show the consumers really lack an awareness of how much of their PII data is on the dark web despite how little trust they have in businesses’ ability to keep their data safe. It’s a bit contradictory if you will. The study is based on a survey of about 1800 consumers and aggregates responses across four unique age groups. If you go to our site, we reference them as “linksters,” which are aged 18 to 23; “socializers,” aged 24 to 30; the MTV generation, which is where I hail from, 35 to 54; and then the “mature” 55 plus.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

When we’re talking about PII, personally identifiable information, what type of information are we talking about? Is it your basic name, phone number, email, possibly Social Security or the breadth of this type of information that’s typically out there?

EJ Jackson – Head of Security and Fraud Solutions at First Data

“Breadth” is a good word to use because PII is data that can be used ultimately to uniquely identify you. You named some elements such as name, date of birth, address. Those are some of the basics of PII data, but you can go a level deeper in terms of family members, your relationships with them, login credentials, and passwords, even social security or passport identification. Ultimately, it’s all of that data that comprises the way that you are uniquely identified. And that’s the data that fraudsters are really targeting heavily so that they can manipulate access to that data as if they were your proxy.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

The study also took a look at consumers’ trust in certain business types. What can you tell us about the results from that section of the survey?

EJ Jackson – Head of Security and Fraud Solutions at First Data

We found that the three most trusted businesses were financial institutions, health care organizations, and insurance companies. What’s also interesting is that the least trusted are petrol companies, telecom, food service, and QSR. And I would say that from my experience in the industry, those are also the industries that are typically targeted the most and have typically the highest level of breaches. I think by the nature of financial institutions and healthcare insurance companies, they’re heavily regulated organizations. Security and compliance are fundamental and core to those organizations, and processes that go back, tens and tens of years they’ve perfected over time. Petrol, telecom, food service, QSR, the ones that are least trusted, I think the reason they are least trusted is they’re also the ones that tend to get breached and they’re not as sophisticated or as mature in their compliance mechanisms and their ability and maturity in fending off fraudsters, particularly as fraudsters are growing more and more sophisticated.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

One thing I find particularly interesting and maybe you can shed a bit more light on it. In the press release in which First Data announced citing this, among the business types most trusted by consumers are the financial services providers, trusted by 46 percent, which to me seemed a little low. Their information was secure with a financial institution. It seems the main value proposition of a financial institution really is that security — I place my money in a financial institution and therefore it should be safe. Therefore I feel the same way about my data. But from the survey results, it seems that less than half the people felt that way. What’s your take on that?

EJ Jackson – Head of Security and Fraud Solutions at First Data

It’s a great perspective because I think we use the term “most trusted” as somewhat of a misnomer in that it’s the most trusted in comparison to the least trusted. So if we’re seeing financial institutions, health care, and so forth in the upper 30s and mid 40s in terms of the level of trust, which is tenfold higher than the quick service restaurants, telecom, food service. However, as you’re pointing out, it’s less than a 50% threshold, meaning more consumers are less trusting than are trusting. I think one of the interesting (and I found pretty jolting) statistical findings of our survey was that 1 in 4 consumers stated that they believe their information has been compromised in the past 30 days. The reality is that the overall consumer sentiment is that many breaches are occurring, more companies are failing than succeeding at fighting against it, and their confidence is at a low, such that 25% of them feel like they’ve had a violation against their data in the past 30 days. That is very much aligned with what we’re seeing from the consumer perspective. I think the bottom line takeaway from that is there’s a lot of work that all of these merchants need to do and all these institutions need to do to shore themselves up against the fraudsters because the general perspective is that the fraudsters are winning more than they’re losing.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

I’m certainly glad that you brought up that statistic that basically a quarter of people feel that their data has been compromised. When you look at the news you really see that, Facebook in particular, really seems that it’s been getting hacked. And it seems like on a quite frequent basis and on a large volume basis as well. You talk about millions of people’s information that’s being stolen or breached. That would lead you to believe that large social platforms in particular really are huge targets for identity thieves. So, how concerned should people be about the security issues that seem to be cropping up left and right with social platforms?

EJ Jackson – Head of Security and Fraud Solutions at First Data

I think they should be highly concerned, and it’s interesting that some of the data from our survey again show these contrasting data elements — contrasting in that perceptions are low, trust is low, but actions by consumers, even though they have such a low sentiment toward their data protection, the way they behave is still as if things were safe. I’ll give you an example.

First of all 18% of the consumers we surveyed stated that their social media account had been hacked recently; 27% of Facebook users are still using Facebook at the same frequency as before; only 21% changed their password recently. So even though 1 in 5 roughly are saying they’ve been hacked, only 1 in 5 actually changed their Facebook password in a relatively near time; 8% deleted their accounts. So 92% continue to use Facebook extensively. And 7% deleted other social media. So the reality is we’re continuing as if it’s business as usual in that we’re not changing our behaviors. We’re still actively using these social media platforms, and we’re taking very little action to protect ourselves. Yet we’ve either directly experienced, 1 in 5 of us directly experienced our accounts being hacked or breached, and more than half of us have a low faith [in the security]. So it’s fascinating to me that the data shows the sentiment is low and that consumers have experienced in a meaningful way, 1 in 4 experienced breaches that have personally impacted them or their accounts being taken over, yet the majority of them have not changed their behavior. So I think that also needs to be something that blends to the businesses in that they need to understand as well that these consumers are also part of the problem in that they’re behaving in a manner that’s the same as they were five years ago, but the known threats are increasing, the breaches are increasing. And this is unfortunately another weak link for these financial institutions and these businesses to protect from account takeover to protect from these malicious fraudsters that are able to get this PII data and exploit it for their nefarious means.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

It’s an extremely interesting psychology and it fits the definition of insanity in that these data breaches happen over and over again and people get outraged but then do nothing themselves to help prevent it, not just even changing their password. And when their information was stolen, only 8% of people said “I don’t want to risk it anymore. I’m just going to delete the entire account.” To me the interesting psychology is that some of these social platforms have gotten to the point where they’re so ingrained in people’s behavior that it almost doesn’t matter what happens to them in terms of their data is being breached or getting hacked into or things getting stolen from. They’re going to keep using the service no matter what happens. I ask people, “What do you think is the tipping point, or is there a tipping point?” We opened Pandora’s box and people think, “Well, my data got hacked into. That’s the story. These things happen, and it is what it is.” I’m interested to hear, EJ, whether you think that there’s a tipping point for people when it comes to their data and security.

EJ Jackson – Head of Security and Fraud Solutions at First Data

I do. Clearly we’re not at that tipping point yet. There’s a reason these social platforms are so widely consumed. They do give a level of connectedness. I’m a consumer of Facebook as well as other social platforms that I use personally and professionally. Speaking anecdotally, I myself have in the back of my head concerns over the fact that I have what might be considered private interactions that are now being put into the public domain, monetized, measured, or even could be used, for an illicit or taken by a fraudster to be used in a negative way. I would say that at the moment the social platforms give greater value than the growing sentiment of our current state of confidence and trust and so forth. But what I do believe is that at some point in time as breaches continue to occur with growing acceleration and velocity, that as it becomes financial impact, also as you the consumer begin to become aware that maybe you were a victim of social manipulation that impacted or influenced your mindset on very false premises, that as you understand that at some point in time that is going to have greater harm than the benefit of the social platform. I think that we are precariously getting to that tipping point. I don’t know if that’s something that’s in months or years. My personal opinion is if the social platforms, the businesses, and consumers themselves don’t each take action to materially change that, it’s a two- to three-year phenomenon before we will begin to see erosion of the engagement and use of these platforms because they’re not going to be viewed as safe. They’re not going to be viewed as trusted, and they’re going to be a vulnerability that further exploit these consumers with what they do with these other businesses that they interact with. So, I think that ultimately a call to action is happening now. There’s still time. The value of these social platforms is greater than the perceived risk or harm that’s being caused.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

To shift gears here, I want to focus on the dark web, certainly an interesting subject, that could probably have an entire episode of this podcast series. It’s kind of mysterious and not a lot of people understand what it is, how it works, but you see it cropping up a lot in the news, especially with these data breaches. So to tie it within our subject here, is there any validity to the news that there’s a lot of personal data out there on the dark web that’s for sale, or is that being overhyped because it’s a sensational headline?

EJ Jackson – Head of Security and Fraud Solutions at First Data

I don’t think it’s a sensational headline. First Data, we’re actually in the business of monitoring the dark web. And as you said we could do another episode on that topic. It’s a pretty large topic. But what I can say from First Data’s perspective is initially we got into the dark web to try and find breached card data. These are sellers that are taking card numbers and putting them up for sale. And what we’re seeing happening in growing velocity is PII data put up for sale. The PII data has value in two regards. One, it can be used in conjunction with card data to create further fraud. But the other element of PII data is that it ultimately and now enables a fraudster to do what’s called account takeover, which is really the keys to the kingdom on whatever asset you’re using that PII data to protect yourself or to uniquely identify yourself, whether it’s bank accounts, subscriptions you have, other commerce that you’re doing. One interesting phenomenon that we’ve also seen in the dark web is that PII data is trading for as much as five times breached card data. So that’s a pretty interesting fact and that shows you the fraudsters themselves are valuing PII data more than a stolen credit card.

Ryan McEndarfer – Editor-in-chief at PaymentsJournal.com

It makes a lot of sense as to why that would be. It’s been coming up in the news quite a bit as to fraudsters taking pieces of verifiable information from a multitude of individuals to create a pseudo-individual. If people are checking just one or two fields, these numbers technically exist, but it’s almost like creating a zombie person. On paper realistically all these numbers are correct, yet there’s no brain attached. This person doesn’t legitimately exist. Could that be maybe why there’s this increase in demand and also value to one-off PII data points?

EJ Jackson – Head of Security and Fraud Solutions at First Data

In the industry the term we use is “synthetic fraud,” the creation of an artificial identity. It is a growing concern, but if you talk with most in the industry, the biggest concern and the most immediate concern is account takeover. That goes along with the sentiment we talked about, that 1 in 4 of the consumers we surveyed were specifically aware of some breach of their data in the past 30 days and 18% said their social media accounts had been compromised or hacked. And so while synthetic fraud is a real phenomenon, the extent of it is not pervasive yet or as big a threat, particularly if you talk with financial institutions, the ones with a hole in the bag when synthetic fraud is actually successfully perpetrated, but right now the 99% problem and the 99% concern is really around account takeover. So as consumers, while they acknowledge that they have the sentiment of fear and low confidence in how their data is managed, their own behaviors haven’t changed and they still have behaviors such as not changing passwords or using a single password universally across all of their varying accounts where the hacker can compromise one site. The fraudsters have basically now got the keys to the kingdom on that particular consumer. So I think that that’s the bigger issue right now. I think synthetic fraud is a very interesting topic, a new topic that we want to discuss, but the real meat on the bones right now is account takeover. That’s the biggest vulnerability most of us have, particularly if as consumers we’ve had these bad behaviors on our part.

Ryan McEndarfer

Before we close, is there anything you would like to add? Also, could you give a little plug on where individuals can find this report or the survey if they’re interested?

EJ Jackson – Head of Security and Fraud Solutions at First Data

The First Data 2018 “Protecting Personally Identifiable Information Survey” report can be found on First Data’s website, at www.firstdata.com/cybersecuritymonth. Or mail us at Cybersecurity Product Team at First Data.com, and we’re certainly happy to talk with those who are interested. For further information, you can reach us at 1-866-966-8330. My final thought is an extension of what we were talking about earlier, that in time the value of these social platforms will become greatly at risk or the engagement on them will dramatically decrease if consumers continue to have their accounts breached, they continue to have their data violated, or they’re presented with misinformation, and if businesses do not invest in shoring up their defenses. Businesses as well as the consumers have to take action themselves. I look at a somewhat multiparty effort that has to happen because the adversary is very formidable. They’re using cutting-edge technology such as machine learning and so for all the tools that we talked about to prove to defend against fraudsters, the fraudsters themselves are using it and I would actually argue they’re even more cutting-edge. They have a higher level of experimentation and are early adopters of these technologies. If you think about it, their rewards are bigger too. If you can perpetrate a fraud, you can get a pretty big return on your investment to go after consumers and businesses. So we have to be extremely vigilant. But I also think it’s not one-dimensional; it’s multidimensional. For us to successfully counter these fraudsters, starting with consumers themselves. They need to look in the mirror. They need to get serious about their security. Businesses need to do the same. Social platforms need to do the same. That’s my final sentiment on this. It will be interesting as we continue to do the surveys, to see how things trend.
