Retailers Failing to Protect Consumer Data
Modernizing Authentication — What It Takes to Transform Secure Access
Target, Neiman Marcus and other retailers have a responsibility to provide a trustworthy transaction system, but too often they are shortchanging their customers.
By Samuel Greengard
The ripples and ramifications from the recent Target and Neiman Marcus security breaches continue to slam consumers…and other businesses. According to new data from Javelin Strategy and Research, a consumer had about a 10 percent chance of seeing their stolen credit card data used three years ago. Now the figure stands at about 33 percent. Debit cards have hit 46 percent.
In addition to the financial risk—particularly on unprotected debit cards—there's the hassle factor. I know. One of my credit cards was entangled in the Target debacle and, consequently, my bank sent me a new card. That meant venturing online and calling merchants to update my payment information. Right now, I'm at about 45 minutes and counting. Multiply this by the 40 million Target shoppers and 1.1 million Neiman Marcus shoppers and we're talking about far more than a minor inconvenience.
I'll admit it, I'm boiling mad. As a result, I'm avoiding Target stores for the foreseeable future. The way I see it, Target, Neiman Marcus and others have a responsibility to provide a transaction system consumers can trust. I don't want to hear excuses.
Alas, most retailers don't seem to be getting the message. Another study conducted by password manager vendor Dashlane found that, among top 100 e-commerce sites, more than half accept weak passwords, such as "password" or "123456"; 51 percent do not block wrong entries, even after 10 failed attempts; and many send requested password information with minimal verification.
The worst offenders? 1-800-Flowers, J. Crew, Toys "R" Us, MLB.com, Dick's Sporting Goods, Amazon, Wal-Mart and Victoria's Secret. In fact, only about 10 percent of the sites Dashline studied met the firm's criteria for enforcing strong passwords and protections. Just one in 10 businesses—that's a jaw dropper.
A fundamental problem with today's authentication systems is that they're based on what Steve Schwartz, president of ID monitoring service Identity Guard, describes as "knowledge-based verification." The key is a simple string of data that people tend to use at numerous sites, and services such as Facebook share across multiple sites. That means that if a password is breached, the ripples quickly grow into a tidal wave.
There's no simple fix to the problem, which actually is a number of problems. There's a need for far better security procedures and policies—and a pressing need to rethink security from the password up, including authentication. Retailers and others had better take notice soon. My sense is that many consumers are beginning to reach the boiling point.
About the Author
Samuel Greengard is a contributing writer for CIO Insight. To read his previous CIO Insight blog post, "Open Source Has Changed Everything," click here.