Two out of three merchants fail to make any changes to their fraud prevention strategies even after they suffer a data breach, according to a merchant survey that also found those merchants are more concerned with reputational damage from a breach than the actual loss of data.
The results – contained in the Kount Mobile Payments and Fraud Report – highlight the relative priorities of organisations that are increasingly coming under regulatory and legislative pressure to improve their breach detection, incident response and security capabilities.
New legislation such as Australia’s National Data Breach (NDB) scheme and the European Union’s General Data Protection Regulation (GDPR) has ratcheted up the pressure on Australian businesses to learn from their breach-detection exposure.
The more than 800 surveyed merchants were well aware of the damage a breach can cause – with consumers’ perception of weak security named by 44 percent of respondents and loss of personal data (20.4 percent), the causative link between breaches and fraud (15.6 percent) and loss of financial data (13.2 percent) all named as consequences – but there was a significant gap between understanding and practice.
Indeed, fully 68.4 percent of respondents to the Kount survey admitted they had made no changes to their fraud prevention practices even after their security was compromised. This means “they are leaving themselves open for recurring (and many times preventable) fraud attacks,” Kount vice president of marketing Don Bush said in a statement.
“It’s important that merchants not become complacent in their security efforts [and] research specific tools that can best protect their business without any negative impact to the customer experience.”
The importance of the customer-facing experience is also reflected in the ongoing vulnerabilities affecting the retail industry and its point-of-sale (POS) machines. Recent analysis in Trustwave’s Global Security Report 2017 found that 42 percent of all security incidents affected the retail and food/beverage industries.
Fully 31 percent of breaches were targeted at POS systems – nearly as high a proportion as the 43 percent hitting corporate and internal networks. POS systems’ share of attacks surged dramatically during 2016; this compared with the percentage of attacks against e-commerce targets, which dropped from 38 percent in 2015 to 26 percent of attacks in 2016.
Just as important as the distribution of breaches was the type of data that was targeted: fully 63 percent of breaches, for example, targeted payment card data (with PoSeidon malware found in 18 percent of Trustwave investigations and Alina in 13.5 percent). PoSeidon, in particular, was improved in 2016 with a privilege escalation exploit and a monitoring process that ensures the malware remains installed and running on infected systems.
North America’s slow progress towards use of chip-based EMV card security was blamed for a rise in that region’s share of security incidents, which increased from 45 percent in 2015 to 49 percent of incidents in 2016. By contrast, the percentage of compromises hitting the APAC region decreased over the same time, from 27 percent of breaches to just 21 percent.
This geographical shift, as well as the change in perceptions about e-commerce, dovetailed with the findings of the Kount survey about mobile commerce. Whereas previous surveys had found broad distrust of mobile commerce methods, this year saw a decline in the percentage of merchants that view mobile sales as riskier than traditional e-commerce – 8 percent this year versus 14 percent last year.
Even though fully 40 percent of merchants suggested they had seen an increase in mobile channel fraud, just 25 percent said using mobile apps for payments presents a higher risk than conventional Web-based e-commerce. As a corollary, 61 percent of merchants said they identify ‘safety’ with Apple devices compared to other brands such as Android (3.7 percent), Blackberry (3.7 percent), and Windows (1.4 percent).