COVID-19 has put a spotlight on ethical issues emerging from the increased use of AI applications and the potential for bias and discrimination.
A report from the Capgemini Research Institute found that in 2020 45% of organizations have defined an ethical charter to provide guidelines on AI development, up from 5% in 2019, as businesses recognize the importance of having defined standards across industries.
However, a lack of leadership in terms of how these systems are developed and used is coming at a high cost for organizations.
The report notes that while organizations are more ethically aware, progress in implementing ethical AI has been inconsistent. For example, the progress on “fairness” (65%) and “auditability” (45%) dimensions of ethical AI has been non-existent, while transparency has dropped from 73% to 59%, despite the fact that 58% of businesses say they have been building awareness amongst employees about issues that can result from the use of AI.
The research also reveals that 70% of customers want a clear explanation of results and expect organizations to provide AI interactions that are transparent and fair.
Ethical governance has become a prerequisite
The need for organizations to implement an ethical charter is also driven by increased regulatory frameworks. For example, the European Commission has issued guidelines on the key ethical principles that should be used for designing AI applications.
Meanwhile, guidelines issued by the FTC in early 2020 call for transparent AI, stating that when an AI-enabled system makes an adverse decision (such as declining credit for a customer), then the organization should show the affected consumer the key data points used in arriving at the decision and give them the right to change any incorrect information.
However, while globally 73% of organizations informed users about the ways in which AI decisions might affect them in 2019, today, this has dropped to 59%.
According to the report, this is indicative of current circumstances brought about by COVID-19, growing complexity of AI models, and a change in consumer behavior, which has disrupted the functionalities of the AI algorithms.
New factors, including a preference for safety, bulk buying, and a lack of training data for similar situations from the past, have meant that organizations are redesigning their systems to suit a new normal; however, this has led to less transparency.
Discriminatory bias with AI systems comes at a high cost for orgs
Many public and private institutions deployed a range of AI technologies during COVID-19 in an attempt to curtail the impacts wrought by the pandemic. As these continue, it is critical for organizations to uphold customer trust by furthering positive relationships between AI and consumers. However, reports show that datasets collected for healthcare and the public sector are subject to social and cultural bias.
This is not limited to just the public sector. The research found that 65% of executives said they were aware of the issue of discriminatory bias with AI systems. Further, close to 60% of organizations have attracted legal scrutiny and 22% have faced a customer backlash in the last two to three years because of decisions reached by AI systems.
In fact, 45% of customers noted they will share their negative experiences with family and friends and urge them not to engage with an organization, 39% will raise their concerns with the organization and demand an explanation, and 39% will switch from the AI channel to a higher-cost human interaction. 27% of consumers say they would cease dealing with the organization altogether.
Establish ownership of ethical issues – leaders must be accountable
Only 53% of organizations have a leader who is responsible for the ethics of AI systems at their organization, such as a Chief Ethics Officer. It is crucial to establish leadership at the top to ensure these issues receive due priority from top management and to create ethically robust AI systems.
In addition, leaders in business and technology functions must be fully accountable for the ethical outcomes of AI applications. Our research shows that only half said they had a confidential hotline or ombudsman to enable customers and employees to raise ethical issues with AI systems.
The report highlights seven key actions for organizations to build an ethically robust AI system, which need to be underpinned by a strong foundation of leadership, governance, and internal practices:
- Clearly outline the intended purpose of AI systems and assess their overall potential impact
- Proactively deploy AI for the benefit of society and environment
- Embed diversity and inclusion principles throughout the lifecycle of AI systems
- Enhance transparency with the help of technology tools
- Humanize the AI experience and ensure human oversight of AI systems
- Ensure technological robustness of AI systems
- Protect people’s individual privacy by empowering them and putting them in charge of AI interactions
Anne-Laure Thieullent, Artificial Intelligence and Analytics Group Offer Leader at Capgemini, explains, “Given its potential, it would be a disservice if the ethical use of AI is only limited to ensure no harm to users and customers. It should be a proactive pursuit of environmental good and social welfare.
“AI is a transformational technology with the power to bring about far-reaching developments across the business, as well as society and the environment. This means governmental and non-governmental organizations that possess the AI capabilities, wealth of data, and a purpose to work for the welfare of society and environment must take greater responsibility in tackling these issues to benefit societies now and in the future.”
QR codes are rising in popularity and use, according to a consumer sentiment study by MobileIron. Sixty-four percent of respondents stated that a QR code makes life easier in a touchless world – despite a majority of people lacking security on their mobile devices, with 51% of respondents stating they do not have or do not know if they have security software installed on their mobile devices.
Mobile devices have become even more important and ingrained in everyone’s lives during the COVID-19 pandemic, and 47% of respondents have noticed an increase in QR code use.
At the same time, employees are using mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work from anywhere.
Many employees are also using their mobile devices to scan QR codes in their everyday lives, putting themselves and enterprise resources at risk.
QR codes skyrocketed in popularity and use during the pandemic
- 84% of people have scanned a QR code before, with 32% most recently having scanned a QR code in the past week and 26% most recently having scanned a QR code in the past month.
- In the last six months, 38% of respondents have scanned a QR code at a restaurant, bar or café; 37% of respondents have scanned a QR code at a retailer; and 32% have scanned a QR code on a consumer product.
- 53% of respondents want to see QR codes used more broadly in the future.
- 43% of respondents plan to use a QR code as a payment method in the near future.
- 40% of people would vote using a QR code received in the mail, if it was an option.
Attackers are also capitalizing on security gaps during the pandemic and increasingly targeting mobile devices with sophisticated attacks. Mobile devices are appealing targets for hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information available. Plus, users are often distracted when on their mobile devices, making them more likely to fall victim to attacks.
“Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, Global VP of Solutions, MobileIron.
“I expect we’ll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”
QR codes pose significant risks to both end users and enterprises
- 71% of respondents cannot distinguish between a legitimate and malicious QR code, whereas 67% of those surveyed are able to distinguish between a legitimate and malicious URL.
- While 67% of respondents are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email; 20% believe scanning a QR code can start a phone call; and 24% believe scanning a QR code can initiate a text message.
- 51% of respondents have privacy, security, financial or other concerns about using QR codes, but still use them anyway; 34% have no concerns about using QR codes.
- 35% of respondents are unsure whether hackers can target victims using a QR code.
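The survey's point that a QR code can do more than open a URL can be made concrete with a scanner-side check. The sketch below is an added example, not code from MobileIron or the study: it takes the text already decoded from a QR code and reports which of the four actions named above it would trigger, plus a few warning cues for URLs. The function names, warning strings and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Schemes for the four actions named in the survey (URL, e-mail, call, text).
ACTIONS = {
    "http": "open_url", "https": "open_url",
    "mailto": "draft_email",
    "tel": "phone_call",
    "sms": "text_message", "smsto": "text_message",
}


def _result(action, target, warnings):
    return {"action": action, "target": target, "warnings": warnings}


def _url_warnings(parts):
    """Cues worth showing the user before a browser opens the link."""
    warnings = []
    host = parts.hostname or ""
    if parts.scheme == "http":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # "https://bank.example@other-host/" really goes to other-host.
        warnings.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host")
    try:
        ipaddress.ip_address(host)
        warnings.append("IP-literal host")
    except ValueError:
        pass
    return warnings


def classify_qr_payload(payload):
    """Describe what a decoded QR payload would do, without doing it."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()
    action = ACTIONS.get(scheme) if sep else None
    if action is None:
        return _result("unknown", text, [])
    if action == "open_url":
        try:
            parts = urlsplit(text)
            return _result(action, parts.hostname or "", _url_warnings(parts))
        except ValueError:
            return _result("unknown", text, ["malformed URL"])
    if action == "phone_call":
        return _result(action, unquote(rest), [])
    if scheme == "smsto":
        # De facto "SMSTO:<number>:<message>" layout used by QR generators.
        target, _, body = rest.partition(":")
    else:
        # mailto: and sms: carry a pre-filled message in the ?body= field.
        target, _, query = rest.partition("?")
        fields = {k.lower(): v for k, v in parse_qs(query).items()}
        body = fields.get("body", [""])[0]
    warnings = ["pre-filled message body"] if body else []
    return _result(action, unquote(target), warnings)


# Constructed sample payloads (reserved example domains and numbers).
SAMPLES = [
    "https://example.com/menu",
    "http://xn--exmple-cua.example/login",
    "https://login.example.com@203.0.113.7/reset",
    "MAILTO:billing@example.com?subject=Invoice&body=Please%20pay",
    "tel:+15555550100",
    "SMSTO:+15555550100:YES",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_payload(sample))
```

A scanner that shows this summary and waits for confirmation gives the user the same cues they already rely on for ordinary URLs.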
“Companies need to urgently rethink their security strategies to focus on mobile devices,” continued Mosher. “At the same time, they need to prioritize a seamless user experience. A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data, while maximizing productivity.
“Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes, even when a device is offline.”
Californians regularly opt out of companies selling their personal information, with “Do-not-sell” being the most common CCPA right exercised, happening nearly 50% of the time over access and deletion requests, DataGrail’s Mid-Year CCPA Trends Report shows.
Consumer rights under CCPA
The California Consumer Privacy Act gives California residents the right to:
- Know what personal data businesses have about them
- Know what businesses do with that information (to whom they sell it or disclose it)
- Access their personal data
- Refuse the sale of their personal data
- Request that a business deletes their personal data
Do-not-sell requests are almost 50% of all DSRs
When CCPA went into effect in January 2020, DataGrail saw people exercise their rights immediately, with a surge of data subject requests (DSRs) going across its platform in January 2020.
Since the initial surge, DSRs have stabilized around 13 DSRs per million records every month, which is a substantial rate and confirms that organizations need an established privacy program.
Consumers are accessing their data (21%), deleting their data (31%) and requiring that businesses do not sell their personal information (48%).
Gartner data shows that manually processing a single DSR costs on average $1,406. At this rate, organizations can expect to spend almost $240,000 per million records to fulfill DSRs – if they are done manually.
Additionally, organizations could be on the hook for more DSR requests from fines that will likely begin appearing in October, if CCPA follows the same timeline as GDPR.
According to the research, B2C companies should prepare to process approximately 170 total DSRs per one million consumer records each year.
DataGrail has also found that three of every ten DSRs will go unverified, confirming the need for a robust and scalable verification method to prevent fraud (i.e., detect fraudulent requests being made to steal personal data).
Access requests (DSARs) make up 70% of the unverified requests, validating the concern that nefarious characters could be submitting access requests to gain access to another person’s personal information.
A LexisNexis Risk Solutions report tracks global cybercrime activity from January 2020 through June 2020. The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.
The report analyzes data from more than 22.5 billion transactions processed, a 37% growth year over year. Mobile device transactions also continue to rise, with 66% of all transactions coming from mobile devices in the first half of 2020, up from 20% in early 2015.
There’s also an uptick in transactions from new devices and new digital identities. This is attributed to many new-to-digital consumers moving online to procure goods and services that were no longer available in person or harder to access via a physical store, during the pandemic.
Attacks by region
The EMEA region saw lower overall attack rates in comparison to most other global regions from January through June 2020. This is due to a high volume of trusted login transactions across relatively mature mobile apps.
The attack patterns in EMEA were also more benign and had less volatility and fewer spikes in attack rates. However, there are some notable exceptions. Desktop transactions conducted from EMEA had a higher attack rate than the global average and automated bot attack volume grew 45% year over year.
The UK originates the highest volume of human-initiated cyberattacks in EMEA, with Germany and France second and third in the region. The UK is also the second largest contributor to global bot attacks behind the U.S.
One example of a UK banking fraud network saw more than $17 million exposed to fraud across 10 financial services organizations. This network alone consisted of 7,800 devices, 5,200 email addresses and 1,000 telephone numbers.
Decline in attack rate
The overall human-initiated attack rate fell through the first half of 2020, showing a 33% decline year over year. The breakdown by sector shows a 23% decline in financial services and a 55% decline in e-commerce attack rates.
Latin America experienced the highest attack rates of all regions globally and realized consistent growth in attack rates from March to June 2020. The attack patterns in North America and EMEA had less volatility and fewer spikes in attack rates from the six-month period observed.
Attack vector global view
Media is the only industry that recorded an overall year over year growth in human-initiated cyberattacks. There was a 3% increase solely across mobile browser transactions.
Globally, automated bots remain a key attack vector in the Digital Identity Network. Financial services organizations experienced a surge in automated bot attacks and continue to experience more bot attacks than any other industry.
Across the customer journey
New account creations see attacks at a higher rate than any other transaction type in the online customer journey. However, the largest volume of attacks targets online payments. Login transactions have seen the biggest drop in attack rate in comparison to other use cases.
Analysis across new customer touchpoints in the online journey is included in this report for the first time, providing additional context on key points of risk such as money transfers and password resets.
All industries have felt the impact of COVID-19. There are clear peaks and troughs in transaction volumes coinciding with global lockdown periods.
Financial services organizations realized a growth in new-to-digital banking users, a changing geographical footprint from previously well-traveled consumers and a reduction in the number of devices used per customer. There have also been several attacks targeting banks offering COVID-19-related loans.
E-commerce merchants have seen an increase in digital payments and several other key attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing and more first-party chargeback fraud.
Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, said: “The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry.”
Video conferencing platform Zoom is finally offering all users the option to enable two-factor authentication (2FA) to secure their accounts against credential stuffing attacks and attacks leveraging phished login credentials.
How to enable Zoom 2FA on a Pro, Business, Education, or Enterprise account
Zoom gives the choice between two modes of delivery of the second authentication factor (a 6-digit code):
- Via a 2FA app that supports the Time-based One-Time Password (TOTP) protocol – e.g., Google Authenticator, Microsoft Authenticator, or FreeOTP
- Via SMS (text message)
Account owners/admins can enable the option at the account-level by:
1. Signing in to the Zoom Dashboard.
2. In the navigation menu, clicking Advanced, then Security.
3. Enabling the Sign in with Two-Factor Authentication option.
4. Specifying users to enable 2FA for:
   - All users in the account
   - Users with specific roles
   - Users belonging to specific groups
5. Clicking Save.
Once that’s done, they can inform the users about the option and provide instructions on how to take advantage of it.
As is usual with these things, once users set up the option, they are also provided with backup codes to use in case they misplace their phone, uninstall their 2FA app or remove Zoom from the 2FA app by mistake. If they lose those, there’s always the option to ask their admin to reset their 2FA setup.
How to enable Zoom 2FA on a (free) Basic account
Users who have opted for a Basic account can set up 2FA by:
- Signing in to their account via the Zoom web portal
- In the navigation menu, clicking Profile, then enabling Two-Factor Authentication by clicking Turn on
- Entering their password into the pop-up box
- Opting for one of the options and setting it up.
Once they’ve set up 2FA, they can make changes at the same “place” (the Profile tab).
Zoom and security
Since its popularity and user base skyrocketed in the wake of the Covid-19 pandemic, Zoom has been working on fixing many security and privacy issues.
More recently, Zoom Video Communications announced that it is working on providing end-to-end encryption (E2EE) to both paying Zoom customers and those with free (Basic) accounts.
Although consumers remain concerned about sharing personal data with companies, the results of a Privitar survey highlight an opportunity for businesses to take a leadership role and build brand loyalty by protecting their customers.
The report found that more than three-quarters of respondents are concerned or very concerned about protecting their personal data, with 42 percent of consumers saying they wouldn’t share sensitive data (e.g. name, address, email address, phone number, location information, health information, banking information, social security number) with a business for any reason.
As consumers grow increasingly apprehensive when it comes to their data, business success will depend on an organization’s ability to prioritize and successfully execute on privacy initiatives.
Disconnect between consumer sentiment and actions surrounding data protection
When it comes to the management of their data, many consumers aren’t fully aware of how brands are securing their personal information. According to the survey, 43 percent of consumers don’t know if they’ve worked with a business that has been impacted by a data breach.
When it comes to privacy notices, 28 percent admit to not reading privacy notices at all and 42 percent admitted to only skimming the text. These findings point to a growing sentiment that data privacy should be the responsibility of the business – not the customer. With this, businesses have a tremendous opportunity to make data privacy a differentiator and way to build long-term loyalty.
Pandemic creating more data sharing opportunities, still consumers are wary
Despite the growing advancements on the data protection front, 51 percent of consumers surveyed said they are still not comfortable sharing their personal information. One-third of respondents said they are most concerned about it being stolen in a breach, with another 26 percent worried about it being shared with a third party.
In the midst of the growing pandemic, COVID-19 tracking, tracing, containment and research depends on citizens opting in to share their personal data. However, the research shows that consumers are not interested in sharing their information.
When specifically asked about sharing healthcare data, only 27 percent would share health data for healthcare advancements and research. Another 21 percent of consumers surveyed would share health data for contact tracing purposes.
As data becomes more valuable to combat the pandemic, companies must provide consumers with more background and reasoning as to why they’re collecting data – and how they plan to protect it.
Upcoming U.S. elections driving consumer awareness of data privacy
As the debate grows louder across the nation, 73 percent of consumers think that there should be more government oversight at the federal and/or state/local levels. While legislation can take years to pass, it’s important for businesses to overhaul their technology and processes now to quickly address consumers’ concerns and keep business running.
Businesses must drive data privacy action
Companies rely on brand loyalty to keep their operations up and running. While often referring to affordable costs and personalization as a means to keeping business moving, many overlook the importance of instilling a more personal sense of trust within their customer base.
When working with a business, 40 percent of consumers think the brand’s trustworthiness is most important when it comes to brand loyalty and 31 percent say it’s the brand’s commitment to protecting their data.
Evenly matched up with the 30 percent of consumers who believe customer service matters most, the results prove that data protection is just as critical to keeping customers coming back for more.
However, broken trust and lost responsibility for protecting that data have severe consequences, with 24 percent saying they have either stopped doing business or done less business with a company after it was breached.
As markets grow increasingly competitive in a fluctuating economy, it’s critical for businesses to keep customer loyalty high – and as such, be more open and transparent with how they’re using personal data.
“The global COVID-19 pandemic has underscored the importance of the trust relationship companies and governments need to build with consumers in an increasingly digital world,” said Jason du Preez, CEO, Privitar.
“The results of the survey affirm the growing need for brands to focus on building and maintaining this trust, starting first and foremost with protecting customer data. As more businesses utilize the cloud to enable data driven insights, a firm commitment to data privacy will help to ensure long-term loyalty, consumer satisfaction and shareholder value.”
Fraudsters are decreasing their schemes against businesses, but increasing COVID-19 focused scams against consumers online, according to TransUnion.
Fraudsters targeting businesses less
The percent of suspected fraudulent digital transactions against businesses worldwide decreased 9% from the beginning of the pandemic (“phase 1,” March 11-May 18) to when businesses began reopening (“phase 2,” May 19-July 25). In contrast, consumers targeted by digital COVID-19 schemes increased 10% from the early days of the pandemic (week of April 13) to more recently (week of July 27).
“With the rush for businesses to go digital as many were forced to go completely online almost overnight, fraudsters tried to take advantage,” said Shai Cohen, senior vice president of Global Fraud Solutions at TransUnion.
“They were most likely unsuccessful in their attempts and took their scams elsewhere as those businesses ramped up their digital fraud prevention solutions while providing a friction-right consumer experience. Conversely with consumers, fraudsters are increasingly using COVID-19 to prey on those persons who are facing mounting financial pressures.”
In contrast to the recent suspected fraud decrease against businesses, when comparing phase 1 (March 11-May 18) to right before the pandemic (Jan. 1-March 10), there was a 6% rise in suspected digital fraud against businesses.
Fraudsters shifting industries
When comparing digital transactions pre-pandemic to during the pandemic (March 11-July 25), suspected fraud against businesses remained relatively flat, increasing 1%.
“It appears fraudsters assume travel & leisure companies are scrutinizing transactions less in order to capture more revenue as the pandemic continues to severely negatively impact their business,” said Melissa Gaddis, senior director of customer success, Global Fraud Solutions at TransUnion.
“Another interesting note is that telecommunications, e-commerce and financial services companies – all industries that have fared relatively well during the pandemic – were targeted with the most digital fraud early in the pandemic but are now among the least targeted. This shows us that fraudsters initially targeted the hottest industries with the most money to be had early in the pandemic in order to hide behind the rush of transactions but have now made an obvious shift.”
Globally across industries, the countries with the highest percentage of suspected fraudulent transactions were: 1) Kazakhstan, 2) Greece and 3) Cyprus. In the U.S. overall, the cities with the highest percent of suspected fraudulent transactions were: 1) Livonia, Mich. 2) Akron, Ohio and 3) Jackson, Miss.
Consumers targeted by COVID-19 schemes
To better understand the impacts of COVID-19 on consumers, 8,265 adults in Canada, Colombia, Hong Kong, South Africa, the U.K. and the U.S. were surveyed the week of July 27.
32% of respondents said they had been targeted by digital fraud related to COVID-19, with Gen Z (age 18-25) being the most targeted at 36%. Among consumers reporting being targeted with digital COVID-19 schemes globally, the top pandemic-themed scam is phishing with 27% saying they were hit with it.
Despite the survey showing Baby Boomers were the generation least targeted with digital COVID-19 scams, among consumers reporting being targeted they were the age group saying they faced the highest percentage of COVID-19 themed phishing scams.
“Phishing shows fraudsters aren’t after a quick hit, but rather looking for the long haul,” said Gaddis. “Once a fraudster steals consumer credentials, the wave of disruption they can cause with a stolen or synthetic identity is endless from compromising multiple online accounts to significantly impacting credit scores.”
54 percent of Americans have opted for virtual visits during pandemic, a CynergisTek survey reveals. Of those, more than 70 percent of respondents plan to continue to use telemedicine post-pandemic.
However, healthcare providers should note that privacy and protection of sensitive health data was a major concern for telemedicine users and breaches could prompt patients to switch doctors.
“The rapid growth of telehealth has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” said Caleb Barlow, president and CEO of CynergisTek.
“However, major vulnerabilities are emerging around privacy and security standards for video conferencing and messaging apps when used for telehealth (such as consumer technologies like Zoom), which can be easily infiltrated – providing hackers with additional opportunities to breach highly-sensitive information.”
Delaying in-person visits, spurring rise of telehealth
During the pandemic, 56 percent of Americans have considered postponing non-emergency medical appointments until the COVID-19 pandemic ends. When put in a hypothetical situation where they would need medical care during the pandemic, the types of appointments Americans are postponing include:
- Vaccines: 25 percent of Americans would postpone annual vaccines such as a flu shot until the pandemic was resolved.
- Annual physicals: Nearly 40 percent are considering postponing physical exams for adults and child wellness exams.
- Dental and vision exams: 45 percent of consumers said they would postpone their dental/orthodontics check-up amid the COVID-19 pandemic, followed by 43 percent postponing an eye exam.
- Elective cosmetic procedures: More than 40 percent report considering putting off elective cosmetic services and surgeries (e.g. Botox, breast augmentation, etc.).
- Elective surgery: 35 percent report considering pushing out surgeries like hip and knee replacements until after the pandemic.
As Americans weigh their comfort level on what medical services require in-person visits with a physician or healthcare provider, telehealth options have skyrocketed as a popular alternative, providing convenience and access at a time when many are canceling appointments out of an abundance of caution.
According to the survey, while 39 percent of Americans opted for in-person visits, more than 54 percent of respondents opted for telehealth options with phone consultations and video visits being the two most popular. When examining consumers’ willingness to use telehealth post COVID-19, the survey found:
- Of those who have used telehealth options during the COVID-19 pandemic, 73 percent report they will continue virtual visits after the pandemic passes.
- 79 percent of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67 percent of females.
- Millennials are statistically more likely than any other generation to continue using telehealth options after the pandemic has passed (81 percent), followed by Gen X (79 percent).
- In a hypothetical situation where they needed medical care, 25 percent of Americans would not consider using a telehealth solution for any of the appointment or procedure types presented – this number is significantly higher among Baby Boomers (41 percent) and the Silent Generation (59 percent).
Embracing telehealth and balancing security needs to protect patients
While urgent visits require in-person consultation, Americans are looking to telehealth to fill in the gap for more routine types of care.
In a hypothetical situation where they’d need medical care or advice, nearly 30 percent of respondents would also look to telehealth for chronic care check-ups (29 percent) or annual physical and children’s wellness exams (27 percent).
While patients are embracing telehealth, providers must prioritize security when rolling out phone and virtual services or else they risk potential breaches of sensitive patient data.
A recent report found an increase in nefarious attacks targeting video conferencing tools like Zoom, reinforcing the need for healthcare providers to reassess their security posture and fortify their defenses to reflect this new reality or risk losing their patients’ trust and business.
48 percent of respondents said they would be unlikely to use telehealth solutions again if their personal health data was hacked due to a telemedicine-related breach.
- Women are less likely than men to use telehealth solutions again if their health information was involved in a telemedicine-related breach (54 percent of women vs. 41 percent of men).
- Baby Boomers and the Silent Generation are the two groups most unlikely to return to telehealth solutions if their data was involved in a telehealth-related breach (62 and 65 percent respectively).
“We find ourselves in a very unique scenario, where consumers had to almost accept telehealth overnight,” said Russ Branzell, CEO of the College of Healthcare Information Management Executives.
“The progress has been amazing to see in creating easier access to care while reducing the burden on both providers and patients. However, we must remain vigilant in our efforts to protect and secure telehealth and other digital health technologies.
“With the opportunities of digital health also come inherent security risks – but digital health’s risks are manageable. It is important for healthcare providers to take data privacy and security seriously in order to ensure that digital health platforms like telehealth remain an essential part of the future of patient care.”
“We appreciate that this is a new development and healthcare providers are balancing all the new demands the pandemic has created,” said David Finn, Executive Vice President of Strategic Innovation of CynergisTek.
“However, the first step is to assess how the data is encrypted and who is authorized to access this data. From there, IT teams should work closely with leadership to fill in the security gaps on telehealth solutions that protect patients while also providing the convenience.”
Based on responses from 1,000 U.S. cardholders who are familiar with contactless credit/debit card or “tap and pay” technology, a new Entrust Datacard survey reveals that 75% of U.S.-based payment cardholders prefer contactless cards as their primary payment method over chip insert, card swipe, mobile pay and cash.
Contactless cards are here to stay
According to the survey’s results, 83% of respondents believe contactless cards are here to stay and 61% believe it’s at least somewhat of a priority to have a contactless feature on their credit or debit card. This prioritization is most prominent among Gen Z, Millennials and Gen X when compared to Baby Boomers.
In fact, 20% of Boomers reported they never use the contactless payment feature on their debit or credit card when making a purchase while this percentage is less than 10% for each of the other respective generations.
However, while contactless cards are gaining momentum with many in the U.S., the majority of consumers are still unaware of their card replacement options should they not have a contactless chip, or the card is lost or stolen.
Time for banks to educate their customers
With respondents citing sanitation (70%) and speed (67%) as benefits of contactless cards, now is the opportune time for banks to educate their customers on the benefits of replacing their card with a contactless card from their bank.
“As many Americans deal with financial setbacks and heightened concerns around health and safety in the face of COVID-19, the value we are placing on contactless payments has increased markedly,” said Tony Ball, senior vice president for instant payment card issuance at Entrust Datacard.
“Consumers want the ability to shop at their convenience, but also want to minimize personal contact with point of sale devices. Contactless cards are rising in popularity as a result.”
For faster card replacement, visiting a branch is best
Out of the 71% of respondents who reported losing their payment card, 84% notified their bank via phone while only 22% visited a physical bank branch in hopes of getting a replacement card right away.
73% of respondents who notified the bank by phone had to wait 1-7 days for a new card to be delivered by mail. By contrast, 58% of respondents who notified the bank at the branch got a new card instantly.
Instant payment card issuance unawareness
Despite contactless cards growing in popularity, many consumers are unaware of whether or not their banks or credit unions offer instant issuance or replacement of contactless debit or credit cards.
According to the results, 64% of respondents said their banks offer instant card issuance and 63% said they offer instant replacement, yet around one-fourth were unsure whether their bank offered these options (27% and 24%, respectively), suggesting both an education and marketing opportunity for banks on card issuance solutions.
Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.
“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.
“Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”
To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. were surveyed between June 30 and July 6, 2020.
The survey asked consumers whether they had been targeted by digital COVID-19 fraud and, if so, which digital fraud scheme(s) related to COVID-19 they were targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19 with the below being the top types of COVID-19 fraud they faced:
Top global online COVID-19 scams targeting consumers
Online COVID-19 scams targeting consumers by country
“Although the schemes may vary by country, a new approach to identity verification that supplements traditional authentication methods is needed to defend against their impact,” said Cohen. “The key is creating a friction-right experience where consumers are confident they are dealing with a legitimate organization or business.”
Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.
The importance of home routers for IoT botnets
There has been a recent spike in attacks targeting and leveraging routers, particularly around Q4 2019. This research indicates increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.
“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” said Jon Clay, director of global threat communications for Trend Micro.
“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”
Brute force log-in attempts against routers increasing
The research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations.
The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.
Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. Because telnet is unencrypted, it’s favored by attackers – or their botnets – as a way to probe for user credentials.
At its peak, in mid-March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.
Cybercriminals are competing with each other
This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch DDoS attacks, or as a way to anonymize other attacks such as click fraud, data theft and account takeover.
Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.
For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.
As explained in the report, there’s a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.
Recommendations for home users
- Make sure you use a strong password. Change it from time to time.
- Make sure the router is running the latest firmware.
- Check logs to find behavior that doesn’t make sense for the network.
- Only allow logins to the router from the local network.
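The log check recommended above, sketched as an added example (not Trend Micro's code): it flags repeated failed logins from one source, logins from outside the local network, and a LAN device opening telnet sessions to several hosts. The key=value log format, field names, thresholds and addresses are assumptions constructed for the example; real router logs vary by vendor.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp kind key=value ..." format.
SAMPLE_LOG = """\
2020-03-14T02:11:01 auth result=fail user=admin src=198.51.100.23 svc=http
2020-03-14T02:11:02 auth result=fail user=root src=198.51.100.23 svc=telnet
2020-03-14T02:11:03 auth result=fail user=admin src=198.51.100.23 svc=telnet
2020-03-14T02:11:05 auth result=fail user=user src=198.51.100.23 svc=telnet
2020-03-14T02:11:08 auth result=fail user=support src=198.51.100.23 svc=telnet
2020-03-14T07:30:12 auth result=fail user=admin src=192.168.1.10 svc=http
2020-03-14T07:30:40 auth result=ok user=admin src=192.168.1.10 svc=http
2020-03-14T09:02:00 auth result=ok user=admin src=203.0.113.77 svc=http
2020-03-14T09:10:00 conn src=192.168.1.20 dst=192.0.2.10 dport=443
2020-03-14T09:10:01 conn src=192.168.1.77 dst=192.168.1.20 dport=23
2020-03-14T09:10:02 conn src=192.168.1.77 dst=192.168.1.30 dport=23
2020-03-14T09:10:03 conn src=192.168.1.77 dst=192.0.2.44 dport=23
firmware: unrelated line that the parser skips
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|conn) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for an auth/conn line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    try:
        fields["ts"] = datetime.fromisoformat(m["ts"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
    except (KeyError, ValueError):
        return None
    fields["kind"] = m["kind"]
    return fields


def triage(log_text, lan="192.168.1.0/24", fail_threshold=5,
           window=timedelta(seconds=60), telnet_fanout=3):
    """Return sorted (finding, source) pairs for behavior that does not fit a home LAN."""
    lan_net = ipaddress.ip_network(lan)
    recent_fails = defaultdict(deque)   # source -> timestamps of recent failed logins
    telnet_peers = defaultdict(set)     # LAN source -> distinct telnet destinations
    findings = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["kind"] == "auth":
            # Router logins should only ever come from the local network.
            if ev["src_ip"] not in lan_net:
                findings.add(("remote-login-" + ev.get("result", "unknown"), src))
            if ev.get("result") == "fail":
                q = recent_fails[src]
                q.append(ev["ts"])
                while ev["ts"] - q[0] > window:   # keep only failures inside the window
                    q.popleft()
                if len(q) >= fail_threshold:
                    findings.add(("brute-force", src))
        elif ev.get("dport") == "23" and ev["src_ip"] in lan_net:
            # A LAN device opening telnet to many hosts looks like bot propagation.
            telnet_peers[src].add(ev.get("dst"))
            if len(telnet_peers[src]) >= telnet_fanout:
                findings.add(("telnet-scan", src))
    return sorted(findings)


if __name__ == "__main__":
    for finding, source in triage(SAMPLE_LOG):
        print(f"{finding:20} {source}")
```

A single mistyped password from a LAN host (192.168.1.10 in the sample) produces no finding, while a successful login from an outside address is reported even without any failures before it.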
The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.
Global brands fail to implement security controls
As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.
In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.
Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.
This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.
Websites expose data to an average of 17 domains
Despite increasing numbers of high-profile breaches, forms, found on 92% of websites, expose data to an average of 17 domains. This data includes PII, credentials, card transactions, and medical records.
While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.
Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
No attack is more widespread than XSS
Standards-based security controls exist that can prevent these attacks. They are infrequently applied.
Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:
- Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
- 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
- Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.
Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.
Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.
Research looks at how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.
“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.
“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”
Fake reviews aid decision making
A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.
Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.
“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”
Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that they are potentially fraudulent.
This study used large-scale data from Yelp to conduct experiments to measure trust and found that 80% of the users in the survey agree they trust a review platform more if it displays fake review information, because businesses are less likely to write fraudulent reviews on these platforms.
Transparency over censorship
Meanwhile, 85% of users in the survey believe they should have a choice in viewing truthful and fraudulent information and that platforms should leave it to consumers to decide whether they use fraudulent review information in determining the quality of a business.
The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguished and displayed fraudulent reviews from nonfraudulent reviews, as compared to the more common practice of censoring suspected fraudulent reviews.
“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.
When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.
A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.
40% of consumers hold business leaders personally responsible for ransomware attacks businesses suffer, according to research from Veritas Technologies.
Furthermore, research shows the public often wants restitution from businesses that fall foul of ransomware – with 65% of respondents wanting compensation, and 9% even wanting to send the CEO to prison.
Simon Jelley, vice president of product management at Veritas Technologies, said: “As consumers, we are increasingly well-educated about ransomware, so we’re unforgiving of businesses that don’t take it as seriously as we do ourselves.
“The two most essential things that businesses should have in place, according to their customers, are protection software (79%) and backup copies of their data (62%). Now, it seems, if businesses don’t get these basics right, consumers are ready to punish their leadership.”
Paying and not paying ransoms
The research, covering six countries and 12,000 consumers, also appears to show a paradox when it comes to paying ransoms. 71% of people want companies to stand up to cyber-bullies and refuse paying ransoms to get data back.
However, when the issue becomes more personal, with a direct threat to their own data, many people change their minds and want the businesses they buy from to negotiate. When it comes to financial data, 55% of respondents want suppliers to pay the ransom to facilitate the return of records.
Jelley said: “It may seem that businesses are in an impossible situation with consumers telling them both to pay – and not to pay – ransoms. However, what we, as customers, are really saying is that we want businesses to escape the dilemma by avoiding the situation in the first place.
“Consumers expect businesses to have the technology in place to restore their data without negotiating. That’s the win-win solution and, considering the likely brand damage and loss of customers that come with failing to put this into practice, the risk is simply too big for companies not to have this aspect of their systems in place.”
In fact, the study shows how some consumers quickly lose patience with companies that risk data through ransomware attacks. 44% of consumers would stop buying from a company that had been the victim of such a crime.
Patterns that emerge from country to country
- In China, people have the highest tendency to change their minds on negotiating with cybercriminals, when it’s their own critical information. While 80% of respondents believe businesses shouldn’t negotiate in general, when it becomes a personal issue of recovering their own data, that number drops sharply to just 16%.
- Brits have the strongest feelings about standing up to cyberbullying demands, with 81% believing businesses should not negotiate with criminals.
- The French seem to be the most forgiving respondents from surveyed countries, with 24% wanting to blame company heads, 55% believing only criminals can be blamed for ransomware attacks, and only 36% considering dropping a company’s services after an attack.
- Inversely, the Japanese and Chinese are the least forgiving, with 49% and 51% dropping company services after an attack, and China looking to blame business heads directly (66%).
- Germans are most vociferous about harsh punishment for leaders following an attack, with 29% of those who blame the leaders seeking a prison sentence.
- In contrast, in the United States, the most common attitude for those blaming leaders is to seek fines as punishment (41%).
A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.
UPnP is a set of networking protocols that allows networked devices to automatically discover and interact with each other when on the same network.
UPnP is intended primarily for residential and SOHO wireless networks. It is designed to be used in a trusted local area network (LAN) and so the protocol does not implement any form of authentication or verification. That’s one of the reasons why some UPnP devices are shipped with the protocol turned off by default and it’s on administrators to enable it, if needed.
The development of the UPnP protocol is managed by the Open Connectivity Foundation (OCF), a standards organization whose goal is to promote the interoperability of connected devices.
About the vulnerability (CVE-2020-12695)
CVE-2020-12695 (aka “CallStranger”) was discovered by security researcher Yunus Çadırcı and privately reported to the OCF in late 2019.
“The vulnerability (…) is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.
In short, the vulnerability can be used to bypass DLP and network security devices to exfiltrate data, scan internal ports, and force millions of Internet-facing UPnP devices to become a source of amplified reflected TCP DDoS.
The Open Connectivity Foundation fixed the vulnerability and updated the UPnP specification on April 17, 2020. They also contacted some affected vendors (those included in Çadırcı’s report).
A Shodan search shows that there are around 5.5 million Internet-facing devices with UPnP enabled.
Among the confirmed vulnerable devices are computers running Windows 10, Xbox One, Belkin WeMo home automation devices, printers manufactured by Canon, HP and Epson, Samsung smart TVs, routers and modems manufactured by Broadcom, Cisco, D-Link, Huawei, Zyxel, and more.
CMU’s Software Engineering Institute has also published a vulnerability note for CVE-2020-12695 and will be updating it to list affected devices and links to available patches. They’ve also noted that, in general, making UPnP available over the Internet should be avoided.
“Device manufacturers are urged to disable the UPnP SUBSCRIBE capability in their default configuration and to require users to explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network,” they advised.
“Vendors are urged to implement the updated specification provided by the OCF. Users should monitor vendor support channels for updates that implement the new SUBSCRIBE specification.”
Çadırcı noted that because CallStranger is a protocol vulnerability, it may take a long time for vendors to provide patches.
“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source,” he added.
He advised enterprises to check whether devices they use are vulnerable and provided a script that can help them do that, as well as laid out several mitigation actions they can perform.
“We see data exfiltration as the biggest risk of CallStranger. Checking logs is critical if any threat actor used this in the past,” he noted. “Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet-exposed UPnP devices so we don’t expect to see port scanning from Internet to Intranet but Intranet to Intranet may be an issue.”
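A defensive check for the Callback problem described above, as an added example; it is not Çadırcı's script or the OCF specification text. It parses captured SUBSCRIBE requests and flags Callback URLs that point outside a trusted LAN or at a host other than the subscriber. The policy, the function names, the event path and all addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def make_request(extra_headers):
    """Build a constructed SUBSCRIBE request (UPnP eventing uses HTTP-style headers)."""
    return ("SUBSCRIBE /event/sample HTTP/1.1\r\n"
            "HOST: 192.168.1.1:49152\r\n"
            + extra_headers +
            "TIMEOUT: Second-1800\r\n\r\n")


# (source IP seen by the device, raw request) pairs; every value is constructed.
CAPTURED = [
    ("192.168.1.50", make_request("CALLBACK: <http://192.168.1.50:5000/notify>\r\nNT: upnp:event\r\n")),
    ("192.168.1.60", make_request("CALLBACK: <http://203.0.113.9:80/x>\r\nNT: upnp:event\r\n")),
    ("192.168.1.61", make_request("Callback: <http://192.168.1.1:8080/> "
                                  "<http://192.168.1.61:5000/n>\r\nNT: upnp:event\r\n")),
    ("192.168.1.62", make_request("CALLBACK: <http://collector.example/in>\r\nNT: upnp:event\r\n")),
    ("192.168.1.50", make_request("SID: uuid:constructed-0001\r\n")),  # renewal, no Callback
    ("192.168.1.70", "GET /desc.xml HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n\r\n"),
]


def parse_subscribe(raw):
    """Return path, headers and Callback URLs of a SUBSCRIBE request, else None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0].upper() != "SUBSCRIBE":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    # The Callback header carries one or more URLs, each wrapped in angle brackets.
    callbacks = re.findall(r"<([^<>]*)>", headers.get("callback", ""))
    return {"path": parts[1], "headers": headers, "callbacks": callbacks}


def judge_callback(url, source_ip, trusted_net):
    """Return None if the URL fits the assumed policy, else a short reason string."""
    try:
        parts = urlsplit(url)
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "unverifiable-host"          # hostname or malformed URL: cannot be checked offline
    if parts.scheme.lower() != "http":
        return "bad-scheme"
    if host not in trusted_net:
        return "outside-trusted-lan"        # event data would leave the trusted network
    if host != ipaddress.ip_address(source_ip):
        return "differs-from-subscriber"    # device would connect to a third host on the LAN
    return None


def review(captured, trusted_lan="192.168.1.0/24"):
    """Return (source_ip, callback_url, reason) for every Callback URL that fails the policy."""
    net = ipaddress.ip_network(trusted_lan)
    findings = []
    for source_ip, raw in captured:
        req = parse_subscribe(raw)
        if req is None:
            continue                        # not a SUBSCRIBE request
        for url in req["callbacks"]:
            reason = judge_callback(url, source_ip, net)
            if reason:
                findings.append((source_ip, url, reason))
    return findings


if __name__ == "__main__":
    for source_ip, url, reason in review(CAPTURED):
        print(f"{source_ip:15} {reason:24} {url}")
```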
The combined consumer and enterprise WLAN market segments rose 2.3% year over year in the first quarter of 2020 (1Q20), according to IDC. The enterprise segment fell 2.2% year over year in 1Q20 with $1.3 billion in revenue.
The impact of COVID-19
The first quarter of 2020 began showing the impact of the COVID-19 global pandemic on the enterprise WLAN market. The novel coronavirus began spreading in China early in the quarter then expanded into Europe and North America later in the quarter. The subsequent lockdown of economies represented a headwind for the enterprise WLAN market.
A driver for the enterprise WLAN market is the new Wi-Fi 6 standard, also known as 802.11ax. Across the enterprise market, Wi-Fi 6-supported dependent access points (APs) made up 11.8% of unit shipments and 21.8% of revenues. The previous generation standard, 802.11ac, still made up the majority of shipments (80.9%) and revenues (76.2%).
Meanwhile, the consumer WLAN market grew 5.5% year over year in 1Q20. Within the consumer market, 62.5% of shipments and 79.4% of revenues were for 802.11ac products. APs supporting the older 802.11n standard still made up 36.9% of unit shipments and 17.6% of revenues, not surprising given the price sensitivity seen across many emerging markets.
“Wireless connectivity remains an important technology for organizations around the world as more users and devices than ever rely on mobile devices to connect to bandwidth-intensive applications,” said Brandon Butler, senior research analyst, Network Infrastructure at IDC.
“The WLAN market is not immune to the impacts from the pandemic that has been sweeping across the world over the last few months. Results from the market’s first quarter of 2020 show the early effect of the pandemic and subsequent lockdown, which will continue to impact the market into the second quarter of 2020.”
The geographic perspective
From a geographic perspective, the WLAN market saw strong growth in the Middle East and Africa region, which increased 8.4% year over year in 1Q20. The United Arab Emirates was up 12.0% and Turkey’s market grew 15.7%. North American markets fared well in the quarter too: The USA market grew 6.9% in 1Q20 while the Canadian enterprise WLAN market was up 10.6% in 1Q20.
The market in the People’s Republic of China declined in 1Q20 by a significant 23.0%. The broader Asia/Pacific region, excluding Japan and China, was off 10.6%, with India declining 13.6% and Australia down 15.6%. Japan’s market fell 2.8%.
European markets had mixed results, with Central and Eastern Europe up 1.8% year over year, driven by Russia’s enterprise WLAN market growing 6.0% and Poland increasing 6.6%. Western Europe was off 6.2% with declines in the United Kingdom (-3.9%), Germany (-7.7%), and France (-9.8%).
“The enterprise WLAN market saw mixed results across geographies, based largely on the spread of the COVID-19 pandemic,” noted Petr Jirovsky, research director, Worldwide Networking Trackers.
“The pandemic initially hit Asian countries, which resulted in many regional economies slowing investments in WLAN technology. Given the pandemic has now spread across the rest of the world, IDC expects impacts on the enterprise WLAN market to continue into the second quarter of 2020.”
Key enterprise WLAN vendor updates
- Cisco’s enterprise WLAN revenues decreased 6.7% year over year in 1Q20 to $611 million. Cisco remains the market share leader, finishing the quarter with 45.7% share, up from 44.6% for the full year 2019.
- HPE-Aruba revenues rose 14.2% year over year in 1Q20. The company’s market share increased from 13.8% for the full year 2019 to 14.4% in 1Q20.
- Ubiquiti saw its enterprise WLAN revenues rise 24.8% year over year. The company’s market share stood at 9.5% in 1Q20, up from 7.0% for the full year 2019.
- CommScope (formerly ARRIS/Ruckus) revenues declined in 1Q20 by 4.7% year over year. The company held 5.2% market share in 1Q20.
- Huawei’s revenues declined 15.0% year over year in 1Q20; its market share stood at 3.8% to end the quarter.
When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts.
Not yet, at least.
A team of researchers in Carnegie Mellon University’s CyLab have developed a prototype IoT security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.
The team also developed an IoT label generator for manufacturers to use to easily create labels for their devices.
“Survey results show that the vast majority of people are concerned about the security and privacy practices of devices, so we need to provide them with this information,” says CyLab’s Pardis Emami-Naeini, the study’s lead author and a recent Ph.D. recipient in Societal Computing in the School of Computer Science.
“The display of this information should be concise and understandable, akin to a nutrition label on food products.”
A recent survey conducted by the Economist Intelligence Unit found that 89 percent of participants are uncomfortable with their personal data being shared with third parties without consent. Ninety-two percent of participants said they think it is important to inform consumers when personal data is being collected.
“Despite these concerns, people cannot find information about the privacy and security practices of devices at the moment of purchase,” says Emami-Naeini.
How does the IoT security label work?
The team’s label consists of a primary layer meant to be displayed on the outside of a device’s box, which conveys the most important information such as the type(s) of data the device collects, for what purpose, and with whom the data is shared.
By scanning a QR code on the primary layer, consumers have access to a secondary layer of the label online that contains additional information such as how long the device retains data, and how often it is shared. Combined, both layers display 47 different pieces of information about a device’s security and privacy practices.
Serving as a backdrop to the development of an IoT security label, privacy regulations are calling for more transparency in how consumer data is collected and used. The Cyber Shield Act hopes to create a set of standards for IoT devices and then give labels to products that meet those standards. Similar efforts are moving forward internationally in the United Kingdom, Finland, and Singapore.
At the end of 2019 there were 7.6 billion active IoT devices, a figure which will grow to 24.1 billion in 2030, a CAGR of 11%, according to research published by Transforma Insights.
Short range technologies, such as Wi-Fi, Bluetooth and Zigbee, will dominate connections, accounting for 72% in 2030, largely unchanged compared to the 74% they account for today.
Public networks growth
Public networks, which are dominated by cellular networks, will grow from 1.2 billion connections to 4.7 billion in 2030, growing market share from 16% to 20%. Private networks account for the balance of connections, 10% in 2019 and 8% in 2030.
In revenue terms, the total IoT market in 2019 was worth $465 billion, a figure which will rise to $1.5 trillion in 2030. Services, including connectivity, will account for 66% of spend, with the remainder accounted for by hardware, in the form of active IoT devices, modules and gateways.
The consumer sector to dominate in terms of connected devices and finance
The consumer sector will dominate in terms of connected devices, accounting for 65% of all connections, up from 62% in 2019. Of the enterprise segment in 2030, 34% of devices will be accounted for by ‘cross-vertical’ use cases such as generic track-and-trace, office equipment and fleet vehicles, 31% by utilities, most prominently smart meters, 5% by transport and logistics, 4% by government, 4% for agriculture, and 3% each for financial services and retail/wholesale.
The single biggest use case is Consumer Internet & Media devices, accounting for 1/3 of all devices in 2030. The next largest is Smart Grid, including smart meters, representing 14% of connections. Connected Vehicles, dominated by connected cars, is the third biggest category, representing 7% of the global installed base.
In financial terms, the biggest vertical sector is consumer, generating $652 billion in revenue, or 43% of the total market value. Cross-vertical applications account for 24%. The remaining 33% is sector-specific applications across sectors such as energy, transport, retail and healthcare.
“One of the benefits of building a highly granular set of forecasts is that we can uncover striking trends, such as the huge $500 billion revenue opportunity associated with a diverse range of niche vertical-specific applications,” said Transforma Insights Founding Partner Matt Hatton.
Geographically, China, North America and Europe dominate, accounting for 26%, 24% and 23% respectively of the total value of the IoT market in 2030.
A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals.
As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.
Do you use a password manager?
The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two to five passwords they reuse across accounts; and 4 percent use a single password across all accounts.
Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook. If you’re a security leader and your organization is still not using a password manager, find out how to evaluate a password management solution for business purposes.
“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO.
“Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”
A forgotten password can affect online purchases
The study shows that consumers struggle with maintaining their current passwords as 28 percent reported abandoning an online purchase because they forgot login information, and 26 percent reported being unable to check an account balance.
Forgotten usernames and passwords even affect new account openings: 13 percent said that it has stopped them from opening a new account with an existing provider.
This is a notable trend as consumers are more willing than ever to do business digitally. The study found that the majority of respondents would open a checking (52 percent) or mobile phone (64 percent) account online, while an overwhelming majority of respondents (82 percent) said they would open a credit card account online.
Consumers trusting physical and behavioral biometrics
However, while there is significant room to improve how consumers protect their login credentials, the survey also found that Americans are becoming more trusting of using physical and behavioral biometrics to secure their financial accounts.
The survey found that 78 percent of respondents said they would be happy for their bank to analyze behavioral biometrics – such as how you type – for security and 65 percent are happy to provide biometrics to their bank; while 60 percent are open to using fingerprint scans to secure their accounts.
Additionally, when logging into their mobile banking apps, respondents are now considering alternative security measures beyond the traditional username and password. The five most widely used security alternatives are:
- One-time passcode via SMS (53 percent)
- One-time passcode via email (43 percent)
- Fingerprint scan (39 percent)
- Facial scan (24 percent)
- One-time passcode delivered and spoken to mobile phone (23 percent)
“Digital services are currently playing a critical role in daily life. It is a good time to evaluate how we protect ourselves and our information online,” said Lasher.
“Customers have been happy to adopt security such as one-time passcodes, and are now showing that they are willing to adopt additional options, such as biometrics, to protect their accounts.
“There are no magic bullets and the ability to layer and deploy multiple authentication methods appropriate to each occasion is key. Financial services organizations and consumers need to continue to keep security best practices top of mind to help combat fraudsters now and in the future.”
With a growing portion of consumers having now fallen victim to card fraud, anxiety about the security of our digital accounts is spiking, according to a survey by Marqeta.
The survey talked to 4,000 consumers across the United States and the United Kingdom about consumer attitudes toward card fraud in an increasingly digital economy.
According to the survey, card fraud has had a pervasive, repeat impact on a large number of American and UK consumers, an issue of skyrocketing importance with the digital economy providing a crucial lifeline to the many millions of people currently sheltering-in-place:
- 46 percent of US consumers surveyed had fallen victim to card fraud in the past, with 20 percent of consumers hit inside the last 12 months.
- A sizable portion of US consumers had been repeated prey for fraudsters: 16 percent had been impacted twice, while 10 percent were hit three (or more) times.
- Each fraudulent transaction had a sizable average ticket price: 33 percent of Americans who were victims said more than $500 was charged to their accounts.
Consumers prefer digital security over convenience
Although card fraud is increasingly common, consumers were reluctant to accept it as a fair cost of their increasingly online existences: 69 percent said the stress of card fraud wasn’t a fair trade-off for digital conveniences, while 59 percent said that they didn’t see it as a built-in part of the modern economy.
An overwhelming majority of people surveyed – 87 percent – said they would be happy for online transactions to take longer to complete if their information was better protected.
“Our new survey shows that being a victim of fraud is not an unusual experience for consumers today. There’s an almost fifty-fifty chance you have been impacted, with a growing number of people hit multiple times. With consumers forced to do business almost entirely online throughout COVID-19 quarantines, we are all even more vulnerable.
“Consumers are putting financial services providers on watch. They don’t see convenience at the point of sale as being worth it if they’re not being protected,” said Vidya Peters, CMO at Marqeta.
Card fraud causing growing concerns
The growing threat of card fraud, with people either impacted or likely knowing someone who has, is becoming a major point of anxiety for consumers: 55 percent of US consumers said they worried regularly about card fraud, with 21 percent of people saying they worried about security every time they entered their details online.
Despite this, consumers admitted to complacency, which plays a big part in giving fraudsters the jump. More than half of all fraudulent transactions (52 percent) reported in the survey took place within half an hour of a card going missing, but less than a third of consumers (29 percent) said they noticed immediately when their card was stolen, and less than half (42 percent) canceled their cards right away. Fifty-two percent of consumers surveyed said that they could do a better job in protecting their card information.
“There’s a real catch-22 inherent in consumer behavior today, that presents an opportunity for banking and payments innovators. There’s a rising tide of anxiety about being a victim of card fraud, but yet a complacency and lack of awareness of how to protect yourself,” Peters continued.
“Given the new possibilities brought about by modern card issuing platforms today, there’s a chance to create digital-first product experiences that consumers love while providing the strongest fraud prevention controls possible.”
The device people use to communicate online – a smartphone, desktop, or tablet – can affect the extent to which they are willing to overshare intimate or personal information about themselves, according to University of Pennsylvania researchers.
Do smartphones alter what people are willing to disclose about themselves?
A study suggests that they might.
The research indicates that people are more willing to reveal personal information about themselves online using their smartphones compared to desktop computers. For example, Tweets and reviews composed on smartphones are more likely to be written from the perspective of the first person, to disclose negative emotions, and to discuss the writer’s private family and personal friends.
Likewise, when consumers receive an online ad that requests personal information (such as phone number and income), they are more likely to provide it when the request is received on their smartphone compared to their desktop or laptop computer.
Why do smartphones have this effect on behavior?
Co-author Shiri Melumad explains that “Writing on one’s smartphone often lowers the barriers to revealing certain types of sensitive information for two reasons; one stemming from the unique form characteristics of phones and the second from the emotional associations that consumers tend to hold with their device.”
First, one of the most distinguishing features of phones is the small size; something that makes viewing and creating content generally more difficult compared with desktop computers. Because of this difficulty, when writing or responding on a smartphone, a person tends to narrowly focus on completing the task and become less cognizant of external factors that would normally inhibit self-disclosure, such as concerns about what others would do with the information.
Smartphone users know this effect well – when using their phones in public places, they often fixate so intently on the content that they become oblivious to what is going on around them.
The second reason people tend to be more self-disclosing on their phones lies in the feelings of comfort and familiarity people associate with their phones. Melumad adds, “Because our smartphones are with us all of the time and perform so many vital functions in our lives, they often serve as ‘adult pacifiers’ that bring feelings of comfort to their owners.”
The downstream effect of those feelings shows itself when people are more willing to disclose feelings to a close friend compared to a stranger or open up to a therapist in a comfortable rather than uncomfortable setting.
As Co-author Robert Meyer says, “Similarly, when writing on our phones, we tend to feel that we are in a comfortable ‘safe zone.’ As a consequence, we are more willing to open up about ourselves.”
The analysis: Smartphone pushing you to overshare?
The data to support these ideas is far-ranging and includes analyses of thousands of social media posts and online reviews, responses to web ads, and controlled laboratory studies. For example, initial evidence comes from analyses of the depth of self-disclosure revealed in 369,161 Tweets and 10,185 restaurant reviews posted on TripAdvisor, with some posted on PCs and some on smartphones.
Using both automated natural-language processing tools and human judgements of self-disclosure, the researchers find robust evidence that smartphone-generated content is indeed more self-disclosing. Perhaps even more compelling is evidence from an analysis of 19,962 “call to action” web ads, where consumers are asked to provide private information.
Interacting with firms
Consistent with the tendency for smartphones to facilitate greater self-disclosure, compliance was systematically higher for ads targeted at smartphones versus PCs.
The findings have clear and significant implications for firms and consumers. One is that if a firm wishes to gain a deeper understanding of the real preferences and needs of consumers, it may obtain better insights by tracking what they say and do on their smartphones than on their desktops.
Likewise, because more self-disclosing content is often perceived to be more honest, firms might encourage consumers to post reviews from their personal devices.
But therein lies a potential caution for consumers – these findings suggest that the device people use to communicate can affect what they communicate. This should be kept in mind when thinking about the device one is using when interacting with firms and others.