In identity theft, the hits have just kept coming since aggregator ChoicePoint revealed in February that scammers illicitly got data on 145,000 individuals from its databases. Within weeks, ChoicePoint became one target of a Congressional committee hearing in March on ID security, along with LexisNexis, where hackers broke into a subsidiary and made off with data on 32,000 names. Other recent data scares include the March theft of a UC Berkeley laptop that may have contained personal info on 98,000 current and former students, and a burglary at a California medical group in early April that exposed the financial and health records of as many as 185,000 patients. Even the Nevada Department of Motor Vehicles had to send letters to 8,900 clients telling them their private data was taken during a break-in at a North Las Vegas office a month ago—along with 1,700 license blanks.
With reminders of the insecurity of private information continually turning up on the nightly news, some experts say consumers are showing signs of changing their online behavior to protect their credit card numbers and other valuable data. And that may mean trouble for online retailers, especially small vendors and start-ups that have not yet built a fund of trust among shoppers.
An annual consumer survey conducted in mid-February by data protection firm RSA Security found that 25% of online shoppers say they have reduced their buying over the Internet in the past year because of concerns over identity theft. That proportion is up from 22% of consumers who said they’d cut back on Web shopping in 2004 for the same reason, and 19% who gave the same response in 2003.
“That’s an early warning sign,” says John Worrall, vice president for worldwide marketing at RSA. “That’s the canary in the coal mine. Every merchant ought to pay attention to that finding. At a time when banks and online retailers are trying to get consumers to use the Internet more because of its economies of operation, here consumers are saying that they’re pulling back and choosing to use the Internet less.”
Some areas of e-commerce raise special security worries for customers. Banks and other lending institutions are trying to get consumers to move online in order to speed transactions and reduce paper-shuffling. But the RSA survey reveals that they may never be able to address a portion of their prospective market: 21% of those polled said they have refused to conduct business with a bank or other financial institution through the Internet. RSA could not correlate that response to previous surveys, since the question was added this year.
Worrall points to the 43% of respondents who said that they have refused to provide online merchants with personal information as an indication that consumers are sensitive to managing their data and willing to withhold it when they don’t see a need to provide it.
The RSA survey was conducted just before the latest wave of identity thefts hit the front pages. And Worrall admits that the heightened fear may prove to be a temporary reaction to news stories, and may drop back as the headlines fade.
But the Tucson-based Ponemon Institute, a privacy consulting firm, has conducted a monthly study of consumers’ security fears since August 2004. The late-February flight of that survey found a large jump in the number of consumers who were “unsure” whether they would become victims of ID theft, either on or off the Web—from 34% in January to 58% in February. That figure held steady in the late-March monthly survey, in which 56.5% of respondents said they did not know if their identity information would be hijacked.
Combined with the 13% who said in March that they believed their IDs would indeed be stolen at some future time, that means that seven out of 10 consumers had doubts about the security of their private information in March. That compares to just over four in 10 who felt the same worry about their personal data in January 2005.
Meanwhile, the portion of respondents who said they believed they would not fall victim to identity theft fell from 57.3% in January to 34.5% in February and 30.5% in March.
“I’m not sure if these results are due to permanent attitudinal shifts, or a short-term shift due to significant coverage of the topic in popular print, television and the Web,” says Larry Ponemon, head of the Institute. “We will continue to report this over time.”
But if the results do reflect a persistent concern among consumers about the safety of their data, Ponemon says it’s to be expected that such widespread anxiety will have some impact. “When we start believing that everything is insecure, we start changing our behavior to reflect that impression,” he says. “If we start assuming that every e-mail is suspect, we rely less on e-mail. We may not go to our online banking site as much as we used to if we feel threatened, or we shop less online than we would otherwise. We adjust our behavior, even when that change may not really be warranted.”
And Ponemon and Worrall both agree that behavioral changes like cutting back on online shopping may indeed not be called for. While incursions have been made on e-commerce databases in the past, the high-profile hijackings that have made the biggest news in the past few months have occurred among non-retail organizations that collect private data. Consumers have no direct control over how well groups such as hospitals, banks, colleges, data providers or the DMV manage and protect their information. And in fact, relatively few of the recent incidents even used the Internet. Some were straight burglaries or thefts of equipment; in the ChoicePoint case, fraudsters used “social engineering” to impersonate legitimate businesses requesting consumer data.
But that powerlessness to prevent ID theft at the high echelon may make consumers all the more determined to implement data safeguards at the lowest levels—including being more wary about handing over their credit card numbers to online retailers. Consumers’ perceptions of security may be separate from the reality, but that doesn’t mean that they can’t pose a problem for Internet merchants. The 2005 RSA survey found that an overwhelming majority of consumers (61%) say they are “very” responsible for protecting against identity theft—followed in descending order by their bank (52%), law enforcement (30%), and the federal government (22%). Only 19% of respondents said merchants were “very” responsible for protecting personal information.
“Clearly, consumers consider themselves the first line of defense,” Worrall says. And the implication is that they will do what is in their power to mount that defense—even if the practical impact on the problem is small.
That doesn’t mean other parties interested in the growth of e-commerce and broader Internet use aren’t offering help. Last February, Microsoft, eBay, PayPal and Visa announced the launch of the Phish Report Network to share information and educate the public about phishing, the growing online scam that combines fraudulent e-mail and spoofed Web sites to snare personal info. Microsoft has been particularly active in pursuing phishers and recently filed 117 “John Doe” lawsuits in federal court against anonymous Web site operators allegedly engaged in the scam.
Technology may provide some relief too. EarthLink’s free ScamBuster tool alerts users when a URL contained in e-mail is on a black list of spurious addresses used by phishers. Both AOL and online broker E-Trade have begun offering subscribers a two-part security system that combines their password with a security key whose code changes every 60 seconds. And later this year, Microsoft reportedly plans to test a software feature that will let users store personal information on “Info-cards” on their hard drives and send or receive that information to trusted Web sites in encrypted form.
But as fast as technology counters new threats, criminals can adapt to attack from new angles. Already the Web has seen the advent of “pharming”, which automatically directs visitors from a real Web site to an apparently identical fake site, where credit card numbers and other personal information are collected. Scammers don’t need to entice individual consumers to open e-mail and click on suspect links; instead they can crack into the domain name servers that direct Web traffic and insert false IP addresses to re-route visitors.
While both Worrall and Ponemon agree that consumer education about identity theft is crucial, it’s hard to see how the average Web surfer is going to be able to detect and protect against such high-level thievery.
In the end, consumers who are worried about protecting their identities may be forced to combine that education with a certain level of trust. As to how online merchants win that trust from first-time visitors, Ponemon suggests a prominent display of “trust signals” on the Web site, such as the seal of a privacy protection organization like TRUSTe. They should also encrypt transactions using the Secure Sockets Layer (SSL) protocol, producing that little gold key in the lower right of the browser.
These outward signs are important, but many such signals can be spoofed by ID thieves as easily as they reproduce a corporate logo. More important, Ponemon suggests, are the policy changes that convey the impression that a Web retailer is handling personal information responsibly:
* Don’t ask for more information than you need on the first registration, or at the first transaction. That adds to your responsibility for protecting it, and it raises doubts in the mind of the new visitor about how well you can control its use.
* If users need password reminders, make them log off and wait to receive them in the e-mail addresses they have on file. Don’t include their user ID and password in the same e-mail. And don’t rely on prompt questions on the site: ID thieves have little trouble finding out someone’s mother’s maiden name.
* Have your data security policy prominently displayed on the site, and make it as readable and lucid as your lawyers will allow. Ponemon says he would like to see the development of a “food-label” privacy policy set out in terms a reader could understand at a glance: “Do we share your information with third parties? Yes. Click here to find out more.”
* When bad things happen and identities are stolen, take the initiative and inform the consumer. The price of keeping quiet is too high; Ponemon’s research indicates that the average victim of ID theft tells 17 acquaintances. No business wants that kind of word of mouth.
Protecting the security of users’ data is important because it’s the right thing to do, Ponemon points out. But it’s equally important to be seen doing that right thing. That’s what builds trust among customers, especially new visitors to a start-up online retailer or a small merchant without strong brand backing.
“Small companies are going to have to work harder than the established Web names to win and keep consumers’ trust,” he says. “As people become more sensitized to these security issues, they’re going to be less likely to patronize the unfamiliar vendor and rely more on those with whom they have an existing relationship of trust. It’s going to be a lot harder to become the next Amazon or eBay, because consumers are going to be a lot less trusting right from the start.”




