2017 consumer cybersecurity confidence index consumer cybersecurity confidence inde 2 ... this...

BUSINESS-DRIVEN SECURITY™

2017 CONSUMER CYBERSECURITY CONFIDENCE INDEX

2RSA Ebook: 2017 CONSUMER CYBERSECURITY CONFIDENCE INDEX

Password breaches continue to plague many popular consumer websites. Last year, over three billion consumer accounts and passwords were compromised resulting in an outbreak of account takeover attacks that increased fraud losses to organizations by more than 60% from the previous year1. The prevalence of these attacks has directly affected confidence with 60% of consumers citing password breaches as the single biggest factor causing them concern about their online security.

In a survey of more than 2,100 consumers, commissioned by RSA and conducted by Harris Poll, cybersecurity was deemed a high priority for most. Despite high expectations, however, most consumers are still doing little to change their behavior with more

than one in four consumers stating they use the same password for most of their online accounts and 40% admitting to writing account passwords down on paper.

Other interesting findings examined in the survey include:

• How consumers perceive their level of security across the various web and mobile applications they interact with regularly

• What consumers are prepared to do to protect their digital identity

• The types of security methods consumers are most willing to adopt

This e-book will explore the impact of recent cyber attacks on consumer confidence, how consumers expect service providers to protect their personal information, and the organizations who scored highest (and lowest) in providing a safe online environment.60%

of consumers cite password breaches as the single biggest factor causing them concern about their online security

****


SECTION ONE: IT’S A DIGITAL LIFEDigital identities are exploding all around us. Over half the world uses a smartphone on a regular basis and 45% of all transactions now originate from a mobile device2. More than one in five of the world’s population has shopped online in the last 30 days3, social media now comprises two billion active users, and there are nearly three billion searches on Google every day4.

Think about going to the office, checking your bank account, making an online purchase, planning a vacation, or even buying a cup of coffee. So much of daily life is accessed and managed from a laptop or mobile device today. The frequency and methods of how consumers prefer to interact, however, appears to be truly generational with millennials significantly more likely to use a mobile device within their digital lives than others.

The Mobile Digital Life (by Generation)

0 10 20 30 40 50 60 0 5 10 15 20 25 30 35 40

Social media

Send/receive email

@

Millennials

35–54 years

Over 55 years

59% 39% 39% 39%

43% 32% 32% 32%

20% 18% 18% 18%0 5 10 15 20 25 30 35 40 0 5 10 15 20 25 30 35 40 0 5 10 15 20 25 30 35

Online banking

Shopping and E-commerce

Pay bills

37% 36% 31%

28% 26% 21%

12% 12% 8%


SECTION TWO: BEST AND WORST PERFORMERS IN CONSUMER SECURITYAs consumers embark on their quest for on-the-go convenience and “always on” access to their digital life, they also maintain high expectations for security. In fact, 93% of consumers stated a preference to be involved in choosing how their personal information and accounts are protected and 91% prefer service providers make security visible.

Consumer perceptions on security vary greatly, however, depending on the type of activity they are performing. It is no surprise that consumers give banks the best grade in terms of delivering the highest level of security, with 96% of respondents stating they feel banking websites and apps are very to somewhat secure. Social media scored the lowest, with 4 in 10 consumers stating that social media websites and apps deliver the least secure experience.

UKGermanyChinaCanadaSouth KoreaAustraliaa

96% Banking


91% Manage healthcare/insurance records


87% Online

shopping


63%Gaming

Least SecureMost SecureUKGermanyChinaCanadaSouth KoreaAustraliaa

61%Social media

@


SECTION THREE:TOP FACTORS AFFECTING CONSUMER CONFIDENCEThe number of U.S. data breaches hit an all-time record high of 1,093 in 2016, with hacking and phishing serving as the main cause in 55% of the incidents, according to the Identity Theft Resource Center. Many of these breaches were targeted at popular e-commerce and social media websites exposing more than three billion usernames, passwords and emails. It is therefore no surprise that 60% of consumers cited password breaches as their top concern when it comes to their online security followed by the increased use of location tracking (50%) and increased media coverage (45%).

Top Factors Affecting Consumer Confidence in Online Security

60%Password

breaches on popular websites

50%Use of location

tracking by web/ mobile applications

45%Increased media

coverage of cyber attacks

35%Expanded sharing

of personal information

UK Germany China Canada South Korea Australia aUKGermanyChinaCanadaSouth KoreaAustraliaa UK Germany China Canada South Korea Australia aUK Germany China Canada South Korea Australia a


The types of data consumers are most concerned about losing in a data breach has changed in recent years and is directly affected by the current threat landscape. For example, when RSA conducted this survey in 2014, 48% of consumers cited health and wellness information as one of the top five types of data they were concerned with being exposed. That same year, healthcare topped the list of most targeted industry by breach for the first time and was extensively covered in the media thus leading to the high concern among consumers about protecting information in their health records. Today, only 20% of consumers cite health and wellness information as the type of personal information they are most concerned about. The following chart represents how consumer concerns have changed over time.

Personal Information Consumers are Most Concerned About Losing in a Data Breach

Bank accounts or credit card data

Social Security number

Password or PIN

Home address

Date of birth

Email address

Information about family/friends

Health & wellness information

0 10 20 30 40 50 60

80%

79%

62%

73%

62% 71%

40% 34%

38% 12%

31% 18%

29% 42%

20% 48% 2017 2014

“�The types of data consumers are most concerned about losing in a data breach has changed in recent years.”


SECTION FOUR:CONSUMERS NEED TO CLEAN UP THEIR SECURITY HYGEINEThe prevalence of password breaches has led to a surge in account takeover attacks. Total losses from account takeover reached $2.3 billion, a 61 percent increase from 2015, while incidence rose 31 percent, according to the 2017 Identity Fraud Study conducted by Javelin Strategy & Research.

With billions of fresh credentials available for sale in the dark market for mere pennies and credential checking tools, such as Sentry MBA, making it easy to test thousands of username and password combinations across multiple websites in minutes (see chart), the need for sophisticated malware to harvest credentials has dwindled.

In fact, consumers are making it quite easy for fraudsters to conduct account takeover because they are doing very little to change their behavior. Despite the number of

password breaches announced last year, only 28% of consumers admit to changing their passwords when they hear about popular websites being breached or hacked and one in five consumers state that breaches have done nothing to change their online habits.

Consumers continue to engage in risky behavior with 40% claiming they write their passwords down on paper and more than one-quarter still use the same password for most of their online accounts. It is likely that

ONLY 28% of consumers admit to changing their password after a major breach is announced.


consumer protection policies, such as zero-fraud liability, contribute to a disregard of appropriate identity management. Among respondents, 73% state they are very to somewhat aware of the consumer protections available to them in the event of an identity fraud incident.

Credential testing costs by business type (Source: RSA Anti-Fraud Command Center)

$2.08

$0.21 $0.42$0.12 $0.12

$2.08

$16.66

Major retail chain

Stock photo site

Major retail chain

Major fast-food chain

Media download site

Social media site

Gaming site

“�Consumers continue to engage in risky behavior with 40% claiming they write their passwords down on paper.”


SECTION FIVE:PASSWORDS ARE NOT DEAD YETDespite the well-known vulnerabilities associated with the long-standing username and password combination, it is still the primary method of consumer authentication used by a majority of online providers today. While the cybersecurity industry has long known passwords are dead, in the consumer world, they are not quite dead yet simply for the fact that user experience dominates. Trying to change a method of identity verification that consumers have adopted and used for over two decades is not an easy task.

Risk-based authentication, pioneered and popularized by the financial services industry over a decade ago, has continued to gain momentum in other industries in recent years. The appeal of risk-based authentication for consumer-facing portals is that it offers strong security and fraud protection for consumers while still allowing them to maintain the only user experience they have known. Risk-based authentication operates by measuring the risk of an activity based on attributes such as the user’s device, behavior and location, and it will only prompt a user for additional identity

verification in less than five percent of logins and transactions on average.

The growing popularity of mobile commerce is helping to propel a change in consumer attitudes, and new authentication methods are catching on. It is estimated that 770 million smart mobile devices were equipped with fingerprint sensors as of 20165 indicating a rapid increase, adoption, and acceptance of biometrics among consumers. Most biometric methods are supported as step-up authentication options within risk-based authentication systems, and some are even in use today.

770M smart mobile devices were equipped with fingerprint sensors as of 2016


The changing landscape is being driven not only by organizations looking to secure their digital channels, but also by industry and government such as EMVCo’s 3D Secure 2.0 technical standards and the European Banking Association Payment Service Directive II (PSD2) which recommend the use of risk-based authentication and transaction analysis coupled with biometrics for securing banking, payments and e-commerce transactions.

So even if consumers aren’t ready for the change, it is coming.

Passwords: Not Quite Dead Yet What Alternative Authentication Methods are Most Acceptable to Consumers?

UK Germany China Canada South Korea Australia a

48%Fingerprint recognition


46%SMS/Text of a one-time passcode sent to your mobile device


33%Eye recognition


28%Facial recognition

21%Voice recognition


“�The growing popularity of mobile commerce is helping to propel a change in consumer attitudes, and new authentication methods are catching on.”


CONCLUSION: RSA IS CHANGING THE FACE OF CONSUMER SECURITYRSA has been paving the way in offering innovative security and fraud prevention technologies in the consumer market for over a decade. We understand the challenge that organizations face as they attempt to protect their customers and reduce fraud while making every possible effort to eliminate friction from the user experience. Consumer security solutions must be built to inspire confidence without the inconvenience.

With over 8,000 global customers, more than 2 billion consumers protected, and average fraud detection rates up to 95%, RSA boasts the expertise and experience to help organizations on their journey to defend the digital world.

For additional information on RSA’s Consumer Security solutions, visit www.rsa.com/fraudprevention.

SOURCES:1 2017 Identity Fraud Study, Javelin Strategy & Research, February 20172 RSA Adaptive Authentication Data Science Analysis3 Digital in 2017: A Global Overview (www.wearesocial.com) 4 Internet Stats and Facts for 2016 (www.hostingfacts.com)5 Mobile Eats the World, Goode Intelligence, RSA, and EyeVerify, February 2016

http://www.rsa.com/fraudprevention

2017 consumer cybersecurity confidence index consumer cybersecurity confidence inde 2 ... this...

Documents