It happened again. Checking into the hotel, I was asked if I could provide my credit card to cover additional expenses (not unusual). However, the receptionist simply wrote my credit card information down on a piece of paper and put it into an unlocked drawer. This, of course, led to a very awkward conversation in my best Spanglish regarding Principle 9 of the PCI-DSS standard.
This is only the tip of the iceberg, because in the physical world and the cyber one we are bombarded with requests for information that we wouldn’t share with our parents, let alone a salesperson or an application form.
From the hotel that requested the last four digits of my credit card to enter me into a prize draw, to a recent application for premium bonds that required my bank account number and sort code to be written onto the form and handed to post office staff, these were just the latest reminders for me personally that 2014 truly was the year cybercrime came home to millions of kitchen tables as well as boardrooms.
In the recent 2015 threat predictions by McAfee Labs, the volume of crime leveraging a digital component is expected to rise. While this trend appears to be on an upward curve (with some exceptions), the reality is that we are witnessing the evolution of traditional crime. A bank robber today is more likely to use a keystroke logger than a gun.
However, in the midst of this transformation, there appears to be a discrepancy between the physical world and the digital world.
For example, many people – and certainly those of you reading this – would decline a request made via email that seems to be from their bank asking for their login credentials. In fact, huge sums are spent to teach employees and citizens about basic cyber hygiene: choose complex passwords, regularly change that password, don’t click on links in emails, and so on.
But such approaches fail to address the fundamental issue: getting the person who owns the data to understand the value of it, and why it is coveted and targeted. This lack of understanding creates a level of exposure in the physical (and digital) world that can be very easily avoided.
Identity theft continues to grow. While significant awareness activities are undertaken to ensure people are aware of attempts to gather information through digital means, an application form, a hotel promotion, or even simply checking in raises the level of risk.
The intention is not to create an environment of fear, but merely to provide simple steps to reduce the risk of fraud.