The biggest sources of stolen banking information: online retailers?

Kaspersky Lab’s recent survey surprisingly found that e-commerce, online retailers and financial service providers are not just the biggest sources of stolen financial data, but also feel just a bit too lax about security. However, this has some severe implications.

A recent Kaspersky Lab survey surprisingly found that e-commerce and online retailer businesses are the two biggest sources of stolen banking information. Well, that’s probably quite obvious, but at the same time looks plain wrong.


Even worse, these segments are the least likely to deploy and update specialized anti-fraud measures to protect financial transactions.

The figures: 48% of e-commerce/online retail businesses and 41% of financial services organizations have reported losing some type of finance-related information to cybercriminal activities within a 12 month period. This means that almost half of the entities directly involved with other people’s financial transactions may and likely will lose some of this information over the course of a year.

Financial organizations are highly dependent on their clients’ trust; losing such data means losing this trust, which may be further burdened by costly legal penalties, not to mention removal and clean-up costs. As always, it’s much easier to not let the malware in than to eradicate it afterwards.

Still it’s quite strange that online merchants are that “relaxed” in their attitude towards IT security and technologies. According to the survey, just 53% of them reported to “make every effort to keep anti-fraud measures up to date,” which is 10% lower than the overall global average, and the lowest overall of any business segment.

Since the entire business model of online merchants is based on online and electronic payment processing, this reluctance to invest in anti-fraud measures seems highly counter-intuitive. Even counter-logical.

The situation in the financial services segment is a bit better: 64% of financial service providers said they make every effort to keep their anti-fraud measures always ready. A response rate tied for highest across all segments.

This enthusiastic response is the complete opposite of the attitudes in the e-commerce/online retail segment. Additionally, 52% of the financial services segment reported a desire to implement new technologies to protect financial transactions, compared to 46% of the e-commerce/online retail segment.

Kaspersky Lab’s survey also asked businesses that had experienced a serious data loss incident about steps taken afterwards to protect their customers.

Despite their differing attitudes, both the online retailers and financial services sectors took similar steps – implemented additional protections. The most common measure implemented was “providing secure connections for customer transactions,” which was done by 88% of financial services organizations, and 78% of e-commerce/online retailers.

Financial service providers are also more focused on providing specialized solutions for mobile devices than e-commerce/online retailers (75% vs 56%, respectively).

One more interesting finding: both financial service providers and e-commerce/online retailers following a data breach occasionally provided free or discounted versions of premium internet security software to their customers. But this was the most uncommon move among them: it looks as though these businesses prefer to invest in the security of their own systems, rather than investing in securing their customers’ devices.

It is also appropriate to mention here that there are a formidable number of users considered financial service providers (banks, etc.) directly responsible for their own security and expect them to reimburse losses, no matter the cause: they may have no security solution on their smartphones, and still expect that banks return the money lost to a fraudulent transaction. According to a survey this isn’t a mainstream point of view, but it’s still quite popular.

To sum things up, let’s point out a few points, seemingly obvious, but apparently not obvious enough:

  1. If your business is “close to others’ money”, malicious attempts on it will happen. No exceptions. So it is indeed strange to see that online retailers are that relaxed about security.
  2. Just like a fire in a household, an IT security incident (fraudulent transaction included) are easier to prevent rather to clean up afterwards.
  3. Incidents don’t need to happen to beef up your security. They don’t need to happen at all.
  4. Users feel better towards the businesses they work with, if those provide visible protection. Or at least make it clear to the users that their transactions are indeed well-protected. So free and discounted versions of security software is a good idea. However, it’s best to use a full-range protective suit that covers every transaction all along.