Maybe you’re overcome by politeness. Maybe people who stand behind counters represent childhood authority figures like teachers and principals and movie ushers. Maybe because it’s become routine. Whatever the reason, when a vendor asks for a phone number or email address to complete a transaction, there’s a tendency to comply without question.
However, there’s a big difference between the information merchants need for executing a transaction and the information merchants want for marketing. And, online or brick-and-mortar, personal information that’s compromised is costly to both customers and merchants.
One cybersecurity reporter hit the keys to tell how she deals with companies and clerks who want her email address. Nicole Perlroth writes on nytimes.com:
There is a temptation to think that major retailers like Target are more secure because they have more cash to spend on security. But the reality is that no company is entirely secure.
It’s hard out there for a paranoid cybersecurity reporter.
I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.
But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.
“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”
I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.
After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that.
She said it is always done but ‘Don’t worry, it is secure.’”
That, we now know, is absurd.
There is a temptation to think that major retailers like Target– and now Neiman Marcus– are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.
Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.
The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.
We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.
So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.
But for now, the sweet lady at the boutique just has this: email@example.com.
Note: We went to www.stopaskingme.com and found just this on the website:
It seems like today people want so much information from you. You have to spend 1-2 minutes on the phone, after you get to talk to a human, before you can ever get down to business. They need name, account number, (again) last for of something or other and on and on.
There is a fine balance between good customer service and down right annoyance. Anyways, I love the look on these peoples faces when I give them my email address of some firstname.lastname@example.org. I can not tell you how many tech support people have bust out in laughter when I give them this email. Kind of lightens the whole mood and even has a calming effect when talking to some of the less, shall we say, less than helpful customer service reps.
ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.