I need your credit card. The last five words anybody wants to hear when on an all-inclusive holiday. Yet these very words were said to me during my recent summer vacation at a well-known all-inclusive resort so that I could be entered into a prize draw to stay at the resort on another date.
Sounds ridiculous, doesn’t it? If you hand over your credit card, the sales agent will "only write down the last four digits" and then you stand a chance of winning another vacation! And yet despite my absolute shock and subsequent refusal, I was quickly made to feel not only obstructive but the only person that was not participating in such a wonderful opportunity.
Throughout this year we have witnessed some of the largest and most public data breaches, with reports of hundreds of millions of payment cards not only stolen, but also sold off in underground forums. The most recent breach has seen customers who visited certain locations of P.F. Chang’s China Bistro restaurants during specific time frames potentially have their credit or debit cards compromised.
Such has been the publicity of cyber security stories that even my parents had approached me about "the Heartbeat thing" (a.k.a. Heartbleed) and asked me for advice on how not to "download the virus the police warned us about" (a.k.a. GameOver Zeus/Cryptolocker). Despite public awareness "that computer hackers are stealing data from big companies", there seems to be no understanding of the importance of simply not handing over such data.
The principle is very simple: if you do not hand over your data to a particular company, then if (or when) that company is breached, your data will not be part of the haul that cybercriminals re-package and sell off. Admittedly this is not so simple when buying groceries, or going for a meal, but for prize draws it’s easy.
Two years ago I witnessed and wrote about my absolute disbelief when I saw consumers handing over personal data for chocolate, and commented that the disparity between the actual value of personal data and perceived value was at its widest. I was very wrong!
The willingness to hand over credit cards, address information, and even email addresses to anybody who asks is staggering. Other forms of data we should question handing over include:
- Personal data: Information that can be used to uniquely identify me
- Financial data: Information such as payment card information
- Contact information: This includes not just online communication methods but also offline such as telephone numbers
The above three are of course only a small snapshot, and there is no simple answer about what data I should, or should not, share. It is important to ask two simple questions: does this website or person really need my data? And do I really feel comfortable about handing over my data?
If the answer is not immediately yes, then refuse. It may lead to an angry sales representative, but as I personally experienced only last week, they will get over it pretty quickly (usually when the next customer walks in).
By Raj Samani, EMEA chief technology officer at McAfee