The fast growth of social-networking sites containing users' personal information is drawing concern from some payment data-security experts who say the risk of exposing consumers' sensitive data is rising. And mobile-payment devices pose similar risks because many developers lack data-security expertise, they say.
In many cases, consumers are putting their personal data at risk. Some 52% of social-networking site users within the past year have posted personal information to such sites as Facebook and MySpace, including their full birth dates or home addresses, according to survey data Consumer Reports released this month. Such data could increase users' risk of becoming victims of identity theft or other cybercrimes, the organization says.
Consumer Reports polled 2,000 adult social-networking site users online during January, finding that 38% had posted their full birth dates on such sites within the past year; 13% posted their children's names and 8% posted their full street addresses. Some 9% of respondents said they had been the victim of some type of scam, identity theft or cybercrime within the past year.
Consumer Reports urges consumers to restrict their sharing of personal information and to use sites' privacy controls for better data protection. But that may not be enough, as social-networking sites evolve to include more purchase data and mobile payment applications mushroom.
The flap last month surrounding the social-networking site Blippy, which inadvertently exposed certain customers' credit card data through a glitch, underscores the potential for more data breaches within social-networking sites and related applications, several experts say.
Blippy, which launched last year, invites users to register their credit cards with the site so others could track their purchases. Blippy typically removes the actual credit card numbers and other sensitive data before posting users' purchases. But in a technical oversight earlier this year, the company briefly exposed certain users' raw transaction data, compromising card security (see related story).
Blippy could have averted the incident through adherence to core data-security principles, including the Payment Card Industry Data Security Standard, several data-security experts tell PaymentsSource. Blippy vowed after the incident to hire a chief security officer and to invest in "regular third-party infrastructure and application security audits."
But because Blippy considered appropriate security only after data were exposed is an alarming trend, as social-networking and mobile-payment applications continue to grow, Nagraj Seshadri, security technologist for data-security firm Sophos Inc., tells PaymentsSource. "In many cases, security is an afterthought and is bolted on in response to a breach," he says.
In a move reflecting growing concern about exposing sensitive data on social-networking site, Blippy rival Swipely emphasized at its May 11 launch that it plans to deploy "bank-grade encryption" of credit and debit cards customers register to broadcast details about their purchases with others on sites such as Facebook (see related story).
And many mobile-payment technologies share the same risks as social-networking sites by potentially exposing sensitive customer data, Seshadri warns. "Mobile-payment technologies are rapidly evolving, and the security implications are still not fully understood," he says.
Because of the wide variety of devices using new mobile-payment applications, many do not follow a common security standard. "As more data become electronic, there is a growing risk to consumers' data being exposed either directly or via malware or sloppy handling."
Data breaches caused by sloppy data handling, such as in Blippy's case, are "more common than most people would believe," Markiyan Malko, program manager at credit card processor Merchant Warehouse Inc., tells PaymentsSource.
The fast growth of mobile-payment devices also poses significant risk of data exposure, he says, noting "these applications have saturated the market in such a short time because anyone with any type of development skills can freely produce and sell them."
A qualified third party should validate mobile-payment software, and companies should encrypt stored sensitive data, according to PCI data-security standards. However, not all developers are following proper security channels, Malko says.
As mobile applications continue to rise in popularity, so will the risk of data breaches, says Gary Palgon, vice president of product management at data-security and encryption firm nuBridges Inc. "The pervasiveness of entry points such as mobile applications only increases the probability of a breach," he notes.
With application development, "programmers are not well versed in security, nor do they have the proper tools or methodology to inspect applications and make them secure," Palgon says. Both independent companies and third-party application providers should to educate employees and "put tools in place to audit for security and institute a methodology to make it successful," he says.