Database data loss

People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, and credit unions we use, and even government organizations: all of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.

Database data loss

If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably large) batch with others’ information.

We used to be concerned that manila folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumb drives.

Laptops and thumb drives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) and by industry sector (business, government, educational institution, etc.). You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.

© Copyright 2008-2013 Bambi Vincent. All rights reserved.

4 Comments

  1. You are right Bambi. Like I tried to point out, personal practices like password selection have no impact on the security of corporate databases.

    But think of database attacks like a bank robbery and individual attacks on passwords like pick pocketing. Obviously all criminals would prefer the bounty from robbing banks but most are willing to settle for the scraps of picking pockets.

    I just didn’t want your readers to give up on good personal security practices because they can’t take turns guarding the ‘bank vaults’.

  2. Bambi says:

    You wouldn’t be a customer of any of these, would you? Updated list of companies whose client databases were compromised in the great Epsilon hack:

    Kroger
    JPMorgan Chase
    Capital One
    Citi
    New York & Company
    US Bank
    Barclays Bank of Delaware
    Barclay’s L.L. Bean Visa card
    Brookstone
    McKinsey Quarterly
    TiVo
    Walgreens
    Ameriprise
    Marriott Rewards
    Ritz-Carlton Rewards
    Disney Destinations (The Walt Disney Travel Company)
    Benefit Cosmetics
    Home Shoppers Network (HSN)
    AbeBook
    Best Buy
    Best Buy Canada Reward Zone
    Borders
    City Market
    Dillons
    Food 4 Less
    Fred Meyer
    Fry’s
    Hilton Honors
    Jay C
    King Soopers
    QFC
    Ralphs
    Verizon
    Visa
    AIR MILES Reward Program (Canada)
    Beachbody
    bebe
    College Board
    Eileen Fisher
    Ethan Allen
    Lacoste
    Red Roof Inn
    Target
    1-800-FLOWERS
    Ann Taylor
    Viking River Cruises
    BJ’s Visa
    World Financial Network National Bank
    Victoria’s Secret card
    Express card
    Catherine’s card
    TripAdvisor.com
    TIAA-CREF
    TD Ameritrade
    Smith Brands
    Scottrade
    Robert Half International
    MoneyGram
    Marks & Spencer
    Eurosport Soccer
    Eddie Bauer Friends
    Dell Australia
    Charter Communications
    ExxonMobil card
    Home Depot card
    NTB card
    The Place
    Crucial
    Stonebridge Life Insurance
    Tastefully Simple
    Chadwick’s
    Dressbarn
    Fashion Bug
    Giant Eagle
    J.Crew
    Lane Bryant
    Maurice’s
    PotteryBarn
    RadioShack
    Sears
    Smile Generation Financial
    The Limited
    United Retail Group
    Avenue
    Jessica London
    OneStopPlus
    Value City Furniture
    GlaxoSmithKline Consumer Healthcare
    Woman Within
    Stage
    Trek
    Sportsman’s Guide
    Shell
    Reeds Jewelers
    Radio Shack
    QualityHealth
    Quality Food Centers
    PotterBarnKids
    PacSun
    Palais Royal
    Polo Ralph Lauren
    MyPoints Reward Visa
    KingSize Direct
    Justice
    J.Jill
    Gander Mountain
    Giant Eagle Fuelperks
    Domestications
    David’s Bridal
    Crate & Barrel
    AshleyStewart
    Abercrombie & Fitch

  3. Bambi says:

    Hi there, Bruce! I think most of us are scared into being careful with our credit cards and ATM behavior. My point above is that we as individuals and card-users can be extremely careful, but we can’t control how securely our data is kept by businesses. Our security is in their hands and mostly out of our control.

  4. The most important things you can do as a card holder are to use good passwords/PINs/secret question answers and be very careful about who you share them with or where you type them in.

    It’s true that this won’t have any impact on databases being stolen from the merchants or processing companies, but individuals are still targeted quite often with ‘phishing’ in emails, web pages, and even phone calls.