People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, banks, credit unions we use, and even government organizations. All of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.

Database data loss

If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manilla folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.); by the industry sector (business, government, educational institution, etc.) You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.