The bad guys have your credit card info -- so what?

Cyber criminals can already access your financial data, and credit card breaches can be beneficial in the long run

I'm constantly perplexed by the sensational headlines claiming this or that breach resulted in millions of credit cards being stolen. After all, cyber criminals can access your financial information, including your credit card data, almost at will.

As a matter of fact, I'm almost happy when my credit card gets caught up in a large, publicly known data breach. That means I'll get free credit monitoring for one or more years and my credit card, which has more than likely been compromised several times since it was issued, will be replaced with a new one and will be a bit more secure -- until the next breach.

Each year, tens to hundreds of millions of private records are compromised. You can see for yourself what's publicly known. That same source, Privacy Rights Clearinghouse, claims that 863 million records have been breached since 2005.

As high as the credit card abuse rates may seem, not everyone is a victim every year. Readers often ask me: If what I say is true and my credit card number has probably been stolen, why hasn't it been abused? Two likely reasons:

  1. Your credit card issuer, or someone else in the financial transaction loop, spotted the fraudulent activity and stopped it before you were aware of it.
  2. The bad guys sell hundreds of millions of credit card numbers each year and yours simply didn't get sold.

Besides, they can't commit fraud against hundreds of millions of cards at once. Otherwise, someone in power would actually do something to minimize online credit card theft.

We don't spend money to kill gnats. Today's Internet thieves thrive only because they know they're merely a nuisance to the credit card issuers -- just overhead, a cost of doing business. If fraud actually caused substantial damage to credit card issuers and banks, the entire system would be transformed.

The larger truth is that cyber criminals have penetrated nearly every company and are able to access your credit card information whenever they want. Many of these compromised companies are in the credit card business or have indirect access as auditors, overseers, credit rating or reporting agencies, and so on. For example, the HVAC company's trusted access led to Target's recent breach problems.

All this naturally brings us to the question: How much should you worry about using credit cards or doing online transactions?

Not much, other than being aware of the system's fragility. What I'm writing about has been true for nearly a decade. We've been living in this corrupted world for a while, and the financial industry, broken as it is, functions pretty well. When a breach gets noticed, people get new credit cards and free credit card monitoring. Yes, a small percentage of people are inconvenienced each year due to fraud, but society has apparently decided the percentage is acceptable, just as we've reconciled ourselves to a certain measure of crime in the real, physical world.

The good news is that banks and other holders of financial information are starting to take steps, albeit years late, to make financial crime more difficult to pull off. Banks and credit card companies have spent millions of dollars on systems that can recognize and preempt financial fraud. I get reader emails all the time describing how their first notification of stolen or abused financial information came from a bank, before the reader realized something was wrong. Years ago, most people made this discovery when a credit card or loan application was declined. That's progress.

Besides, what are your options? Try using cash only, and your life will be more disrupted than if you were a victim of cyber criminals. All of us simply have to live with the system as it is today. Despite the rampant breaches, it works -- mostly.

Ultimately, I believe that one big criminal event, caused by a coding error that opens a huge security hole, will expose the fragility of our financial system. The results will be catastrophic, and the financial industry will finally do something to reduce fraud significantly. Until then, we wait, and worrying beyond the usual vigilance is pointless.

This story, "The bad guys have your credit card info -- so what?," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at

Copyright © 2014 IDG Communications, Inc.
