In the last 9 months, the credit card information on my most-used card was stolen three times, and my credentials to log in to websites were likely stolen three times as well. Like a good sheep, I changed my passwords, signed up for the credit monitoring service, and monitored my transactions. Should I worry a lot about this?
Heck no. The Russians have my credit card three times over and have not used it yet. My credit card company regularly disallows valid purchases and sends me tons of emails when I spend over a certain amount, when I use the card internationally, and when the card is not present for a transaction (as if that matters). I am not responsible for invalid transactions, and Home Depot will pay the $50 deductible if my credit card company tries to charge me. It is inconvenient, but the economic impact is to the credit card issuers and retailers.
The US credit card industry and US retailers are learning game theory. Hackers had already broken through the security of magnetic stripe cards and simple PINs in Europe 10 years ago. Europe and many other countries went to smart cards with PINs ("chip and PIN"). The US thought it could not happen here for some odd reason. The hackers, as game theory would tell you, simply switched to the most lucrative easy target: the USA.
Let's hope that the card companies and retailers get their act together and do two things:
- Deploy "chip and PIN" cards and systems quickly.
- Harden the security of their enterprise data networks. Based on the news reports, their networks are woefully insecure.
We also need the internet standards folks to come up with a standard way to authenticate a user. A username and password were OK when the Bee Gees were "Stayin' Alive", but 40 years later we need something better.