First Target got targeted, then Home Depot (likely) got burglarized — digitally, that is. Big companies are increasingly susceptible to database breaches. And when it happens, millions of customers are exposed to the risk of identity theft — an estimated $27.4 billion-plus industry in the U.S. alone.
At the root of the problem is antiquated technology, security experts say. The United States, unlike the rest of the developed world, still stores credit card information in outdated magnetic strips, making it easier clone cards. Other developed countries use microchip technology, which is harder to duplicate, thereby eliminating much of the incentive scammers have to steal data in the first place, according to experts.
Magnetic strips are the reason that nearly half of all credit card fraud occurs in the United States, despite the fact that only a quarter of all global credit card transactions happen here.
"If we used chip and PIN technology like most of the world does, [thieves] wouldn't be stealing this massive amount of information so easily," Brett Stone-Gross, senior security researcher at Dell Secure Networks, told Fusion.
Pilfered personal information then gets sold on black market Internet sites where duplicate credit cards are readily available.
Stone-Gross said his security firm researched these "dark marketplaces" and found that cloned credit cards go for $4-8, while a data packet of personal information needed to commit full identity theft goes for about $25.
U.S. credit card technology is antiquated, but it's too widespread to replace easily. As a result, credit card companies have long found it easier to treat the symptom of the problem rather than deal with its root cause.
"For the moment, it is still considered less expensive for companies to deal with fraudulent activity than it is to replace all the existing point of sale devices, upgrade the technology, and reissue all the credit cards," Stone-Gross said. "It is basically built into the business model of credit companies."
Credit card companies and banks assume full liability for money lost through fraudulent transactions, but in the case of full-blown identity theft, the victim is left to his or her own devices. The process of recovering one's identity can be costly, complicated and time-consuming.
Younger Americans are particularly at risk of these breaches because they're more likely to throw plastic, even for small purchases under $5, according to a recent CreditCards.com survey.
Some research suggests that overall crime has dropped nearly 10 percent over the past 20 years, thanks in part to online banking and an increasingly cashless economy. But at the same time financial losses due to identity theft and large-scale security breaches have eclipsed the total losses caused by all household burglaries and property theft combined, according to the Bureau of Justice Statistics' report.
"The FBI has come out and said that over 1,000 large companies have been breached by the kind of malware that leads to these breaches," Stone-Gross said. "It is something that is obviously very concerning from a security standpoint."
Starting in October 2015, both Visa and Mastercard will start requiring the use of the new chip-embedded cards in the U.S. Once that system is up and running, the industry will undergo a "liability shift," as Mastercard's Carolyn Balfany put it to the Wall Street Journal earlier this year.
"If a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card," Balfany said. "And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable."
Until then, keep a super tight grip on your stack.
Daniel Rivero is a producer/reporter for Fusion who focuses on police and justice issues. He also skateboards, does a bunch of arts related things on his off time, and likes Cuban coffee.