Saturday, August 1, 2015

Security is a way of data life not a static condition.

There are always disconnects between what you hear in the news, see in the numbers and what you experience in real life. The skeptical mind tries to reconcile those different streams of pattern identification.

One persistent disconnect over the past decade and more, for me, has been what I see in terms of warnings about identity theft and news accounts of massive (tens of millions) data theft from government and companies including names, addresses, phone numbers, e-mails, and even social security numbers. Taking all that at face value, it feels like there must be a massive amount of identity theft going on and huge fraud numbers.

And yet, listening to friends and acquaintances, I don't hear of more than two or three people a year having to deal with identity theft and its ilk. My quandary is not that I believe identity theft to not be occurring, but that it seems to have so little real-world impact. Till now, I have assumed that the reconciliation between news reports of data thefts and my personal observations of few instances of identity theft must lie with some non-normal distribution curve of those affected. Perhaps there is a lot of identity theft occurring but it is concentrated among the poor or the elderly or the very rich. But frankly, I didn't think that was a particularly good explanation, just the most probable one.

Stolen Consumer Data Is a Smaller Problem Than It Seems by Nathaniel Popper offers an alternative explanation.
Enormous numbers like these can make it feel as if we’re living through an epidemic of data breaches, in which no one’s bank account or credit card is safe. But the actual effect on consumers is quite different from what the headlines suggest. Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily.

How could that be? For starters, several laws protect consumers from bearing almost any financial losses related to hackers (though not the headaches of having to enter new credit card numbers into Amazon and elsewhere). Instead, banks and merchants, like Target, must bear the cost. But even their losses have been dropping in recent years, as data security experts have learned new strategies to prevent intrusions from turning into theft.

“The bad guys are getting good,” said David Robertson, the publisher of The Nilson Report, a data provider for the card industry, “and the good guys are getting even better.”
The risk remains real, but my takeaway from Popper's reporting is two-fold. 1) The funnel between data hacking and data exploitation is far more constricting than we think. Only a small fraction of what is stolen can be used. 2) The fraud system is dynamic, like a biological system, with attackers and defenders in a constantly evolving system of offense and defense. Security is a way of data life, not a static condition.

