In early September, the AP reported that a hacker pleaded guilty to theft of credit card numbers. (The full story, by Denise Lavoie, can be found here.) The story provided some detail on how the hacker obtained the credit card numbers. It turns out that the hacker(s) searched for open or otherwise poorly protected wireless networks used by a corporation to transmit credit card numbers internally. Once a weak or open wireless network was found, the hackers installed a program to collect the credit card numbers used for in-store purchases.
In this case, it was less safe to make a purchase using your physical credit card than it would have been to make the same purchase over the Internet.
Why? Because credit card numbers are not generally protected when they are transmitted within a corporate network, and they have not been for years. One of the first cases in which a hacker broke into a corporate wireless network to steal credit card numbers was reported in 2004.
What can a consumer do in the short term? Not too much, other than have a second credit card that you can use if your primary credit card is shut off due to fraudulent use. It is difficult to tell whether a store where you make a credit card purchase is protecting your credit card number. While you can ask the store employees, you might not get a reliable answer because they may simply not know. And if your credit card number is discovered to be “compromised” by a hacker, you are usually protected. For example, under US federal law (specifically, FDIC regulation 6500, section 226.12), a cardholder's liability is limited to $50 for fraudulent purchases. Still, it is inconvenient to have your credit card compromised, since the card will be shut off and you will need to obtain a new one. This is a downtime of 2-5 days on average.
The corporations that are not protecting credit card numbers in transit can, of course, do more to protect those numbers. They can encrypt the data that is transmitted internally, and they should have their wireless network implementations assessed for security concerns.