December 20, 2013

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card.

A graphic advertisement for stolen cards sold under the "Tortuga" base.

A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s N0v. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran a fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they posses the legitimate, physical card for the corresponding account that is being used to fund the online purchase.

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

[EPSB]

Have you seen:

Non-US Cards Used At Target Fetch Premium”…An underground service that is selling millions of credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.
[/EPSB]


445 thoughts on “Cards Stolen in Target Breach Flood Underground Markets

  1. mike

    Brian, when you say one “bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.” does that mean that once a block is bought that it’s off the market and others can’t buy the same block?

    1. Mia

      This is something I have a hard time believing. if someone was unethical enough to steal the card numbers in the first place, why would they NOT sell the numbers more than once?

      The only reason why they might not make a habit of it is that their customers want to buy “good” numbers and if the number has already been shut down, the person gets declined when they attempt to use it. But what recourse would they have other than not to buy another “number” from that guy? That seller would probably only change his name and keep going anyway…

      I simply cannot imagine that “buying your number” would effectively take it off the market for good.

      1. JB

        If the bank buys the numbers, they will know which ones to cancel.

      2. Chris

        It’s not about ethics, it’s about business. These guys are running a criminal business, and they’re very good at it. It’s not good business to sell the same number to multiple people (see Brian’s responses).

      3. joebob2000

        If you have between 1 million and 40 million stolen numbers, and you want to continue to get $20 to $40 for _each_ number, you keep them nice and pure. If the perceived value starts to go down in a few days, he will be sitting on a ton of numbers that will go for cents instead of dollars. Why risk it when he still will probably have to shut down and flee to Ecuador (with untold millions) before he gets through all the numbers anyway?

      4. E.M.H.

        When you’re selling to criminal gangs, you risk retaliation if you sell the same product to more than one of them and get discovered. It’s negative incentive, true, but the negative incentive to avoid getting capped by a criminal is, in my mind, far more compelling than any sense of business propriety these thieves may have.

        1. 0xi

          If you think anybody selling card info online is worried about getting capped by their clientele, I have bad news for you that most of the internet already knows.

          1. E.M.H.

            Your reply makes no sense. I was replying to Mia’s post about selling to more than one buyer, thus increasing the risk of one of the buyers ending up with a number already useless *because* it was used and closed by another criminal.

      5. Dave

        For the same reason Al Capone only sold good beer: customers won’t buy bad product a 2nd time.

    2. 0xi

      Usually yes, people don’t want to buy cards that others already have, still that probably won’t stop anyone from selling the same card information twice unless they are called out on it.

  2. Bob

    Hey Brian, two questions: Do the card shops sell the same card information multiple times? If not, wouldn’t it be cheaper for the banks to buy their cards back at $20-$40/piece vs. paying for the fraud if/when those cards are used illegally?

    1. BrianKrebs Post author

      This shop in particular is highly rated, and one the biggest no-nos you can commit in this business is selling the same card more than once. These guys are pros, and they have access to more dumps than they know what to do with. There is no reason for them to try to cheat people, as doing so would very quickly ruin their cred in the underground.

      As I state in the story, customers can check cards to see if they’re still active, and will get money back/refund if a card is already canceled. The surest way to have all of your customers complaining about all or most of their purchased cards coming back as canceled is to try and sell the same card to multiple buyers.

  3. Liquidretro

    So if you know you shopped at Target during this time, and used a CC and Debit Card, would it be wise to replace at least the debit card? The debit card was used as a credit card so no pin was used.

    1. Old School

      IMHO, replace all cards used at Target. You will then be able to sleep at night. To prevent a repeat of this mess, use your debit cards for ATM withdrawals at machines in bank lobbies or bank parking lots. These machines most likely will not have skimmers and the area should be safe. This description of safety does not apply to Brazil because of the high level of crime in Brazil.
      When you change your cards be sure to change the account information with businesses that are sending bills to your credit card. For example, in Illinois, the tollway system uses a driver’s credit card to fund an account used to pay tolls. Do not use a debit card for any automatic withdrawals. Lastly, read everything Brian has written on the subject.

  4. Ken

    Curious if the card issuers will start contemplating chip and pin – preferably with the pin being a Google authenticator, SecurID token or Verisigns.

    Due to scope of this breach assuming this is not some mass pin entry device compromise, but rather a targeted attack against back end systems that waited patiently until the highest transaction volume of the year to start harvesting?

    Also nice to know if any of the big commercial end to end encryption or tokenization solutions were in use.

    1. C0ll3ct0r

      Chip & Pin is a 2015 card association “mandate” domestically. However, the obstacle continues to be the requirement to change the swipe terminals to accept this technology. Retailers are on the hook for replacing that equipment which likely runs in the $$Billions. Issuers can produce cards with Chip and Pin, but if the Retailers can’t accept it, they’ll continue to rely on mag stripe = stuck in rut.

      1. andy

        A significant amount of retail business is from CC. Not being able to accept them would put retailers out of business. They have every incentive to upgrade if the card industry mandates chip and pin.

        1. C0ll3ct0r

          And vice versa. I think the NRF has a bit more leverage. Expect to see an extension to the mandate.

    2. Xeiran

      Can’t comment on PINs, but I can say chip cards are *far* more difficult to make a fraudulent copy of; pretty much every other first world nation converted years ago, largely because their governments mandated it. Here in the USA our government never forced the issue, and card companies have thus far found it cheaper to eat the cost of fraud than to force change on the merchants.

      But no more. As an IT person at a smaller financial institution, VISA approached us roughly a year ago to talk about converting to chip, and told us that plans were to finish converting to combo chip & magstripe cards by sometime in 2015 (sorry, can’t recall exactly when). At that point, consumers can still *use* magstripe if need be, but any merchant or financial institution still *accepting* magstripe will become liable for all subsequent fraud; VISA will no longer eat the cost after that.

      VISA can finally get away with it because in actuality, by 2015 a majority of larger merchants will have either already switched over, or will finish switching over, their POS systems to handle chip, like Target – it’s just not active yet in many cases. By then, it is expected that only smaller businesses will still be hanging on to magstripe-only systems.

      Once VISA forces the issue, I expect most other card companies will quickly jump on the bandwagon with similar policies.

      1. JCitizen

        Personally I see it as a way to foist the cost of infrastructure and liability onto the consumer and other institutions besides the card issuer. Not good. There are two technologies that if implemented together would have been vastly cheaper, even if the POS tech would have been slightly modified; but it is probably too late now that VISA came to the table – it could easily be argued that just the savings in fraud could pay for the upgrade; but I feel like it is going to be a ruse to put all liability on the customer, and everyone else gets off scott free, even though, there will still be ways to defeat this expensive technology. I’d sooner lose money on cheaper tech that is almost as secure, than even a modest failure at high cost. How many times have we seen that in policies forced down our throats? I still feel like the EU has enjoyed a relatively fraud free experience so far, because all the low hanging fruit was elsewhere. Once Chip ‘n Pin gets ubiquitous, the new end game will come into play. And there are endgames for this system.

  5. Lisa

    I would be happiest if my banks proactively went ahead and issued new cards to those affected. It would go far toward public relations. So far, my banks have been tight lipped. So, should forty million of us now ask for new cards?

    1. Infosec Geek

      Lisa, in order to issue new cards they must cancel the old ones. New cards would not arrive until after Christmas meaning there is no chance of their customers using those cards for Christmas shopping. In other words, no revenue for bank. I’m sure their internal bean counters have calculated the cost of lost revenue versus the cost of fraud losses and decided that as a service to their customers they’ll absorb the risk of not replacing cards immediately. Merry Christmas from your bank. 🙂

      1. Brie

        Infosec Geek, in cases where banks determine that reissuing the cards is the best course of action, the reissue will take place and clients will have a set amount of time to receive the new cards, activate them, and switch over any automatic transactions before the compromised cards are closed out on a specified and pre-communicated date.
        Meanwhile, clients are encouraged to watch their accounts for any unusual activity.

      2. alsoInfoSecGeek

        Perhaps you’ve heard of FedEx? Its been around a while.

  6. Francis, the talking mule

    I’m shocked that we have not heard from the Tea Party airheads droning on about how the free market can solve all of the world’s problems.

    I’m also amused that the people who posted so vociferously against any kind of penalties in your bug bounty posts are strangely silent now, yet your previous Target post has garnered almost 500 responses so far, most demanding action or pleading for help.

    Nice work, Brian.

      1. Francis, the talking mule

        To slightly paraphrase Descartes: I think, therefore I am not a Tea Party member.

      2. Name is required

        TeaParty members don’t use credit cards nor debit cards?

    1. FrancisFliesToTheSecondFloor

      way to drag politics into a tech conversation. You read like a internally angry person. So much anger… so mad… have to fill every conversation I take part in with quips mocking other people… what a poor, poor soul!

      1. Francis, the talking mule

        A few articles ago, I wrote a lengthy comment on Brian’s bug bounty. You and a few other teabaggers left comments, changing the subject to reflect your favorite topic, that of your fantasy of a world without government That’s right, *you* were the one to “drag politics into a tech conversation,” not me. You read like a internally stupid person.

    2. Lily

      Because the government can fix all this – they can just pass some new laws! Then the thieves are stopped in their tracks!

  7. FI IT

    This may be a stupid question:

    I work in IT at a financial institution. What is the risk of creating a Rescator account just to do a bin lookup?

    1. Steve

      Out of curiosity, I looked at the rescator site. Now google is giving me an “unusual traffic from your network error”. Could be the site has malware on it. This may qualify as a ‘risk’.

  8. Humberto

    Mention of “When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”

    Were they able to specify which stores or region was vastly affected? Was this a datacenter breach or a more wide spread “random” hit on a wide net of stores?

  9. D

    Interesting tactical timing for the hackers since this time of the year gives them the maximum number of cards, maximum camouflage due to high levels of card volume, but also hesitancy from issuers to reissue immediately due to holiday shopping and not wanting to upset customers.

    I’ve seen speculation about the potential for this being an inside job or at least inside assistance, even from industry analysts. I am not convinced of this until I see evidence.

    In working in the industry, I know that Target invests very heavily in security and better quality security personnel – much more so than many other retailers. I have to believe this would follow over to IT/Info Sec. Certainly not a guarantee of anything.

    At the end of the day, any entity can be hacked…period. Not a matter of if, it’s a matter of when…and then comes reputation management and damage control.

    1. DefendOurFree

      I’ve been speculating if this is part of #opBerserkChristmas (Anonymous/hacktivists) operation.

      Excerpt from their press release:

      “We are announcing our newest operation: #opBerserkChristmas — this operation entails carding many gifts for the children and less fortunate at politician, government employee/official and
      corporate expense.”

      ::shrugs::

  10. D

    FI IT, before accessing Rescator, you may want to go through TOR or another obfuscator first. It’s believed that some of these card forums check up on people accessing them.

    1. FI IT

      D – I did, and took a few other measures as well. Your advice is definitely appreciated.

      Interesting, I looked up my institution’s debit BIN, but it’s listed as a major bank we have no connection with.

  11. AM

    After reading this I’m kind of shocked this doesn’t happen more often in these kinds of high volumes. Not that I’m complaining, but why doesn’t this seem to happen more often? Better yet, why aren’t these companies staying on top of things and working on better and better security?

  12. Defende Regnum

    As an IT guy at a local bank, I am thinking that FI IT’s idea is not a bad one.
    Lisa…. a mass re-issue of cards can be a nightmare… the consumer always blames the issuer (the bank/credit union) and never the retailer, even if like Target they are in the news. (Been through this before with TJX and Hannaford).

  13. DS

    I have a Target Debit Card which is hooked up to my bank account and withdraws money using ACH transactions. The card can only be used at Target. Would they only have the number on the card or would they have more information such as the routing and account number?

    1. Heron

      If it’ll help you sleep at night, go ahead and ask for a replacement card now.

  14. Tao

    “The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they posses the legitimate, physical card for the corresponding account that is being used to fund the online purchase.”

    Note that most online merchants indeed require CVV2, but many still let a purchase go through even though a provided CVV2 is invalid. In other words, this bank should still be concerned even though CVV2 associated with their issued cards are not stolen.

      1. BrianKrebs Post author

        This is a very easy detail to screw up. I have not seen anything from Target saying CVV2 was taken; even the card shop selling this info says CVV1 in all of the cards for sale.

      2. E.M.H.

        Are we sure that’s accurate? Target’s own release said that it was only the CVV1s that were compromised, and the CVV2s were not.

        1. EdH

          the actual quote is above, probably my misinterpretation. My bad.

          1. E.M.H.

            No, no, that’s no problem. Things are being reported in a confusing manner because few realize the difference between the cvv1 and cvv2. Heck, without my org’s mandatory training, *I* wouldn’t have (and I still needed to go back and review it to remember the difference).

            It’s not a problem at all. Too many news reports are too easy to misread; I’ve done it before myself.

  15. JCitizen

    With this large volume of stolen booty being dumped on the criminal market; I’m surprised the price hasn’t dropped quite a bit – it seems like it was reported as lower in the past.

  16. arglondon

    This makes one think that there should be a hard push for chip and pin cards, but the economic structure doesn’t support it. The big cost for chip and pin is the replacement of the terminal infrastructure, and that’s paid for by Acquirers. But fraud and counterfeit losses are paid for by the Issuers. So there is no economic convergence unless and until it’s driven by the payments organisations.

  17. c0mm0

    Anyone know if Target’s Red card is affected?

    It’s targets shopping debit card directly linked to your bank account that gets you 5% off, but can only be used at target obviously

  18. Marie

    I have the same ? as DS above. I used a Target Debit card which can only be used at Target, but is hooked up directly to debit the money from my bank account. If compromised, can the card be duplicated to be used as a debit card to my bank anywhere, or strictly copied and used at Target? Should I cancel the card or just change the pin?

    1. Ameyls

      I’m not an IT person, but I’m responding to this question, since I had the same concern. Basically, the Target debit card works like a check card: when you make a purchase with it, Target registers it as a purchase on your Target account and then sends a request for money to your bank (an ACH transaction). If someone steals your Target debit card number, they do not have access to your bank account number. All they have is a number that corresponds with your Target debit card, which can only be used at Target. Even if they created a replica card to be used at Target, they would not have your PIN, so they wouldn’t be able to use it. So, any information captured from Target debit cards is essentially useless.

      This is basically the explanation I got last night when I finally got through to Target customer service (after 55 minutes on hold). I also called my bank to confirm that Target is correct about how the relationship works, and they are. That said, I still requested that Target issue me a new card, just to be on the safe side.

  19. John

    My wife has been trying to cancel her Target Red Card for two days and can’t get through as the phones are busy. Target website says this:

    If I call you, what are your hours of operation?

    Agents are available to take calls from 7am to 11pm daily.

    They already have a PR Nightmare on their hands you’d think they’d at least be smart enough to open the lines 24/7. In the meantime I have contacted our bank to request a Permanent ACH Stop Payment for “Target Debit Card ACH” transactions.

    1. DefendOurFree

      If you log into your Target account online, you can set up a notifier to your email/cell phone of any transactions that occur. It is on the left of your account summary view and says, “Set Alerts”.

      1. c0mm0

        those alerts are not available for anything other than a new message is available.

        1. DefendOurFree

          I saw the alert for the new message. There are also fields to fill in for transactions, credits and limits. I set mine up this morning.

          1. c0mm0

            i tried IE and firefox and do not see any custom alert settings other than new message

              1. stop posting

                Yours is a target CREDIT CARD, not the RED DEBIT CARD linked to checking accounts

  20. ct

    My Am Ex was used at Target during breach period. I would assume Am Ex will replace my card at some point. In the meantime I have changed fraud alert settings on my account. I will now receive email alerts for all transactions over $10. Previously I had it set at $500.

  21. QHoster

    I am not sure how still there are a lot of merchants accepting credit cards without the CVV2 code.

    1. AM

      Most of the time I use my debit card stores don’t even ask to see it. My name is clearly female. If they would take a few seconds to look at the name on the card and then the person, maybe a few of the fraudulent users might be caught.

  22. Greg

    We made a purchase at Target on 11/23. I imagine the chances are good that the card is out in the wild now. No evidence of fraud yet.

    Would it make sense to just have the card replaced?

  23. WolfL

    Just a hint for the investigators. I would closely look at anyone short selling target stocks. More money to be made there than selling the numbers

  24. Banyan

    Is there any evidence of fake Target websites being created?

    I can see a nice secondary scam being launched to collect even more data in the guise of cancelling or re-issuing a possibly compromised card.

  25. PeeTee

    Thanks for the clear reporting Brian. The media has done (as usual) a mixed job of reporting and panic-mongering. Here in Target’s hometown, the local news last night opened with a multi-angle report with security experts and local opinions.

    Sadly they directed people to “freecreditreport.com” to check their credit reports, not the approved (and really free) “annualcreditreport.com”.

    1. KimK

      Hmmmm seems to me that by directing people to creditreport sites, etc that with the klutzy security I have noticed on the legitimate sites, a org with the ability to hack target servers/database, etc may well have used a trojan to ‘ hack’ those systems and . . . . need I say more ??

  26. Solar-Powered-Sea-Slug

    They report that the data for 40 Million cards was taken…does that imply that Target had 40 million total credit card transactions at that time?

    Another words, did the hackers get the numbers to *every* credit card used during the breach period?

    Sadly, it sounds that way…

  27. 0xi

    This is an insanely large heist to have been done by ATM skimmers… especially considering how much attention has been directed to it. Some people are definitely going to see prison time for this one, I just wonder how many people were involved.

Comments are closed.