Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year.
Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.
Original story;
According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.
Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.
Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.
“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million of cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”
Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.
In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.
This is likely to be a fast-moving story. Stay tuned for updates as they become available.
Follow-up reporting on the Target breach:
Cards Stolen in Target Breach Flood Underground Markets
New Clues in the Target Breach
A First Look at the Target Intrusion, Malware
A Closer Look at the Target Malware, Part II
Fire Sale on Cards Stolen in Target Breach
Card Backlog Extends Pain from Target Breach
Target Hackers Broke in Via HVAC Company
Email Attack on Vendor Set Up Breach at Target
Who’s Selling Credit Cards Stolen from Target?
Target Canada was likely not compromised because of a different point-of-sale system than US stores. No idea about the card reader and similarities.
Interesting, I wish the idea of Linux being hacked would be pushed more. Cyber security is going to be the most important issue over the next 50 years.
This is a great example of how hackers are getting access to everyones account information as well as what they call keylogging. There is a great software available to install on your home and work computers to keep theives from accessing your information. Please check it out at this link and lets save everyone the headache of having to deal with this kind of situation.
Here is the link, please check it out.
http://cyberwealth7.com/JandL
Thanks,
Jim
Spam. While keylogging is a concern, that has nothing to do with this topic.
Spam. While keylogging is a concern, it has nothing to do with this topc.
Whoops. Thought the first post was lost. Sorry, Brian, for the double-post.
Brian’s site is getting so popular that post take longer now E.M.H.; I’ve been double posting too. 🙂
Interesting Jim B; but I wonder what kind of reputation they have, as I’ve never heard of them? However I see extensive discussion on security forums everywhere about Rapport by Trusteer, which blocks all surveillance techniques by keyloggers, etc. during an SSL session. Also, if you use that in conjunction with a password manager like LastPass, then everything is encrypted from the get go, and is passed off to Rapport in the browser.
Now you would have an argument that what happens to your password manager logon, if you are not in an SSL session? That is a question, I’ve never asked the folks at LastPass. But since Keyscrambler Pro scrambles all of my keystrokes, I’ve been blowing this question off for now. I’m not thoroughly convinced I’m not vulnerable at that point; also I’m not sure that I shouldn’t be shutting the QFX product off while the SSL session is resident, and configuring Rapport to do all the key-log blocking. Rapport tests very well with AKLT on all six attack vectors, if my memory serves me correctly. QFX flunks the screen capture, and video surveillance part of that venerable test; but Rapport covers that very well as I just mentioned.
You got a mention on the CNN lead Brian. You are big time now. Hope you are taking appropriate precautions, I suspect you are attracting more unwanted attention from the likes of those who Swatted you earlier this year. 40 million cards hacked sounds like syndicate level activity to me.
40 million points of data, at 500 bytes of data per point, or about 2 gigabytes of data, takes less than 30 seconds to transfer over a 1 gigabit Ethernet wire, and less than 240 seconds to copy to a USB flash drive.
Which can be done unobserved by a mole while the other employees are on their lunch break.
Can anyone explain to me why Target would keep or store credit card data? It would seem to the layperson that when you swipe your card, a request is made to your bank, funds are authorized, you sign, and you’re done.
Target needs to come clean as to why they are keeping this information. It makes no sense.
Maybe you’ve never heard of refunds???
Like
Refunds don’t need full track data. To go back to the original question, the reason will depend on where in the payment chain Target was compromised. I would guess that this was an in-transit or temporary storage compromise (memory dump or batch processing table).
I’ve heard nothing in the reports so far that Target stored the track data… indeed to do so beyond the short time frame needed to obtain an authorization for the purchase from the card authorization networks would be a violation of the PCI data security standard that they (and any large retailer) are governed by according to their agreement to accept credit cards.
But… the data is allowed to be kept during the time it takes to authorize the charge. Though that is a short time, it is long enough for malware to find and capture that data.
I heard from a friend who worked in the Information Security department of Target that the company queued their transactions on their system and them send the authorization transactions to issues in early morning to get a better deal on tranaction processing fees.
Then who was phone?
Not necessarily the case. I have an AmEx card and they report ‘pending’ transactions almost immediately after the POS transaction, meaning they adjudicate with the credit card carrier real-time or NRT.
So the dilemma with CC transactions is the track data supposedly has to get transferred to the appropriate approval authority to get an authorization code like you layout. You hope, we all hope, that this is done with the least exposure possible of the track data through encryption of the communications channel, storing the data encrypted if storage is required, etc.. But for the system to work the card data has be to exist in its plain text form a couple of places. One is at the POS card scanner, another is potentially in a central card processor system at the merchant, and finally when it arrives at the authorization system for approval. So if I am the bad guy, I have three potential places where I want to have my tools harvesting the data. Once I get it though, I need to get it out. From an incident response perspective, answering the 5 W’s is a start, but figuring out initial vector into the system that held the data in plain text, how they could persist almost three weeks undetected, and how they were able to get the data out will be the most telling parts of the investigation. Sadly, even if Target or any merchant claims to be PCI DSS compliant, an adversary in the right place is still going to get the card data.
There certainly can be issues with the credit card authorization system along the lines that you describe, but it doesn’t HAVE to be that way.
I’ve implemented systems where the card numbers/track data are NEVER in clear text from the time the card is swiped until the data has left the retailer’s network.
This end-to-end encryption is much more secure because it prevents the retailer from ever having the actual card number available to them. The data isn’t decrypted until it is on a third-party payment gateway, at which point the encrypted info is transformed back into clear text and then forwarded on to the card authorization networks.
Is it still in clear text at some point? Yes, but that is only on a much more isolated/secured network – much safer than having the clear credit card numbers out on tens of thousands of point of sale PCs and card swipe terminals.
Encryption of card data has slowly been migrating further and further back in the authorization flow… from the POS PC, to the retailer’s card payment servers, to payment card gateways. Ultimately, I believe this will continue to move – next to the merchant/acquiring banks and then into the card authorization networks themselves… and finally to the card issuing banks.
Each step of that migration costs a lot of money… and it is typically only major breaches like this and the negative publicity caused by them that make the entire retail/credit industry willing to pay the money to take the next step.
The data is stored on the magnetic strip on all credit cards, not only Targets. The data the article says was taken from the magnetic strip which is read when you swipe the card at any place.
Not only that. It looks like they were snatching the data as it was transmitted from the card reader to the POS Payment system. They don’t necessarily have to keep the data for it to be stolen.
Should target card holders cancel? Get new cards? Thanks for your incredible work and getting this information out!
It’s not just Target Cards, track data is from any debit or credit transaction: ANY card used at Target may be jeopardized depending on how much data was lost.
Most computers are not set up to log file copy transactions, so it’s likely that it is impossible to find out what was copied or not, and Target will just recommend anyone concerned to check their bank statements and report unusual activity.
Personally, I’d pre-empt that announcement and just order a new card. If a thief tries to use the old card data, it’ll be declined.
Data on what one should do with their card. Thanks.
Is it conceivable to sue Target in small claims court for the inconvenience & time spent to re-establish new CC account numbers due to a security breach?
You could try but you would be hard pressed to demonstrate any significant losses as the banks should settle all fraudulent charges, so you will only be able to sue for the time involved. The courts generally don’t have much interest if there are no other damages.
Doubtful. Past data breaches have had little repercussions on corporations. Even if a class action lawsuit was formed, the end result will be paltry. $10 to all affected people, probably in the form of a Target Gift Card, isn’t enough when you lost hundreds or thousands from this kind of theft.
And remember that not all banks offer reimbursement. Even if they do, if a customer doesn’t report fradulent transactions to their bank within 24 hours of discovery, the odds of getting that money back begins to approach 0%.
Why are so many people SUE happy ?? Why don’t people push for stricter laws instead. MONEY is not the solution to our inconveniences especially when someone hasn’t even suffered a loss yet!
It’s not about soaking Target for a payday. It’s about making large corporations like Target which handle crucial data for huge segments of the population take the security of their customers’ data seriously BEFORE a major breach occurs.
OP post isn’t about windfall profits, hence the ‘small claims’ jargon. It sounds more like educating corporate responsibility in securing customer private transactions and sensitive data. That type of responsibility is expected from a major retailer.
Pins on debit cards were compromised. My son purchased a pair of glasses at the Target optical department in Liberty MO using his debit card. He said 6 minutes after he paid the local bank called to see if he had just charged $360 in Brooklyn NY, which of course he hadn’t. It was a debit transaction. Anyway the bank immediately shut the card down. Thank goodness for local banks!
PINs are *NOT* necessary to use debit cards at most merchants. Your post only suggests the Brooklyn thief had your card number *BEFORE* your son used it at Target.
True. I forgot about the fact that you don’t actually need your PIN. I personally never use a debit card because I don’t want the money coming directly out of my account. But pretty coincidental that it happened 6 minutes after he used his card and had never had a problem before that. I forgot to mention that it was at a Target store where the $360 was charged. The bank happened to be next door to Target so he immediately left and went next door. The person at the bank told him that he was the second person this had happened to in the last week. I called the store manager to alert him and he acted like I was a lunatic.
The reason I suggested it’s MERE coincidence is it’s highly UNLIKELY your card number was (a) uploaded from your Target in Missouri, (b) downloaded to the thief, (c) duped to a card blank, and (d) used at a store in Brooklyn (Target or otherwise) in *JUST* 6 minutes. For one, uploads from 40,000+ compromised PIN pads at 1,700+ Targets to a server NOT connected to Target or a card network, in realtime, should have raised HUGE red flags SOMEWHERE. It’s more likely the Brooklyn thief had your card number BEFORE your son swiped it at Target. (That says nothing about THIS thief.)
In order to use your Target Debit Card at Target you do need your pin number , you don’t need a pin on a bank issued visa/debit card.
@ Disco:
Target most likely is not storing the credit card info, it is not like they have a file on everyone that has bought something and can access your account numbers. What most likely happened is that the attackers were able to intercept the swipes of cards from hardware devices to the POS or from the credit card gateways to the processor, both of which if true are pretty serious as Target I’m sure meets Payment Card Industry (PCI) requirements, so it will be interesting to see where the breakdown was and what caused the breach.
But Chris at 10:42 am makes a good point. When you request a refund, they don’t need to see your card. Some stores do, but Target does not. They simply put the refund amount back on your card by looking up the transaction. So they’re definitely storing something.
There are many ways to implement such a system that do not require storing the actual card number. Many systems are designed to create/store a one-time use token with the transaction – and that token can later be used to process a refund through the credit card processor.
I agree with Brian that it is unlikely that Target is storing the actual card number… almost certainly they are not storing the track data.
But at the same time, I’ve seen/heard of dumber things that I was sure just couldn’t be when it comes to credit authorizations and retailers.
Yes, you could use a one-way hash like the way passwords are verified. But that doesn’t mean Target is doing it that way. They very well could be storing the entire CC number for any reason or for no reason. The only people who know are Target themselves, not any person on this site speculating about it.
Agreed… and I am not trying to defend Target here – at least from anything other than the speculation you speak of.
Stating that Target is likely storing full account information because they don’t require a card swipe to process a refund is just as much speculation as anything.
My post was to point out that there are secure/reliable ways to implement that sort of functionality WITHOUT needing the full account number to be stored in Target’s systems.
I still agree with Brian that given the size of Target’s operations, it would be unlikely that they are storing the data because of the requirements to submit to/pass PCI audits. Storing the track data in the way that is described would be a significant violation of PCI requirements.
What Wombat94 said. Given their size, Target has got to be at Level 4 compliance, and that means a yearly overall audit PLUS quarterly security checkup done by a third party. It’s hard to imagine Target passing any of that if they were holding that info in violation of PCI standards.
However the compromised occurred, it had to have been somewhere between the swipe at the POS terminals and before the batch processing for approvals. While it’s not impossible for it to have been elsewhere, it’s unlikely because that presumes storage being done in violation of the standard.
They would have to be Level 1, not Level 4 (level 1 implies millions of card transactions, Level 4 hardly any) which requires annual checks and quarterly external scans of public facing websites.
Whoops. I got that backwards, that is right, Level 1 is the correct one. That’s my mistake.
Wombat,
I don’t know if they still do, but Target used to store your CC in some form to provide trasaction lookup for lost receipts. This was years ago and I hope they stopped.
As far as tokenization is concerned, you cannot determine from the card which token was used, (at least in a good token, some try to mimic a card and are actually reversible), thus losing the trans lookup feature.
Additionally, to speak to the transit, there are readers that encrypt at the magnetic head, therefore the data is encrypted in transit to the POS. A good system would then just forward this to the Acquiring processor who has the decryption keys for the brand of reader (Engenico or verifone).
There a more than three places to grab unencypted PANs. I believe when the data is sent to Visa/MC it should be reencypted, but acquiring processors send it as ASCII text through the DEX (Visa) connection, ie. unecrypted. On the other side it goes thorugh several hands again – Issuing processor, issuing bank or sponsor and may or may not be encypted.
The fact that we don’t have more exposure is actually amazing.
Target does store the full card number. That’s how they’re able to process merchandise returns without a receipt; they look up the transaction by the combination of CC number and product bar code to verify the original purchase.
Well, there you go.
@J. Peterson
What are you basing your statement on? Do you have specific knowledge that that is how they perform this function?
There are other ways to perform the same function without needing the account number stored in their systems.
ACTUALLY, The information pertaining to dates is incorrect, This has been going on as far back as LEAST August. Someone on here mentioned transactions being made on Dec. 13th and 14th at a Target in Flushing, NY. The same thing happened to me on both days, and from the Target Location in Flushing, NY as well with one of my bank cards. BUT, in August the SAME THING happened to me where a DIFFERENT BANK and bank card(used literally 4 times for any type of purchase) was used at the same Target in Flushing , NY. Back in August, I thought that those fraudulent transactions were due to some people at a new doctor’s office I provided my information to scamming. After hearing about this, I checked my bank statements and both cards were used at a Target(NOT IN FLUSHING, NY) with one transaction going back to March, 2013. NOW, it all adds up. It doesnt matter when you swiped your card or which Target you swiped it in, EVERYONE SHOULD BE CAUTIOUS AND CONSIDER GETTING NEW BANK CARDS. People are evil and greedy. Please careful everyone.
Why are you re-posting the SAME misinformation you posted here earlier? All that proves is the thief USED the stolen card data at Target in Flushing; he could have stolen it ANYWHERE. That has NOTHING to do with THIS breach.
To answer your question, the repost was an accident, because I did not see it post originally. Accidents DO happen. This IS a public discussion. My point to the posting is to say that the dates where people swiped their cards between black friday to whatever date in December, is not valid. Sorry you got annoyed about something being reposted.
The REAL problem is you’re confusing where the stolen numbers were USED with when & how they were STOLEN. Just because the thief USED the cards at a Target store does *NOT* mean he STOLE the numbers from Target (in Flushing or elsewhere), nor does it prove THIS breach began before 11/27.
RBBrittain-Now I get it, I bet you’re the IT person that worked on Targets security and transaction processing!
Nope; I’ve never worked at Target (and I’ve been retired on disability since 2009), though I do have a REDcard debit card. I have, however, worked with both finance & computers; my posts are based on what I know from my own personal experience. Folks who don’t know how these things work tend to assume certain incidents are related when they’re NOT. Just because she had a past incident involving Target does NOT make it part of THIS incident, as she is claiming.
You are correct RBBrittain; but please don’t beat people up because of the posting delay here at KOS. There is a lag time involved, and folks are just repeating everything thinking the post didn’t stick. Thanks for you accurate points hear on KOS! 🙂
I wasn’t questioning the repost as much as the WRONG CONCLUSIONS in BOTH posts.
Are you a Target rep?
No; the problem is her post mixes apples & oranges. Just because (a) the thief used her stolen card numbers at one Target and (b) both were once swiped at a different Target does *NOT* necessarily mean the numbers were stolen *AT* Target — much less her claim that the breach occurred before the date Target has admitted to.
True, but ironically, the credit card thief who took her card number probably had his stolen card number taken by this more massive operation.
Is there no honor amongst thieves?
Do you work for Target?
Chris at 10:42 am makes a good point. When you request a refund, they don’t need to see your card. Some stores do, but Target does not. They simply put the refund amount back on your card by looking up the transaction. So they’re definitely storing something.
Just to keep on first page:
Rescator.la = main site selling Target cards
Kaddafi.hk = secondary site selling Target cards
Lampeduza.la = forum where administrator, Rescator is operating his ‘senate republic’
All are free to register and join.
Base Name for cards: Tortuga
While we are at it, here is some contact information:
trayan@lampeduza.org
flavius@lampeduza.org
rescator@lampeduza.org
ICQ: 100845 17700 10576
Why do you keep bumping this? Posting it once should be enough for Mr. Krebs himself (and law enforcement); unless you’re willing to hand YOUR money to known thieves, there’s NO reason anyone else should go there.
After receiving a link to this article in my email this morning, I became concerned, since I did actually shop in a Target on Black Friday…however, when I tried to log into my account, the RedCard services are unavailable….a bit suspicious.
I guess I will be calling them.
That’s NOT suspicious; the RCAM site is obviously swamped right now (as are the phone lines). Go back later.
Same here. Can’t get to Red card site and it says it has an untrusted cert! Not good. Their 800 number is flooded and I just get busy signal.
Having been at ground zero of a similar large breach several years ago, this sounds very familiar.
Someone with knowledge of the POS system most likely created malware to capture transactions coming into the server. In the instance I was involved in, no data was deemed to be “stored” on the server. However, their was a temporary, text based cache file that held the card data. All the malware had to do was capture that data and FTP it out.
Being a system admin, my guess is that every device out there has the same local administrator account and password for ease of deployment. They probably captured this at a single store and it was easy from there.
It also means that they do not have a proper security posture, which is typical in retail. The malware probably wouldn’t have been caught by Antivirus, but their NOC should have been alerted to connections to strange IP addresses. My guess is that they don’t really take security seriously because they’ve never been breached before.
They are going to have a very rough next 5 years in their IT and security departments.
I agree with your thought. This smells like an insider threat. Now, when will the next big retailer get hit? They proved they can do it, now how ever they did it is a commodity now. Now watch all the zero day POS malware fly. It’s going to be an interesting new year.
Thanks for reporting this massive breach. I’ve been checking my accounts religiously since I heard, but of course the Target Redcard site is overrun and their phone lines are busy. How do y’all feel about LifeLock?
Instead of Life Lock, just get a Credit Freeze. Much cheaper and locks your credit down with an password/pin
http://consumersunion.org/research/security-freeze/
I am an ~29+ year veteran of IT and business, worked for some of the largest companies in the world (IBM, RockWell, HoneyWell, etc.) as an engineer, project manager, and manager, built datacenters, worked in datacenters all over the world, worked with and oversaw employe, worked across the spectrum in security, storage, convergence, wireless, VOIP, systems, networks, LAN, WAN, etc., blah, blah, blah.
When I went into Target one time to purchase some biking shorts for running, I discovered they had the most cockamamey inventory system. So I contacted Target corporate IT and had a long chat with some a$$hole there who listened intently to my suggestions and then basically told me to eff off.
Some of the most inept IT systems yet arrogant employe I have ever experienced.
This comes as no surprise to me…a beer company with a champagne arrogance.
Welcome to the world of retail. They don’t want to spend money on anything unless it brings in profit. Security will definitely relate to more profit.
That’s supposed to say “NOT” relate to more profit.
I think this will hit Target’s bottom line as I suspect a large # of their customers will cancel their RedCards as a result of this and never go back to them.
Does mentioning all the companies you work for as well as your job titles somehow make what you say more valuable? I can tell you this, if you got on the phone and tried to tell someone in an IT department that all about yourself as you did above, that’s an automatic ignore in most cases. The arrogance is on your part when you start a conversation like that, flashing your credentials does not help your cause and only makes you seem conceited.
Here’s a question, the Target in my area just recently upgraded their Card reader machines (although it was before this breach). Not knowing enough about POS devices, is the reader machine the same as the POS device?
Good question. In my opinion the type of POS device in Targets are a physically separate device; but I would define them together as a system for point of sale. However, I’ve seen POS readers that are self contained in brick and mortar stores that are totally separate from the electronic cash register. The clerk simply enters it as a sale on the register when the card is approved through the reader. So it is arguable which device is the POS device in those instances.
Wellsfargo has a fraud prevention unlike no other bank, they alerte you when fraud charges attempted and made. I was able to get video of the low level crooks using fake card to make purchases, because I called the stores and requested the video be saved for police. They may catch the low man or men in this case but this is big crime, big organization with many heads? Hope security become quicker at tracking the crime and getting the mob bosses?
If you have a Target credit card and you’re trying to check your online statement for fraudulent activity, good luck. I’ve been trying all morning and the website is not responding.
I am a victim of this incident and I will not totally agree with the fact that the credit card information have been stolen from the
device. I have my target credit card and I have not used it for any purchase online or at store, yet my card information has been compromised. To be more specific I got a email stating my email address have been changed. Actually the person has added a period(.) in my email address but Gmail servers doesn’t care about the periods(.) whether they have it or not. So I received the mail stating your email address has been changed. In case if the person has added another letter I would not have got. After that I received the order confirmation email for two orders to the changed email id which I didn’t. So I called Target and closed my account. This incident happened on Dec12,2013 11:20 AM EST.
Is anyone now working for corporate Target who used to work for TJX??
Trying to get all this straight. My wife has a Target Red debit card that is deducted right from our checking account. Should we cancel our RedCard account or change our checking account number at the bank? Thanks for the great info on this.
–Bob
Bob, I was wondering the same thing. My bank told me I need to contact target directly to find out if my checking account number and bank routing number are stored in a different part of their system than that which was compromised. The gal at the bank said she tends to think we are safe as Target debit cardholders. However, as you can imagine, getting a hold of anyone at target today is virtually impossible.
RED card holders should be very concerned. The thieves were able to setup a successful ACH debit against the checking account our RED card is attached to. We got hit for 4 small transactions on 12/09, the same day we were at our local Target shopping.
I called the bank and they put a hold on any ACH transactions from Target going forward. But the thieves had the ability to setup ACH transfers on Targets behalf (the transactions still say Target ACH Debit) then they weer funneling money through them possibly or just leveraging the link between Target and our bank via the RED card. Just hope they don’t have enough info to create other ACH transfers through another merchant.
Almost sounds like an inside job
From what you described, the thieves may have used the magstripe data from your REDcard, and at least guessed your PIN; that’s enough to buy stuff at Target without breaching their ACH database. (Target hasn’t admitted to a PIN breach yet, but given where it apparently happened it’s not unthinkable.) Assuming the breach actually occurred at Target, I’d have the REDcard cancelled & reissued.
*IF* you get NON-Target ACH debits (or fake checks using your routing & account number), only *THEN* would I consider changing your bank account number. So far, all indications are they had store-level breaches (perhaps same passwords at each store); the REDcard ACH database is maintained at corporate level. Only THAT database would allow non-Target purchases.
(Ironically, checks may be LESS secure than REDcard debit at Target right now. Target uses an “e-check” system, which captures routing & account numbers from your check at *store* level to generate ACH debits; as I said above, REDcard debit stores ACH data only at *corporate* level. Though “e-check” doesn’t use the PIN pad, I suspect the breach involves store servers and possibly even registers; if so the thieves COULD have stolen ACH data from checks.)
Since the RCAM (REDcard Account Management) site is being hammered right now, I’d start with your bank’s online banking and see if there’s anything suspicious since 11/27. If there is, call your bank first and follow their instructions, then call Target. If not, check back with RCAM later in the day (and periodically thereafter) to see if anything suspicious shows up there; if so, call Target (they MAY be able to catch it before it gets to your bank).
At a bare minimum I suggest changing your REDcard PIN, whether on RCAM (I did that early this morning) or by phone. If anything suspicious shows up from Target (on RCAM *or* as direct debits from “Target Debit Crd” at your bank), have your REDcard cancelled & reissued. Unless your bank insists on it, I would *NOT* change your bank account number *unless* your bank account has suspicious checks OR non-Target direct debits.
At the moment, all Target has admitted to is basically magstripe data — *not* PINs, and *not* bank account numbers. That would be enough for credit cards (including REDcard credit) and *any* outside debit card (especially Visa/MC, but even “PIN-only” debit can be used without a PIN at some places), but REDcard debit *always* requires a PIN. Though magstripe & PIN would be enough to buy stuff at Target, the thief would have to breach a Target corporate server to access your bank account info (routing & account number) to do anything beyond Target; so far there is NO indication of that.
What about possibility of a privacy issue? Target requires customers to swipe their Drivers License at various times like when buying alcohol, spray paint and IIRC, making returns.
There is a lot of info on those DL stripes…
Was the breach just Credit and Debit cards?
Personally I’m not concerned , everything in the media now days is hyped up and people feed on it , I know there’s been a breach but I can assure you there’s probably many all the time we don’t e hear or know about. This is going to be resolved and if you are worried then you shouldn’t have any credit or debit cards.
So, now everyone is busily cancelling their debit cards which means everyone will not get their replacements until WELL after Christmas due to the holiday mail. Just lovely.
You should be able to get a new card on the spot be going into your local bank’s branch.
LOL. The last time I went to my local branch for any service (I needed to get a cashier’s check cut), their check printing machine was broken. I highly doubt they would be able to whip out a new debit card (w/new account number) for me on the spot.
Mine can whip out one on the spot. Just didn’t want anyone to be without access to their funds.
HA! HA! You mean they don’t parachute in like the TV commercial? 😀
No parachuting. Gotta step ‘into the wild’ and climb for it. http://www.youtube.com/watch?v=CIjGaDUp6FY
That depends on your bank for Visa/MC debit; it definitely will NOT help for REDcard debit as those are issued by Target itself. Indeed, part of the reason I am *not* suggesting everyone get new REDcard *debit* cards right now is that will lead to massive delays that can probably be avoided with a sufficiently secure PIN. (REDcard *credit* cards, however, SHOULD be cancelled & reissued; they do *NOT* require a PIN so they can be spoofed with magstripe data alone.)
It would be great to get a list of compromised locations so that credit/debit card companies can monitor or proactively reissue cards that were used at those stores on the dates affected.
I think they said most Targets, so I believe that might be almost everywhere.
Love it when you scoop the media giants. Great work Brian!
Does this situation only include people hacking your card number, or all your personal info? I ask because I shop at Target weekly using a card, and last week another creditor called me about an account that had been opened in my name, with all my info, including my SSN, which I had no idea about. Just wondering how an identity thief got it!
You may want to go through Brian’s previous posts on doxing: https://www.google.com/#q=blogurl:http://krebsonsecurity.com+dox&tbm=blg
What does this mean for people who use non-Target debit cards at Target, though? There’s so much focus on the Redcard, but I think the general public isn’t quite understanding that it’s ALL bank credit/debit cards that are affected.
I thought I used my debit card very conservatively and responsibly – no online purchases, and using it at only two stores: the grocery and… Target. Now you can’t even trust a big retailer’s point of sale? Cripes.
In your case I would DEFINITELY call your bank and have the card cancelled & reissued if you used it at ANY Target between 11/27 & 12/15. With magstripe data, the thieves could easily make duplicate cards and hit your account even without a PIN. (If they have PINs, they could even hit the ATM with them.) Even if they haven’t hit you up yet, odds are SOMEONE will; reportedly the numbers are already for sale on fraudsters’ websites.
IMO, the folks who just read the media understand it’s ALL credit/debit cards; magstripe capture alone implies that. The main reason a lot of the posts here involve REDcard debit is (a) it’s a unique system that’s not fully understood, so folks are naturally more fearful, and (b) the level of damage there depends on exactly WHAT data the thieves may (or may not) have beyond magstripe.
You may want to visit your bank, and change the PIN associated with your debit card. If nothing else, keep a close eye on your checking account, to make sure there’s no fraudulent activity.
It’s good that you know not to use your debit card online.
Thanks for this Brian! I mean, for the article, not the inconvenience. That I leave to the cretans, Target IT and financial card services…
I called my bank up and had my card/pin cancelled. Nothing odd on the account but I did use it the week of the 6th. And I never really shop at Target but was just this once for a particular gift.
Thanks Target! I have to get to my bank this weekend and get a new card printed. Oh, and asked to bring my Target receipt to confirm…that way I am not charged a lost card fee.
BK, something’s up with your site. When I got ready to post this comment, RBBrittain’s comment appeared above the “leave a comment” box, and his/her screen name and email address were in the “name” and “email” fields.
My Opinion Only –
Besides this major scheme, all the other minor schemes are still in effect, which will include 1) physical loss of card 2) card skimmed elsewhere and clone used at Target 3) card skimmed at Target and used elsewhere 4) Target Red Card used on compromised website 4) credit card used on compromised website and used at Target. These routine minor schemes will reduce visibility and make identifying the major fraud root cause more problematic.
This major scheme is 1) for during the Black Friday period 2) ANY AND ALL credit cards, RED, debit cards, stored value devices, 3) PHYSICALLY used inside a brick/mortar Target store. You want to cancel any applicable card and have it reissued. Seek identity theft protection as once the initial wave of hijacked cards are cancelled, the bad actors may try to develop profiles and prepare other accounts by combining Track 1 and Track 2 data, with information available in public records via online reconnaissance (www.ancestry.com etc). This is My Opinion only….