December 20, 2013

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card.

A graphic advertisement for stolen cards sold under the "Tortuga" base.

A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s N0v. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran a fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they posses the legitimate, physical card for the corresponding account that is being used to fund the online purchase.

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

[EPSB]

Have you seen:

Non-US Cards Used At Target Fetch Premium”…An underground service that is selling millions of credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.
[/EPSB]


445 thoughts on “Cards Stolen in Target Breach Flood Underground Markets

  1. Terry

    I visited Customer Service in a NJ Target today asking about my Target card which was used in stores during the period in question. The Customer Service rep told me no stores in NJ were affected. Have you heard anything to this effect? I’m highly skeptical.

    1. Shannon

      Terry, this is false information.

      Target is most likely telling you this to ease your worries. I was told the same thing at my local store. However after reading this article I went to that black market store and searched my bank’s BIN and found numerous results. All the city and zip code info supplied with these results are exactly where the Target stores are located in my town.

      Also saw some things uploaded to the store with a Tortuga-world base… Not sure if that had anything to do with the Target breach though.

      1. Carmen

        Hi Shannon,

        I was reading the comments and came across yours about a Black market store, Can you share this linke to me.

        Thank you

        1. Shannon

          Carmen,

          It’s the same site that Brian mentioned in the above article. He doesn’t type it out as an actual url, presumably to stop any hits from a Google search. But you can find it above.

          1. Ed U

            Shannon, I just went to the dumps site, but closed the window in the middle of it “downloading.” I want to check if my card data is for sale, but don’t want to invite a Secret Service visit (I don’t think my dad’s Secret Service career will insulate me from any investigation!). Even with private browsing set on my Mac, will I have black helicopters circling over my home moments from now???

            Okay, all silliness aside, will I get traced if I go to the dumps site?

            1. Shannon

              I honestly doubt it. And it’s not like you’d be buying any of the information so you’re not breaking the law. Just be careful what you do online with a family member working for the government. My friend’s security clearance for her job doesn’t allow her to go to wiki leaks and things like that and if she gets caught, she will get fired.

            2. Josh

              I can answer this for you Ed:

              No, you’ll be fine.

              Source: I was a seasoned “carder” in a former life.

  2. Brian

    I was just on Target’s site and found an FAQ about this problem. Are they clueless about things like the security code on credit cards? This is right off of their site.

    Is the CVV code the same as the three-digit code on the back of my card?

    No, the CVV code is not the same as the security code on the back of your card. As of now, we have no indication that the three-digit code on the back of the card has been impacted.

    1. Heron

      There are two CVV codes. CVV1 codes are stored on the magnetic stripes of cards, and those were compromised. CVV2 codes were not compromised. Those are the printed codes you give to merchants when making purchases online or by phone.

    2. Robert

      The CVV is encoded in the magnetic strip on the card and is sent for “card present” transactions. The CVV2 is the three digit number on the back of the card and when used designates a “card not present”transaction.

      1. grintch

        So, if I scrape the CVV2 number off the back of my card, and memorize it, for security reasons, in case it gets physically stolen or something, will I invalidate my card?

        I realize this won’t help in a case like the Target situation.

        1. Broadwing

          You would technincally make it harder for them to use online, but it wouldn’t flat out invalidate the card, no. A REALLY on the ball cashier might think it weird the card’s been altered, but what are the chances of that – and in the meantime you’d be doing it to yourself.

          And it wouldn’t, as you say, protect you from a data breach, which is probably the biggest deal these days.

  3. jlk

    So far, haven’t seen suspicion directed to agencies of U.S. government.

    Why not NSA (or NSA rogues)? In addition to manipulating stock market, why not another clever heist?

    Why not IRS (or IRS rogues)? Instead of depending only on taxes, why not commit some covert theft)?

    Consider: Target this year, Walmart next year, etc.

    1. Me

      This was my very first thought. You’ll notice there is absolutely ZERO words in any article relating to finding out who perpetrated it. All that’s talked about is the cleanup. People need to legitimately and seriously ask themselves….what kind of organization other than the government could target every single store in one of the country’s largest chains in such a covert fashion?

      1. subs

        wtf?
        At least a paranoid conspiracy theory should make some logical sense.
        Explain please why you think the government would/might be being this?
        That makes no sense.
        Why would they do such a thing?

    2. subs

      wtf?
      At least a paranoid conspiracy theory should make some logical sense.
      Explain please why you think the government would/might be being this?
      That makes no sense.
      Why would they do such a thing?

      1. Daniel Hoffman

        My greatest concern isn’t the NSA operating in an official capacity. People who work for the NSA have an impressive set of tools at their disposal if they go rogue.
        That the NSA has been collecting data that appears to be corporate espionage is worrisome. They could easily front run earnings reports, downgrades and upgrades.

        On another topic: Target made it very hard for my wife to cancel her account. They lied and said nobody involved has had their accounts useby hackers yet. After being on hold for two hours…yay speakerphones!…. the rep put her on hold another 20 minutes after failing to talk her out of cancelling her RedCard.

  4. Trisha

    How does this affect the customers that use their Target Red Card *debit card* that is tied directly to their checking account?
    Should they be worried?

    Also, I have read two different versions. Was the security codes captured and the pins? One place says yes, one no???

  5. Me

    It’s sad that in this day and age security companies and governments literally just watch online theft and have no means to stop it. “Hey your card information was stolen, but we saw that it ended up at this website. Just thought you’d like to know!”

  6. Norman Rice

    Why not show your driver license or any ID before excepting your credit card? If you not you are very stupid ! If the law say’s no, let them pay for it. Good luck.

    1. grintch

      I write in the signature space on my cards “ASK FOR I.D.”
      I’ve been asked maybe only 3x in my life, usually at smaller stores.
      I think most places don’t really give a sh*t.

      1. Paul

        The reason for the signature on the back of the card is not to identify you as the cardholder, it’s to make sure you agree to the terms and conditions of the card.
        In theory a retailer could refuse to accept a card with no signature on it.

    2. Old School

      On the back of my VISA card, the small print below the signature area says “not valid unless signed authorized signature”. I just ignore that and put “PHOTO ID REQUIRED”. Granted, I am not following the rules and I could be hassled, but in the years that I have used my cards this way, I have never had a problem. Read Keyser Söze’s comments in this article on this subject.

      1. DP

        Anybody who thinks a minimum wage cashier is qualified to make decisions regarding the security issues involving the use and acceptance of a credit card during a point of sale transaction is ignorant. However that’s the exact position they are placed into by their retail employers. Most cashiers simply choose the shortest path of work for themselves before the ultimate goal of not being bothered by customers, and that path usually means quickly processing the transaction with the least necessary identification verification possible. Pay for your purchases in cash, and get a receipt.

        1. Rick

          It’s a valid point, but I’ve used my U.S. Mag in Australia and Europe from McDonalds to Target to hotels and every single clerk took the time to ask to see a photo I’d and they matched my name to that of the card. I hope the most Americans regardless of their pay can match and compare to printed names.

          I agree I don’t expect them to know if the id is valid or the card, but it is 100 times more difficult to try and mass produce govt issued IDs for every card you can purchase I the underground markets.

          One simple check. Oh you don’t have any ID and the card your using looks like a hotel rom key. That task would not seem too difficult. I insist they ask for mine and when they do I thank them for checking.

      2. Griffey

        I can’t even remember a time that a Target cashier (or any cashier) asked to see my credit card when I make a purchase, let alone an ID. I take it out my wallet and swipe. Depending on the amt of the purchase at Target, I don’t even have to sign the screen.

  7. housecat

    So does this mean that Target stores its customers’ credit and debit card information? It would explain how they print out customized coupons based on prior purchases. And how they inadvertently provided a gold mine of card info for crooks. I’m considering taking my regular business elsewhere.

    1. flowerchild

      i believe the coupons are only generated based on what products you’ve just purchased.

      1. housecat

        I’m still getting coupons for Brita Water Filters, which I haven’t purchased in a year.

    2. TJ

      Here’s an experience I had at Target a few years ago that really concerned me about the information that Target stores in relation to its customers’ purchases:

      I had purchased a pedometer that stopped working within a few month, so while shopping at Target one evening I walked over to the customer service desk just to inquire about the possibility of a replacement. With neither a receipt nor any packaging, the clerk asked if I had used a credit or debit card for the purchase and if I had that specific card available. I handed the clerk my VISA card who swiped it and told me within a few seconds that she had found the purchase. She then told me I could exchange the pedometer for another one or she could simply issue a refund.

      At first I was really impressed — then I felt a creepy sensation when I realized that Target was actually storing a record of everything I had purchased there with my credit card. That experience was the first thing that came to mind when I read Brian’s first story about the Target data breach.

  8. housecat

    One more thought, after reading Norman’s comment:

    Why not require that all credit & debit cards have a drivers license-type photo of cardholders on the front? It would make verification a breeze, at least for in-store transactions. A good deterrent for crooks who spoof cards.

    1. n3wt

      For the same reason that it is silly to write “Ask for ID” on your credit card. They have your credit card mag strip data. Think of what that means. Well, that means simply they can make a credit card with *your* data and *their* signature *AND* *their* photo.

  9. Terri Morey

    I appreciate this article. I used my Visa card in Target on Dec. 4 for around $24. On Dec. 16th I received a call of possible fraud on my card. Within minutes someone had used a clone of my card in a Target store 3 hrs. away, $20,000. My first thought was obviously someone had skimmed my card, but then this Target breach was announced.

    Even though I won’t be responsible for the fraudulent charges, every single consumer pays for fraud like this within the cost of every purchase we make.

    1. cfarmer

      If a compromised card is used at a Target store, such as your case, who pays for the transaction? Target or the bank that issued the credit card?

      1. Terri Morey

        As far as I’ve been able to find out from other retailers, they have budgets set aside for loss. Target just happens to be the store where the cloned card was used, so the loss will come out of their pocket, which in turn comes out of all our pockets.

    2. voksalna

      $20,000? My first thought is how did this go through and not get the card blocked — there’d be little chance of this not getting flagged as fraud on a properly implemented card network — it should set off a number of fraud alerts (and most of these ‘solutions’ are purchased or heavily invested in to prevent issuer loss).

      Your issuer was slacking, unless you regularly spend tens of thousands of dollars at a retail store all at once.

  10. Kade Ja-Latefah

    It is not that merchants don’t care in asking for an ID, but that it is against the policy of VISA. Probably other cards too. Just as it is against their policy to limit purchases- yes you should be able to charge any dollar amount-even tho a merchant says “no charges under $10” or whatever. The tragedy is that many small credit unions and banks will lose thousands of dollars each and perhaps can’t recover. Target and other retailers need to ELIMINATE the swipe machines and go back to on register swipes!!

  11. Manda

    Guys.
    If you used your card- just pay the $5 to get a new one. It’s worth the sanity.
    Those of you who write CID on your card- that’s fine, but that doesn’t stop the problem.
    I work in retail management.
    I have caught many thieves with multiple stolen cards. The don’t just steal your info- they embed it into multiple cards. They build fake id’s too. Sometimes, the cards swipe one name and read another. They look real. But they aren’t.
    As long as companies continue to collect info off of purchases made by consumers, these problems will always arise. Just be careful where you swipe, and if you see something wrong- report it and have your bank info changed.
    Change passwords and PIN numbers atleast every few months.

  12. Patoka

    My brother’s credit union cancelled and reissued him a new card after they found he had made purchases there in the time frame. They even had a separate line in the branch for anyone who had made Target charges.

    1. Griffey

      I’m really surprised AmEx hasn’t done something (like Chase)

  13. MrMr

    Why is Target storing credit card information?

    I go through a song and dance with my credit card processor to make sure my transactions are secure.

    I have a point of sale computer, but it’s not attached to my credit card machine. When I slide my customer’s credit cards the card information just goes into the card machine then dials over the phone line to the processor. This is as secure as it can be. Nobody can steal my customer’s CC numbers. Why doesn’t Target do this?

    Have they taken the security test with NPC to verify their process is secure? Obsessively they are not secure.

    What steps are they going to take to make sure this doesn’t happen again? How many other companies are doing what they’re doing so they can be breached too?

    https://i.imgur.com/n2ZnKLF.jpg
    https://i.imgur.com/n2ZnKLF.jpg

    1. JWS

      In Target’s case, the card data goes from the card reader to the POS terminal (“cash register”), which forwards the data to an in-store server. The data may also pass through more servers in Target’s network before it gets forwarded to the bank. Then the bank sends the response back through Target’s network to the POS terminal.

      Those Target servers through which the data passes wouldn’t normally save it. The server(s) that normally would forward the data without saving it apparently have been infected by malware which forwards it to the crooks.

    2. Uugh

      I wouldn’t put all that much trust into the unit just because it’s on a phone line, and not attached to a computer. Look up the card hack on the verifone units. 🙁 I don’t know details, I just read press releases on some of this junk. My view is, where there is a will, there is a way. It’s a matter of how bad someone wants the item.

      I am sure Target has an extensive set of policies and procedures in place for security. Any corporation that large will, and they will audit them to ensure they are being followed. I also wouldn’t judge their security levels based on a test from a processor.

      I feel for anyone doing network security. It’s not a position in the computer field I would want to do. Talk about sleepless nights.

    3. Chlte

      This is my question too – I was under the impression that the data stays encrypted all the way to the Payment Network (MC, Visa). I would think the retailers only need a few of the the account number digits, date of transaction and amount to be able to reconcile their payments with the Networks. The un-encryption in the process should only be at the MC/Visa operation. Guess I expected too much!

      1. Anonymous

        As a field technician who deals with POS and credit card payment systems, I have some insight.

        I have never done any work for Target, however, I have been offered multiple positions for their POS upgrades and Windows 7 migrations. I haven’t taken any because A) the pay is shit compared to other projects and B) fellow technicians have told me the working conditions are shit, too.

        It’s becoming commonplace in the industry to disable “E2EE” on the PIN pads themselves. E2EE is “end-to-end encryption”. I’ve done this for multiple nationwide chains, either via software upgrade, or terminal replacement. Not all of the merchants are retail. Some of them were restaurants, convenience stores, etc. E2EE was causing the merchants many issues with payment processing, the most significant of which is timeouts — the PIN pad will just hang for ~30 seconds before failing, and require the customer to swipe again. E2EE also prevents the merhcant from storing first name and last 4 digits, which PCI allows them to do for customer tracking.

        Different PIN pads have different levels of security, and different connectivity options. By far the most secure are direct ethernet attached devices, where they’re on their own VLAN, and communicate directly with an embedded VPN-style device, where all communication is encrypted before leaving the VLAN segment. However, this style is few and far between.

        Most merchants are still using USB or RS232 attached devices, where the host OS is responsible for providing a device driver, and a software application is responsible for communicating with the device, encrypting the data, TCP/IP communications with the payment network, etc. The application also uses an IPC method to communicate with the POS application. Some merchants use VLAN trunking — POS is on, say, VLAN 10 and EFT processing is on, say, VLAN 20, and the respective applications are only allowed to bind to their respective virtual network interfaces. This isn’t a bad solution.

        The largest issue comes from the fact that these systems are almost exclusively running Windows XP. Windows 7 migrations are on-going, but I’d say only about 5-10% of retail POS systems are currently running Windows 7. A lot of the migrations have been put on hold due to various issues. Add this to the fact that these systems are centrally managed, and each day, when turned on, grab their OS image, or at least start-up scripts from a central network TFTP server, or whatnot, using a system such as CCM or SCCM. I know Target is migrating to SCCM.

        All it would take is an exploit of the SCCM server, injection of an arbitrary piece of code which mirrors each swipe in unencrypted form to another IP, and it’s game over. Every POS device system-wide, compromised, by compromising one machine.

        There is also always the possibility of it being an inside job, especially when Target (or Target’s contractor, not going to mention names) refuses to pay their IT team anything near considered a decent wage for the job (not going to name specific numbers, but Target’s jobs pay about 50-70% of what the industry standard for these type of jobs is). My guess is someone from a larger group worked with someone on the inside to pull this off.

        These stores need to realize Microsoft isn’t helping them out at all, and need to switch to Linux. I know of a few retailers who are using Linux for their systems, and they’ve never had any security incidents. Not only does Microsoft charge outrageous licensing fees, their software is shit, it’s poorly maintained, patches are infrequent and delayed, it’s insecure, the code can’t be audited, customized, or hardened. The list could go on.

        But the time is now, especially with the joke of what is Windows 8 coming out. POS systems aren’t play toys. They aren’t living room toys for looking at porn late at night when your wife is asleep. They aren’t general purpose computing devices. They’re very task specific, and only need to do one thing: handle sales of goods. They should be built and used as such.

        1. Anonymous

          Oh, and just to add onto my previous post.

          Once again, not naming names, I have done quite a bit of work for a certain retailer who uses Internet Explorer 6, on their Windows XP powered POS systems, to sell their customers products that they don’t have in-store from their website.

          That’s about as smart as securing a bank’s vault with a “pop-lock” privacy lock you’d use on a bathroom door.

          1. Uugh

            Funny on the IE6 comment. I still see groups (Healthcare Networks) who are still running IE6, and use the excuse that legacy applications will not work in 7+. Amazes me at how many are still not updated.

      2. Uugh

        It all depends on the developers and requirements of the company. What should be done is that the registers utilize an SSL/SSH connection to an internal server to process the transaction. So during transmission on the internal network the data is encrypted. Once it reaches a server, they would decrypt the transaction, then run internal processes on it for storage means (Target seems to utilize Oracle, but one never knows unless they work there). After that the server would then send a request to the gateway and most likely get a tokenized transaction key back. They might utilize this for returns, thus why it needs to be the same card. It’s not actually the PAN / Track data that is stored in most cases (If it is, they are not PCI).

        The issue is that, the application itself (The POS system) almost never talks directly to the gateway. So there is going to be a central cluster of server’s that manages the transactions and decrypts the communication to store it in a central database. So there is always a weak spot in the system. In this case, I would imagine it will be the terminals that were at fault.

        You also never know, it could also be that the people who did it utilized a backdoor in the encryption during transmission. It’s not like our government isn’t paying companies to inject backdoors in the algorithms that everyone utilizes. Just because they know the hole, does not mean someone else will not.

  14. Izzy

    Buying back cards from a black market? Why? Just reissue new cards…

    1. stine

      Because they, from what I gather, were trying to validate that the card #s were theirs.

  15. MrMr

    As I’m thinking here. I’m reading the prior posts, and notice someone says the article never mentioned how they were breached. Isn’t that interesting. How did someone grab “quality dumps” of credit cards? Actual whole slide dumps of the card.

    Sounds to me like they installed covert software at the main hub that processes all credit cards. Maybe every CC machine talks to a central computer for verification. All it takes is a breach of that central machine to grab all transactions of all the branches nationwide. Maybe it was an inside job. :/

    1. stine

      I agree, but if you read Cringley’s column, he suggests that their card readers were the point-of-release.

  16. Ern

    It’s amazing that the rest of the world has moved to ‘chip-and-pin’ EMV while the US is still using the mag-stripe – it’s no wonder the fraud level is so high in the US!

  17. Simon Waters

    Interested in the legality of buying back the card information.

    I wouldn’t want to hamstring fraud investigators, but in the UK financial institutions would be very wary indeed of sending money to known crooks in such a situation since it is abetting a crime. Not a lawyer, and there are plenty of legal defences for the action, but I just think they would be (rightfully) doubtful about such a course of action.

    1. Bob Smith

      What’s to prevent the crooks from selling the same credit card info to more than one buyer? So even if a bank buys back the credit card info, are they really clearing it out of the thieves records? Why would anyone trust that a group that sells stolen credit card info would be honest in telling you that you are the only person buying any particular card info?

  18. Fredster

    It seems like these “card shops” are financial terrorists. If they are domestic, why doesn’t the FBI arrest them; if off-shore, why doesn’t the US send in Seal teams to take out the guys running these shops, by whatever means necessary?

    I personally would like to see off-shore stolen credit card shops hit with an American cruise missile.

    1. Nick Hentoff

      Because the FBI is too busy chasing down housewives and college students who have “stolen” illegally downloaded songs and movies for the entertainment industry.

    2. voksalna

      Financial terrorists? Really? And here I thought the financial terrorists were the banks and mortgage lenders. Be careful how you throw the term ‘terrorist’ around or it’ll lose any power.

      I won’t even qualify the whole SEAL team and cruise missile thing. You may want to see a psychiatrist, friend.

  19. Harold

    If we know so much about the black website card emporium, why can’t something be done? Notice that most cybercrime originates from either China or the old Soviet Bloc. Think our leadership might be looking the other way for some reason??

  20. Old School

    Be sure to read the article, I just cherry picked a few quotes. Two of the three quotes are related to this blog.

    http://www.nytimes.com/2013/12/21/business/in-apology-and-a-sale-target-tries-to-appease.html

    “Target, one of the nation’s largest retailers, tried to assuage consumers’ worries by saying that the company so far had found no evidence that secret security PINs or codes were exposed. Target has already said that credit and debit card numbers, names and other data had been hacked from cards during a brisk time in sales — Nov. 27 through Dec 15. ”

    “Craig Johnson, president of Customer Growth Partners, a retail consulting and research firm, said Target’s handling of the news had been “less than nimble,” because while the company became aware of the problem on Dec. 15, word first reached its customers days later when a blogger broke the news. ”

    But the security blogger Brian Krebs, who first broke news of the Target security breach, said the high-value cards of some Target customers were selling for as much as $100 on exclusive black market sites.

    1. Heron

      Brian Krebs is being quoted in just about all of the articles about the breach, since he broke the story.

  21. robster

    Suppose the crooks who did this ended up being eliminated form the rest of the population, would anyone be upset ?

  22. sharon

    You performed a real service to the public in outing Target on this huge fraud. I’m usually a Wal-Mart shopper because I don’t like to overpay. Unfortunately, Wal-mart had sold out of a popular Christmas toy. so I looked for it at Target, which was out of it, also, and made the mistake of buying some Christmas candy while I was there right during the fraud period.
    I wonder if you’ve been able to find out exactly what Target did or failed to do that enabled this massive fraud to occur. Target keeps telling us they have fixed the problem, but they refuse to tell us exactly what problem they have supposedly fixed, so who would believe them? Until they come clean with every bit of information about this, no Target PR or discounts, etc., would entice me back to their stores. However, maybe, their devoted red card customers will overlook their failings.
    Also, can your contacts in the card industry tell you how the losses are allocated when the merchant who enabled a fraudulent transaction by not securing the card data on a legitimate transaction is not the nerchant who accepts the transaction conducted with the resulting counterfeit card? I’m sure the devil is probably in the details, but any general discussion might still be enlightening. In the end, it’s always the consumer who bears all losses, one way or another, so the assumption that consumers aren’t harmed because fraud liability is the bank’s immediate loss is too simplistic.

    1. P Crowley

      In some ways, it is kind of sad that Target isn’t going to have much liability other than for the data breach at all.

      Credit card fraud has been enabled, but please understand that credit card fraud happens all the time. Mostly it is online where no card is needed, but machines for making cards have gotten around to the point where it is pretty simple for gangs to make cards up as needed for offline shopping.

      So, what happens when there is fraud? Well, usually when someone uses a US card to buy something from, say, France, the credit card company eventually notices this and decides it is fraudulent. They call the card holder and tell them they are doing a chargeback. I get a call like this at least once a year.

      The merchant that accepted the card then gets the chargeback. There is a fee associated with this, usually around $25. The person that made the fraudulent charge is usually long gone, often with their merchandise. The notification to the merchant could be a week after the fact. The key here is that the merchant has insurance for this – it is pretty much in every business insurance policy. Obviously larger retailers have better coverage for this sort of thing.

      The fraudulent charge never appears on the cardholder’s bill. The cardholder’s bank charges $25 for their handling to the merchant, not the cardholder. So where does Target fit into this? Not at all. They are completely out of the picture.

      The problem with this is that the fraudulent purchaser could (but often isn’t) standing there watching this process in the store and they are often still walking out with their “purchase”. Sometimes it is denied quick enough that they can’t complete the transaction but this is usually the 2nd or 3rd attempt with the card. So why aren’t they arrested? Because nobody has lost anything, so nobody has what is called “standing”.

      My wife had a card stolen (physically) by her mother’s caregiver in Florida. From talking with this person we knew she had a relative in Illinois. We got a call a few days later from the credit card company about a purchase being made in Illinois – the caregiver stole the card and mailed it to Illinois. We talked to the store manager who had the people standing there. We talked to the police who very clearly said they would not do anything unless the credit card company wished to press charges – they did not. Nothing happened, other than the card got cancelled and a new one was sent overnight.

  23. Larry Mac

    Interesting that you got a statement from the company during the day yesterday. I have Target Red Card and didn’t get any notification until early today (seems they hit the “send” button at midnight, CST). The email only has a bullet point summary of what’s in the article, and there’s no mention of a discount (not that I plan on going anywhere near retail today or tomorrow).

  24. Bunch of idiots

    most of the comments are from people who are just idiots . they keep asking the same questions again and again and again . and the other half of the commentators are equally stupid cos they keep answering that same stupid questions again and again and again. No wonder America is such easy target for cyber criminals it looks like that the of Americans are dump as f… k witch is a good thing in the way ..

    1. Ed U

      Ironically, while lambasting others for a lack of intelligence, you’ve erroneously failed to capitalize the first letter in a sentence and used the homophone for “which.” 🙂 I’m finding these repetitive Q & A entries very useful; as per my comment somewhere above (or would that be below?), finding answers elsewhere on other websites is not very helpful, due to the news organization’s minimization of this story.

  25. Ed U

    A couple thoughts:

    Before finding this website, but after reading about this on yahoo earlier this week, I was thinking that some online security specialist working at Target might have just enough integrity to have THOUGHT about how they could take financial advantage of their position, but never ACT on it. However, some overseas crook offers said Target online security specialist enough dough to gain inside access just once, and it ends up being too much for the specialist to resist, even though s/he wouldn’t do that on their own. Enough money to pay off a McMansion and Audi R8 in the garage could be just enough to convince said specialist to share data or access codes, no?

    Secondly, this news is buried in yahoo and google, and isn’t popping up at the top of the news list very much. Miley Cyrus’ new single, gay marriage in Utah, and the latest Obamacare news is constantly headlined, but 1/3 of every U.S. adult’s credit card data stolen isn’t as newsworthy? What’s up with that?

    1. voksalna

      While I try not to be xenophobic, Americans tend to be stupid when it comes to what they consider ‘news’ (and history and geography and current events in general that might impact them personally; Miley Cyrus is water cooler talk; Americans want to be happy and safe), and news outlets tend to care more about gossip and page hits — and often these pages are populated by page hits themselves, which means if people don’t click it it falls off the page.

      1. JCitizen

        I really! Well I think your’s is a tiny little country who is afraid of their shadow; and shudders at the thought of it! HA! How does that make you feel! 🙂

        Little baby boy country? AAaww!

        1. voksalna

          If I were capable of giggling, I would giggle. 🙂

          My point was not to insult America. There are things I like about America. My point was that the news algorithms are tailored to give people more of what they are interested, regardless of what is important. That is in fact the basis of the entire profit-model: making what you are interested in seem the most important thing. Every engine does this, that does any sort of algorithmic popularity ranking. The news sites people visit say a lot more about who people are and what they are interested in than anything else. What I think would be interesting is splitting this down the middle so that people don’t just have their biases as to what is interesting confirmed. People would probably learn more and expand their horizons. The internet is great for propagating confirmation bias.

          1. JCitizen

            Thanks voksalna! I have a feeling your input will be valuable here on KOS! 🙂

  26. Shane

    So I read all the comments but am still confused on something.
    At least for the cards that Target controls, Red Card debit and credit cards, why doesn’t Target cancel and reissue the impacted cards?
    I have a red card (credit) and did use it at my Target during the unfortunate time frame. It would seem much easier to cancel the cards and reissue new ones rather than undergo the stress of wondering if my card will have fraudulent charges on it.

    1. Deb

      I’ve been wondering the same myself! Considering it is impossible to get through to Target’s customer service numbers and I’ve tried for 3 days, and one cannot cancel the card via their website (when you can get to it), seems Target doing the work would be a) prudent, b) good customer experience, and c) more cost effective since Target will most likely in the end be responsible for the majority if the fraudulent charges anyways.

      1. P Crowley

        Why would Target be responsible for fraudulent charges?

        The way it works in the US is the merchant that takes the card is responsible – but the merchant has insurance, so it doesn’t really hurt anyone. This got negotiated from the dawn of credit cards back in the 1960s – the selling point to the politicians was that the cardholder would never be held responsible.

        Now, for debit cards it is a completely different matter. If you use a debit card and someone gets your number and PIN, the bank will often – out of generosity, if nothing else – eat the charge and not make you pay. This is why Chase was limiting debit cards to $100 starting when this was finally disclosed. They do not have an agreement with merchants that lets them charge it back to them.

        So why isn’t Target dealing with this more proactively? Probably because they figured out it doesn’t matter. People are going to be angry, for no reason once they see there is no loss. Canceling and reissuing all the cards would be expensive for them and might not do much to mitigate the impact of this. And they have virtually no liability even if someone uses a bogus card in their store – they have insurance for that.

        They may not have data breach insurance, but sooner or later the “zero impact” of this is going filter down through the courts. Sure, information was disclosed and fraudulent charges have been made. Who paid the bill? Oh, nobody? Well, forget about the lawsuit then.

    2. Heron

      It’d be more expensive to replace all of the cards than to offer free credit monitoring and advise people to keep a close eye on our accounts.

      You’re certainly within your rights to request that your own card be replaced.

    3. AlphaCentauri

      Because Christmas.

      Target doesn’t want to lose sales because its customers are waiting for replacement cards. Other retailers don’t want to lose sales because 40 millions Target shoppers are waiting for replacement cards. News media don’t want to lose advertisers who are losing sales because customer are waiting for replacement cards.

      December 26, expect a lot of replacement cards in the mail.

      1. JCitizen

        HA! HA! Target is SOOOoo screwed! I shouldn’t laugh, because I like them better than a lot of the traditional retailers. However, now we have Menard’s, Lowes, Home Depot, etc. etc. (also many who aren’t just hardware)! Competition is good, and it is a dog eat dog world!! They should have been paying attention! (And hiring people like us to guard the perimeter) 🙂 Heh! Heh!

  27. Bunch of idiots

    Fuck you Krebsky you know that its true .deleting my comments wont change anything .If you think you know something trust me you know nothing until we tell you .Its not even a Breadcrumbs .

  28. Heron

    Lonny, getting a new debit card should be enough. Choose a different PIN, too.

  29. Heron

    When the site is busy, new comments aren’t appearing right away. Please don’t double-post comments.

  30. Jay

    All –
    I find it interesting that the CEO of Target knows how many cards usually end up as true identity theft are tied to breaches of this size or this type.
    Fact is, that no one really knows for sure. You can never be sure that a card snagged in the Target breach, used as a cloned card, wasn’t a card that was skimmed by another POS at some other retailer, or snagged out of some other breach, or in a hundred different ways to get card numbers. In my opinion, a CEO who just announced that approximately 40 million of his/her customers debit card (which almost always include pin number with traditional skimmers) and credit cards were naked in the wild, should stay out of the “assumption” business during a reputational fire storm.
    Other interesting statement, is that they have removed the problem. Stated in that manner, in my opinion, probably means it was viral. A skimming malware at this scale is a game changer in the retail POS fraud arena. Not speculating, just seems applying logic here. 40 million cards, at almost 2000 stores…….seems like that would be fairly cumbersome as a physical attack with traditional skimming switch and skim techniques.

    1. P Crowley

      You have pointed out the one thing that might cost some folks some money – debit cards with PINs. Unlike credit cards, the agreements for PIN-based debit card sales are different. You also have the cash withdrawal problem.

      Banks with people that have used debit cards are going to be angry about this, because often they are on the hook for it – unless they want to pass it along to the cardholder. Until recently it was customary to pass fraud down to the cardholder with debit cards, but recently banks have tried to make debit cards more attractive by pretending to follow the same rules are for credit cards. Except there are no rules like that, so they can do whatever they want. The result is likely to be some banks trying to sue Target because they actually lost money, and maybe a lot of money.

      Cardholders? Naa, they aren’t going to lose anything.

Comments are closed.