20
Dec 13

Cards Stolen in Target Breach Flood Underground Markets

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card.

A graphic advertisement for stolen cards sold under the "Tortuga" base.

A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s N0v. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran a fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they posses the legitimate, physical card for the corresponding account that is being used to fund the online purchase.

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

[EPSB]

Have you seen:

Non-US Cards Used At Target Fetch Premium”…An underground service that is selling millions of credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.
[/EPSB]

Tags: , , , , , , , , , , , , , , , , ,

445 comments

  1. Funny, I never have this problem with cash…

    • IMO, in the history of money–per capita (or whatever)–you are probably 100 times more likely to have your cash stolen than your credit card numbers. AND when your cash is being stolen, you’re probably 100 times more likely to get shot or stabbed over it than when your credit card numbers get stolen.

      • Not to mention that if your house burns down while you are out shopping, your cash is gone forever then as well.

        Valuable assets will always be at a high risk of theft or loss.

        It would be interesting to do a historical analysis of theft and loss of currency, and see how the current credit card ecosystem compares. It is possible that even with all the losses due to credit card theft and fraud, the overall “loss and theft” rate may be the best it’s ever been.

        • Based on how long the average US residential fire lasts (typically around a half hour), cash left at home, but in a fireproof safe rated at at least two hours would likely survive most residential fires.

          If, atop that, one kept said safe in a custom-built box made of three to five layers of 5/8-inch drywall, with red fire cloth and foam in the interior corners, and also sealing the space around the door (which door is also made of three to five layers of 5/8-inch drywall), then the cash would likely survive and even much longer fire; or perhaps even one that the fire department let burn, for some reason. Put the darned thing in a basement, or suspend it down through a trap door in the floor down into a hole in the ground in the crawlspace (if there’s no basement) and you virtually eliminate that fire could get to it at all.

          Yes, after the fire you’d need to dig to find it, but at least the cash inside would likely be okay.

          But that’s not really the biggest problem. The biggest problem is old serial numbers on said cash. One must keep recirculating it to keep the cash’s serial numbers from becoming too old or one quickly arouses the attention of federal authorities. Local banks are trained to watch-out for it; and what gets past local banks usually doesn’t get past the Federal Reserve. That, however, is a whole ‘nuther matter, unrelated to protecting one’s cash stash from house fires. Sorry for the digression.

          The best way is to just not even do it; to just use the US banking system, and just be careful about things… to not allow yourself to fall asleep at the switch; to be careful how and where you use your cards; to keep an eye on the monthly statements; and do only use cards that offer a system like the one I use which sends a text message every single time the card is used.

          In 2008 that handy feature helped me catch a punk kid who found my VISA card number on a form discarded at a local grocery store, and then used it on an onling gaming site that very night… a little before 1:00 AM. My phone awakened me with the text message just seconds after the transaction, and I could see the site where it was made right in the text, and I was online and in contact with said site within 10 minutes. The charge was refunded to my card two minutes later; and five minutes after that I was in touch with my bank, which killed and three days later replaced it. I was back in bed before 2:00 AM; and within 45 minutes I was sleepin’ like a baby.

          Every single credit and debit card on the planet should have that feature.

          __________________________________
          Gregg L. DesElms
          Napa, California USA
          gregg at greggdeselms dot com

          Veritas nihil veretur nisi abscondi.
          Veritas nimium altercando amittitur.

          • If you hadn’t gotten up at 1:00AM to deal with this, it would have gone down the same way. Your bank probably would have detected the charge as fraudulent in the morning and started the process a little later. Unfortunately, nothing you or your bank could have done would have taught the miscreant that “borrowed” your card a lesson. All that happened was he was able to move on to a different card number and try again.

            I really like your drywall box idea.

  2. What you say about the bank not being formally notified regarding the specific cards being stolen seems to be a pattern. PNC which is fairly large bank seems to be acting as either they don’t know how the breach is affecting them or are hoping it will blow over and won’t be too bad. I checked the carder store for PNC bank cards and there is a huge haul of both credit and debit cards. Considering the number of cards they got from my relatively rural area, I would say PNC has a major problem on their hands.

    Below is the formal e-mail PNC sent to their customers regarding the Target breach:

    “Important Information Regarding Target Data Breach

    PNC cares about our customers’ well being and is committed to protecting the security of our customers’ personal and financial information. As part of this commitment, we continuously monitor our customer accounts for fraudulent activity and customers are not held liable for unauthorized charges.

    Our Security Assurance pledge becomes even more significant when our customers are faced with a data breach like the one recently announced by Target. We have been made aware that someone gained unauthorized access to customer information in Target stores between Nov. 27 and Dec. 15, 2013.

    At this time, we believe most of our customers were not affected. However, if we detect any suspicious activity on your account, we will inform you. You do not need to contact us unless you notice activity on your account that you do not recognize. Further, you do not need to be concerned about continuing to use your existing card, so there is no need to request a replacement card due to this breach.

    We are working to learn more about this situation, and the impact on our customers, and we will share additional updates with you as they become available. To learn more and for answers to frequently asked questions, click here.”

    • I am a PNC customer and I’m fairly certain my card was effected by this even though I made a purchase at a Target store on November 22nd, five days before the date range issued by Target. An attempt to use my card number was made four times in a mid-western state on December 4th (I’m from the east coast) and then another attempt made on December 16th in Ohio. PNC caught the attempts on the 4th and denied the charges. However, PNC never reached out to me. I had to have my card declined and contact them before I found out there was fraudulent activity on my account. PNC cancelled and reissued me a new card number but could not verify how/when my card was compromised. I fully believe that it was the purchase I made at Target on November 22nd that caused my card number to be stolen.

      • I ALSO USED MY AMEX AT TARGET ON NOVEMBER 18 AND NOVEMBER 22. ON DECEMBER 9 AMEX CALLED ME TO VERIFY 4 CHARGES MADE IN TEXAS (I LIVE IN CALIF) 3 WERE UNDER $5.00 AND THE 4TH ONE WAS $1,400.40 AT AN APPLE STORE. ALL WERE DECLINED AND I WAS ISSUED A NEW CARD THE NEXT DAY. MY POINT IS I THINK THIS WAS GOING ON BEFORE THE DATES TARGET IS LEADING US TO BELIEVE..

        • Lola,

          You’re going to find that various destinations on the Web — including this one — don’t take kindly to people posting in ALL CAPS. It’s the equivalent of SHOUTING

          • Hi,
            How can you find out if your card info was one of the 40 million??? Target just sent a general letter?

            • As those that have said this before, and will say in the future: If you used your card during the time frame, your data has been stolen.

            • Deb…I’ve heard nothing, so far, from Target, but I know my Chase Credit/Debit Card was one of the Cards that was Compromised, in the Target Security Data Breach, ’cause I received an Email, from Chase Bank, letting me know. I used my Card on November 25, 2013 and again on November 29, 2013.

              If Chase hadn’t Emailed me, letting me know that my Credit/Debit Card was one that had been Compromised, I would never have known!

              It might be a good idea to continue to check your Credit Card Statements, and also your Bank Statements. You can always call your Bank, to ask them if your Credit/Debit Card might be among the ones stolen, in the Target Breach.

      • Hi Kathleen;

        I guess it is an inconvenience to have your card declined because the geo positioning systems detect that you cannot be in two places at once that are very far apart within a few minutes.

        This being said, you are lucky, the thieves that were trying to use your card, they could have sat on the card for several months without using it, then when the panic would have passed, they will start using it.

        It is still not clear if this is not going to happen with several thousands or millions of cards that were compromised at Target.

  3. Here is what Chase had to say to a client of mine. This person made only one purchase during the period in question:

    Dear Chase Customer:

    We’re reaching out to let you know what we’re doing to help protect your account after the data breach announced by Target on some credit and debit cards used at Target stores between November 27 and December 15.

    Here’s what you should know:
    All your Chase cards have our Zero Liability Protection. That means you’re not liable for unauthorized transactions you report to us.

    You don’t need to call us at this time unless you see transactions you don’t recognize. We’re using our sophisticated fraud-monitoring tools to look for abnormal spending and ATM patterns. That helps us block fraudulent transactions.

    We’ll let you know if we see unusual activity on your account.

    We’ll send you a new card if we determine that’s necessary.
    Here’s what you should do:
    Continue using your Chase card.

    Monitor your account — including using chase.com or Chase Mobile — and let us know if you see any transactions you don’t recognize.

    Enroll in our free Account Alerts* in the “Customer Center” section at chase.com and we’ll let you know about specific activity in your account.
    As always, thank you for your trust.
    Sincerely,

    Jennifer Myhre
    Senior Vice President
    Chase Consumer and Community Banking

    • I definitely advised my client to set automatic alerts in their account settings, and check the account anyway everyday for at least a month. The alert settings can be sent many ways. For this person SMS was the best, but not the only advisable setting. Email, and snail mail settings were prudent for certain alerts as well. That way if SMS and/or email were compromised, the snail mail would at least come through in three days.

      • To me this is very poor advice. Why would anyone want to waste their time monitoring their debit card daily after a major (40 MILLION STOLEN CARDS!!!) security breach? How many hours is that going to add up to? Ive got work, friends and most importantly a son to invest my time in.

        Just spend 15 minutes cancelling the card and be done with it.

        • You don’t need to monitor your Card all day, everyday…Just check your Online Bank Statements and Credit Card Statements about 2 days, a week…It takes less than 5 minutes…Cancelling a Credit/Debit Card will take 7 to 10 Business days, to get a new Card.

        • I have news for your Joe! You should do this anyway! Never assume you are not compromised! I say this from years of experience. But I will admit; years of helping people who have been compromised has gained me a bit of healthy paranoia; now allow me to adjust my tin foil hat please!

    • Interesting. Here’s what happened to an Oregonian who verifiably used a Chase card @ Target.

      http://www.oregonlive.com/portland/index.ssf/2013/12/clackamas_shoppers_chase_card.html#incart_river_default

      My own California credit union advised me to cancel my card and promised a new one in 5-7 business days. We’ll see how long 5-7 days lasts during the year end holidays.

      • You sound like you’re blaming Chase for Target’s bad practices! I think Chase is one of the best card companies bar none! I say that because they offer the best cash back of ANY company; and are always willing to deal with people who have fallen on hard times! If you are a shill working for the competitors; all I can say is you are the scum of the earth, and so is Target for how they handled this!

        However, I am sad as well, as I feel Target was once upon a time – the best retailer in my area also! It really is a tragic disgusting situation! :/

        • I was pointing out discrepancies/variability in Chase’s behavior. I know nothing of their retail policies. I do know that the financial bloggers I read consider them one of the Too Big To Fail banks that need to be broken up and more tightly regulated along with most of the banking industry.

          • Point duly noted KFritz. I guess I’m partial to them(Chase) because, despite them giving me the best deal on the planet, I had to default on them once! We negotiated the deal rather than me going bankrupt! Most people think bankruptcy is the answer, and it isn’t especially if you are concerned for your future, or are a youngster.

            Meanwhile, I’ve fully recovered my health and financial position. I can partially thank Chase for this. I know what you mean by “Too big to fail”, but US law and regulations have been adjusted so the Feds can break them up and sell the out piecemeal if they fail in the future; this was not possible before 2007.

    • This is the Email I received from Chase Bank, in regard to the Target Breach…If I hadn’t gotten this Email, I probably would never have known!

      “Dear Lesley,

      As you’ve learned from recent news reports, Target reported that it experienced a data breach on debit and credit cards that its customers used to make purchases in its stores from November 27 th through December 15 th . Unfortunately, your Chase debit or Liquid card was identified as one at risk because of Target’s security breach. Defending against fraud is a top priority for us, so we are taking extra precautions to try to keep Chase accounts safe.

      Here’s what you should know:

      First and most important, don’t worry. All your Chase cards have our Zero Liability Protection. That means you’re not liable for unauthorized transactions you report to us. We use sophisticated fraud-monitoring tools to review account transactions and detect abnormal spending and ATM patterns. That helps us block fraudulent transactions.

      Here’s what has changed:

      Beginning today, for customers whose debit or Liquid cards are at risk from the Target breach, we are temporarily limiting ATM withdrawals in the United States to $100 per day and purchases to a total of $300 a day. Those customers travelling internationally whose debit cards are at risk won’t be able to access cash at an ATM. If you are traveling outside the United States or plan to, please call the number on your card to see how we can help you.

      Here’s what you can do:

      Stop by a branch: Employees at our 5,600 branches are standing by to help you if you need more cash than $100. With proper identification, you can access your available funds. Many branches will also stay open late, if needed, to help customers. To find a branch near you, visit our branch locator on chase.com. Watch for your new card. We plan to reissue all affected debit cards and Chase Liquid Cards automatically over the coming weeks. Until then, you can use your debit or Liquid card with the temporary limits.

      We realize this could not have happened at a more inconvenient time with the holiday season upon us. We ask for your patience as we take these precautions to combat fraud and prevent criminals from using your card. We’ll continue to keep you updated by email and through chase.com.

      Sincerely,

      Jennifer Myhre
      Senior Vice President Chase Consumer and Community Banking”

      The Debit Card, for this Account has been Compromised 2 times. (Had Card replaced after the last Compromise) After it happened the 1st time, I had Chase Bank remove the “Pay Pass” and “Blink” Emblems, on the back of the Card…Set up Text Alerts, so that if it should ever get Compromised, again, I’ll get notifications, via Texts, letting me know that someone is trying to use my Card, in excess of my $250.00 Spending/ATM limit, that I had Chase set my Daily Limits to.

      I never knew what my original Daily Spending/ATM limit was, on either of my Debit Cards, and when I asked Chase they told me $3000.00, for both Spending and ATM, I was shocked…I wasn’t the one who had set the limits, at that amount, Chase did.

      Tell your friend to check with Chase, for what his/her Daily Spending/ATM limit is, for their Card, and if it’s really high, like mine was, then have it lowered, to a more reasonable amount.

  4. I’m pleading ignorance about one otherwise obvious aspect of this entire situation, but I have to ask: Does this pertain to the Red Target Card, or only to other credit cards?? As much as I’ve read, I remain unclear.

    • Red Cards (both credit and debit) are included, as well as non-Target cards.

      • Since Target is at least claiming that the PIN numbers weren’t exposed, it would seem that the Target Debit Red Card would be more secure than other debit cards, as it can only be used at Target and with a PIN. I’m assuming the target card info on the mag stripe only makes sense to Target.

        However, if the routing # and other information were compromised, it could be worse. But it would be much like someone photocopying a check you wrote at Target, wouldn’t it? Same routing information is plainly visible there.

  5. Target is still not getting it right. I went shopping today at my hometown Target in Southern California. I liked the 10% discount but when I wrote a check for my transaction the cashier did not know how to frank (process) the check. Also they POS system would not accept the check for a little over $200. There was a declination from a company called Certegy that contracts with Target. When I contacted them I was told by the automated voice (there are no operators on the line). That since my check writing pattern was out of the ordinary for Target purchases, that my check was denied! What a double insult, I will certainly be taking my shopping dollars to another retailer, and letting all and sundry know of this poor business practice. Please warn others before they have to go through this humiliation in the check out line. If America votes with their spending dollars retailers can be reined in.

  6. Speaking as a developer with 9 years of POS application experience, and 8 years POS support experience at a major OEM who’s hardware isn’t in Target stores anymore …

    re: end to end encryption
    There’s a financial difference to the retailer between authorising a transaction with a card #, name and expiry date and authorising one where the retailer has the full track info. The card processor historically charges the retailer a smaller %age of the transaction total if they can supply the full track info, since that implies the retailer physically saw the card and so cuts down on ‘card not present’ fraud. Ironic, isn’t it?

    Historically the pinpad has given the unencrypted data to the POS terminal, where the application is responsible for authorising the card (either over dial up line or internet connection) with the card processor. Note that the POS application typically does not do this itself – it hands it off to a dedicated application on the POS terminal to do that. So in this case we’ve already got unencrypted data going from the pinpad to the POS application to the processing application. Whether the processing application encrypts the data is between it and the bank, but most of the ones I’m aware of don’t (or at least didn’t when I dealt with them).
    Now, modern pinpads have the abilty to authorise themselves directly with the processor without even giving the card info to the POS terminal, but that then requires a pinpad have internet access, with all the headaches that entails …

    re: storing of card numbers by retailers
    Consumers are lazy. We like being able to return a gift without a receipt, and have the retailer look up the transaction based on the card we used to make the purchase.
    We also like being able to log in to our favourite website and make a purchase, billing it to the card we used last time. In both cases the retailer has to store the card # & expiry date in order to make this work.
    Sure, the retailer can not do this, but how many customers are they likely to lose to the store next door which does offer this functionality? It’s only when something goes wrong that we start complaining about it.

    re: writing “Check ID” on the signature line of the card
    The signature on a credit card is not to prove you are the cardholder, it’s to say you agree to the terms and conditions of the card. If the card isn’t signed then the retailer has no way to know that once they give you the goods you will actually pay the card company – obviously you can still not do that (hence all the people in credit card debt), but there’s a difference between not paying the card company when you are legally obligated to, and not even having the obligation. In the first the card company will come after you for lack of payment, in the second the retailer is effectively giving you the product with no recourse to anyone if you don’t pay.
    The reason most people get away with it is because (a) most people don’t know the rules and (b) most store managers and cashiers don’t want to be the one to enforce it.
    See http://usa.visa.com/merchants/risk_management/card_present.html for more details.

    The retailer could quite easily mandate to their staff that all card purchases in store require a check of photo ID, but that takes longer (who wants their checkout time to take even longer?) and puts the onus on the cashier to verify the identity (and the retailer probably wouldn’t want that either).

    • The larger processors return a token, i’d assume even smaller ones can. So there is no need to keep track data, or the pan in the systems. In Targets case, id imagine they get the same on card in hand and keyed due to the massive volumes they do. Interchange plus basis points for tiered volumes of transactions.

      No excuses for storing key data. Piss poor development if they do.

    • With a company the size of Target, they are most likely getting interchange (Bet even visa discounts at this volume), plus a couple basis points. Target utilizes First Data for their credit card processing (as does Walmart, Costco, etc). First Data offers a tokenized transaction system (Transarmor as they call it). So there is no need to store any of the data. As for the track data, when you get into large volumes it’s possible to get the same cost for card in hand, as well as keyed.

      So for the having to store a customers card data for returns, not so much. If the group of developers are decent and the project is done right, you can very easily find all transactions for a cardholder. Just store the tokened pan (random #’s except the last 4 digits in Firstdata’s case). You do need to store information you normally wouldn’t though; but nothing that would let you utilize the card from anywhere else.

      • Good point. Please note, that Homeland, et al, security protects the 0.1%. It’s only called that because the public pays for it. Try to manage your anger over such (common contemporary) relevations and channel it to helpful ends. PrndotFm is a good place to start. G’luck!

  7. If I lost millions of dollars’ worth of Target’s intellectual property, I’m pretty sure they’ let me off with an apology.

  8. how do we find out if our ‘target red card’ was one of the cards that had the info stolen?

    • Right now, you can’t (unless you don’t mind doing some digging on shady websites–something I don’t recommend). Either keep a close eye on your account, or request a new card.

      • The HYS box for this article was appropriate & helpful. However, it keeps appearing, which is annoying. Can you suppress it after once read?

    • Colleen,
      If you used your card at any USA Target store between (and including the dates) Nov 27 thru Dec 15 then your card has been stolen.

    • It’s all cards, if you swiped a card at Target the bad guys more than likely have your info.

  9. Any danger(s) in going to “Rescator_dot_la” and searching for my CU’s “BIN”? Known malware D/L’s or Java/Flash exploits, etc. (Am on OSX/Mac).

    I have several Target debt card transactions during the time period in question and the “wait for your card info. to get bought/abused” suspense is killing me!

    Thanks.

    • Not that I’m an expert (and I know even less about Mac products), but…hey, look at the ethics of rescator. Wouldn’t put it past these sorts to plant some sort of drive-by malware on their site. At the very least, they probably have the means to track the IP addresses of whoever goes to their site, and these are not the sort of people I would want having my IP address. They are thieves.

    • Jonathan Kerstain

      rescator[]la is totally safe! I’m using this shop to buy cards about 2 years and very happy of their quality! Never got some kind of malware from their site. Rescator is a good man

      • LOL! Now, why on Earth would you Post, on any Website, that you buy “Stolen Credit Cards”! Doesn’t seem like a very smart move, to me! :o/

    • Why would you need to watch and wait? Or is it to get some excitement? 😛

      You can go to an ATM and take out as much as you’d need to last a week or two it is a debit card, and then call your bank and have them cancel and replace the card (or just call the issuer if it is a credit card), which is almost always free. Many banks will even expedite shipping if you are willing to pay a fee.

  10. Seriously – target sucks – for even capturing and saving that info – hackers didnt need to do much – target also sucks for storing that data for even allowing it to be access from the WAN.

  11. Look at who’s wearing the Target now. But, it’s all right because you get a discount???

  12. Looks like rescator.la is down today…ahem, it’s “moved to another host”. Perhaps it got a little too much attention due to this post?

  13. So what is the price per card as seems $100 you have wrote seems amazingly high ?

  14. Actually, we don’t know if it was Target or FirstData that was ‘non-compliant’. We have all assumed the magnetic strip up until now. If the breach was at FirstData, that is a whole new area to be explored. FirstData has a very large amount of big customers. Was the breach localized? Or are their other customers that were breached? Also, this means Target didn’t really ‘fix’ the problem and is still being breached.

  15. If Chase believed Target’s statement that no PIN’s were stolen, why would Chase limit debit cardholders to withdrawing only $100 daily at ATM’s? If Chase doesn’t believe Target, why should consumers?

    • Sharon, why are you so certain the Chase action is related to Target? Obviously, it happened around the same time, but it may actually be related to something else.

      • Brian, all I know about this whole mess is what I’ve seen in the media (which is to say I don’t know anything for certain), but according to the media reports Chase said the limit was a precaution taken due to the Target security breach. I can’t see any reason for Chase to lie about it. I can see a reason for Target to utter soothing words, even if they haven’t determined for certain that no PIN’s were captured.
        Let me thank you again for your public service in outing Target on this mess in the first place. I hope your career profits by it because you deserve it.

        • Not directed at you specifically, but more incredulous — as in jeez, what is this sh*t? How does a bank get off doing this? This is how you know your money is not your money. Because this was surely not protection measure for *you*, and frankly I find it difficult to believe it isn’t illegal.

      • BK, Chase has stated that its move to limit cash withdrawals, etc., are related to accountholders who shopped at Target during the breach period. They opened their facilities today so Chase debit card users could get cash.

        See: http://www.nytimes.com/2013/12/22/business/chase-to-limit-use-of-debit-cards-from-target-breach.html

  16. I’m somewhat knocked over at, not so much the thievery as the lack of counter-intelligence. Until all this was in the news I never knew there were such sites with ‘card dumping’ activity, but now I learn there aren’t a handful but literally ‘hundreds’. HUNDREDS?!!!! And there are even posters here, honest or not, saying, ‘yeah, I bought a few of their cards- great stuff’ as though stealing from someone was like sampling ice cream at Baskin Robbins.

    We have HOW MUCH MONEY, HOW MANY RESOURCES in D.C., solving ‘the world’s problem’s by bombing the crap out of Afghanistan, supporting thugs in Ethiopia and god knows what else but this, meh, no biggie. Just our consumer confidence on our most common method of financial exchange in the country.

    Where is the FBI? What the hell rate the NSA doing other than reading granma’s email? Why are we sending bullets to fight ideological enemies overseas when we have REAL ones, all over the net operating in open site?

    I won’t say I hate the government (I don’t want to get a knock on the door in the middle of the night), but I am very chaffed that we spend so much and really get so little to nothing in return.

    As for you guys buying cards to rip someone else off, get a regular job. you don’t need to hurt someone else to make money in this world and don’t think for a second what you’re doing isn’t hurting someone. And if you think hurting someone is good, well, then you deserve the hell you live in.

    • Thank you, Baffled!!! Target, Chase, other retailers and other banks should obviously all do a better job of protecting their customer’s information, *however*, the one thing I never seem to read in the comments on the subject is the fact that anyone who is involved in stealing credit card numbers, buying them, using someone’s info, aka, *creating misery for other people*, is a complete greedy, narcissistic a**wipe and should die a horrible and painful death. ‘Not sure how they live with themselves, but I’m sure they have all kinds of BS excuses.

  17. Online Fraud Prevention

    The reason the bank is not concerned about cards being used to commit fraud online has nothing to do with the CVV. They don’t care because the liability for fraud belongs to the online seller (merchant) rather than the bank (issuer).

    Quote:
    The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards.

  18. Target does not deserve to be let off the hook. I understand it was a large operation, but it may have more to do with their procedures for handling this information.

    I know it has caused me to protect my information more carefully.

    I think any company responsible for a security breach should provide their customers a minimum of 6 months credit watch because the credit agencies will want proof that you are not responsible.

  19. I don’t like that “Have you seen” box that appears when I look at older stories on your blog, BK. I wish there were a way to make it disappear for good.

    • He has not really had much luck with using cookies for things (which would probably the approach to do so) from what I have seen. I do think it is a bit silly when the stories are not aged/older (and annoying), but I try to remind myself that especially in these sorts of stories he probably is getting a lot of new readers who have never seen his blog before.

  20. One thing I don’t understand (as a layman), is how do thieves interpret the data they steal? Isn’t this data encrypted, or is it clear text when they’re pulling it from wherever they get it? Even if they have sophisticated tools, they couldn’t possibly crack a complicated encryption so quickly…could they?

  21. So after spending money yesterday, yes I don’t care about being breached, I don’t have enough money on cards for that reason. Everywhere I went, I was asked for ID every time.

    People also need to realize that IN STORE customer service CAN’T do anything for you. Call your card issuer. They can and will help you.

  22. how can we cancel target cards compromised when you can’t even connect to their toll free no? target shld just cancel the cards & issue us new ones!

  23. Apparently no one noticed “Jonathan Kerstain” comment about how “good a man” this Rescator character is ??!! Rescator, or whoever he is, is a THIEF, period. And instead of babbling on about who’s fault it it (bank, target….) you should be leaning on Interpol or a private hit-man to go after this miscreant. Having a few thieving hackers depart the planet would send a strong message. And what kind of an arrogant idiot is Mr. “Jonathan Kerstain” to come on this forum and state the HE “buys cards from that store every 2 years”? Buying stolen card numbers?? What an *ss ! See ya behind bars.

    • Yes, extremism is totally the answer. Why do things legally and logically when you can just hire a hitman.

      You should see a psychiatrist. 🙂

    • Jonathan Kerstain was being sarcastic…

      …I hope

    • I noticed “Jonathan Kerstain’s” Post! Asked him why he would post, on any Website, that he purchased “Stolen Credit Cards” Told him I didn’t think it was a very smart move.

      People like Jonathan, are the Scum of the Earth! They all deserve whatever Punishment is thrown, at them!

  24. If one of these guys goes to a brick and mortar
    retailer and uses one of these stolen card numbers,
    what typically happens? Is the purchase denied?
    Or is the fraudulent purchase detected later?
    Does the brick and mortar store attempt to have
    him arrested?

    Seems like the card issuers could reduce fraud if
    they simply require ID for POS purchases for these
    card numbers.

  25. To: Brian Krebs On Security Saturday, Dec. 21, 2013

    Re: Target Credit Card Hack

    Maybe a store named “target” was just too tempting a challenge for the “Tortuga” card shop to ignore. It’s not much of a stretch to imagine either a low level Carib cartel or a high level corporate scam behind this jolt to the complacency of credit card security. Brian’s kick in the pants should put us on high alert and not for a minute confuse TV law enforcement with the reality of interdiction focused on CD piracy, Wall Street demonstrations or student loan defaults. The tsunami like Target breach now exposed to the light of day is nothing short of a robust exchange market offering credit cards as a commodity and being sold to major retailers and probably anyone else that can handle the cost and minimal risk in networking the underlying cash advantages. Our elected officials who are either promoting pay increases for themselves, planning their exit strategy from one recess to another or sniping across the isle, flagrantly display an entrenched paralysis in mandating hard-hitting meaningful consumer protections. Asleep at the wheel, they are preoccupied with protecting and patronizing the same businesses intertwined within this colossal scam.

    Brian, Your efforts are greatly appreciated.

    Best of holidays.
    Chaz

  26. I just called the Target Red Card customer service number and got a recorded message that “There is nothing to indicate your data was compromised. Call back another time.” So no chance to cancel the card. I did call Equifax and put on a fraud alert, and their automated system indicated that they shared the alert with Experian and Trans Union.

    I have been a loyal Target customer but this apparent laissez-faire arrogance toward customers is astounding. Since they won’t share what happened, how am I to believe them saying “your card data is safe”? What a hot steaming mess.

  27. I had made a purchase at Target during that time period, and at first I was worried but then I realized I had used a $20 gift card I had received. There was only 3 bucks left on it after my purchase, so have at it!

  28. I hate the jerks that offer up “credit monitoring” as if were some kind of solution to anything. All it does is further reveal your personal data to a company that will send you targeted advertising to pay money for “monitoring services” later. Target CEO Gregg Steinhafel should be pilloried for this.

  29. @brian

    Nice one minute clip of you on the ABC affiliate in Minneapolis last night. This being the home office of Target this is getting a lot of attention Lots of Target Executives working during the holidays. They could use your expertise!

  30. The real scammers are Target themselves. About 15 years ago I took out a Target card in upstate NY in return for a 10% discount on items totaling less than $25. That day I paid in cash since the card was supposed to be mailed.

    About 6 months later (after NEVER receiving the card through the mail) I got a call from Target. They had an incorrect address and agreed to send another card which I never received and never used. A week after the call I got a bill in the mail saying I owed almost $4,000 for unpaid merchandise. They claim I left the store without paying which I would never do. I called and told them there was a mistake because these charges are illegal. They said they would look into it.

    Every 6 months or so I would get another bill (with more illegal charges added on to their made up bill) offering a settlement if I paid a few 1,000 dollars. Over the years this amount has been reduced. The last offer (about 2 months ago) was a settlement offer for a few hundred dollars.

    My only regret is that I didn’t save all letters and report it to the proper consumer fraud authorities.

    In conclusion, Target perpetuates scams, fraud and illegal unauthorized charges. Although this is well documented (it’s posted all over the internet) they continue to get away with illicit activity. It’s just a matter of time before they will be fully exposed and completely OUT OF BUSINESS for good. According to a very reliable source this will definitely happen before 2015. BUYER BEWARE when shopping at Target because you do so at your own risk of being scammed!!!