
Cards Stolen in Target Breach Flood Underground Markets - clarkm
https://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
======
terhechte
I was just thinking whether I had ever bought anything at Target, and then
remembered, yes, but that's 7 years ago, and I've gotten new credit cards
since. But then I wondered which other online services I had used with my
credit card, and it occurred to me how awesome it would be if I had one-time
throw-away credit cards, that I could use for only one purchase at one
retailer and then throw it away. Now, I know that gift cards work this way,
and could theoretically be used in such a way, but they're usually locked to a
specific retailer or one can't use them for online purchasing.

Then I realised that, really with all the flak it is getting, Bitcoin is such
a solution. Once the conversion from $ to BTC is done, there's no way to get
your credit card data or anything. You're practically immune against any data
theft at the place where you're purchasing. Now, of course the problem only
shifted as you have to guard your private keys now, but that's more or less a
question of tooling and usability of proper BTC clients (which hopefully come
up in the future). I'd rather have the valuable information stored in an open
source application used by millions with strong code review, than in a closed
source web app where an intern wrote the code in php and forgot the salt or
stored everything plaintext.

This alone sounds to me like a pretty strong incentive.

~~~
sehrope
BofA has a feature called ShopSafe that lets you generate virtual credit card
numbers tied to your main card. They got it when they acquired MBNA/FIA Card
Services. According to the Wikipedia article[1] a couple of other banks have
offered similar services over the years as well (though looks like a couple
have been canceled).

With ShopSafe, each virtual card has a custom expiration of 2-12 months, a max
spending limit (ex: $100), and only a single merchant can bill to it. That
last feature is important as it means that even if it's leaked before the
shorter expiration period nothing should be able to be charged to it.
Recurring charges _are_ possible though (ie the same initial merchant can
charge you again) so you can use it for situations that require recurring
billing. Either way the spending limit still applies.

Anonymity aside, I'd argue that virtual credit cards are even better than BTC
from a consumer's perspective as you still have the power of charge backs.
Each one has the same rights as your original card including the right to
declare a purchase as fraudulent ( _ex: the merchant didn't ship the goods_).

Would be cool if someone would create a physical version of these virtual
cards that gets created on the fly for each transaction. I was hoping that
Coin or one of the other "virtual physical cards" would do that but I guess
that'll come later.

[1]:
[http://en.wikipedia.org/wiki/ShopSafe](http://en.wikipedia.org/wiki/ShopSafe)

~~~
altero
Central Europe has good security tools for this. For example, a whitelist for
transactions, approval of each transaction via SMS, or temporarily unlocking
the card while shopping.

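The single-merchant virtual card that sehrope describes, plus the temporary lock/unlock that altero mentions, modelled as an authorization check. This is an added example, not ShopSafe's or any bank's code: the card number, amounts, dates and the "lock" state are constructed for the demo, and the order of checks (lock, expiry, merchant binding, spending limit) is an assumption. The point it shows is that a number leaked after its first use is worthless to anyone but the original merchant, while recurring charges from that merchant still go through until the limit or expiry is hit.

```python
"""Model of a single-merchant, limited-life virtual card number (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, List, Tuple


@dataclass
class VirtualCard:
    number: str                        # hypothetical virtual PAN, issued by the bank
    expires: date                      # custom expiry, 2-12 months out
    limit_cents: int                   # maximum cumulative spend, e.g. $100
    locked: bool = False               # holder can lock/unlock at will (assumed feature)
    merchant: Optional[str] = None     # bound to the first merchant that charges it
    spent_cents: int = 0
    history: List[Tuple[date, str, int]] = field(default_factory=list)


def authorize(card: VirtualCard, merchant_id: str, amount_cents: int,
              today: date) -> Tuple[bool, str]:
    """Decide one charge. Returns (approved, reason) and updates the card.

    Check order is an assumption: lock, expiry, merchant binding, limit.
    """
    if card.locked:
        return False, "card locked by holder"
    if today > card.expires:
        return False, "expired"
    if card.merchant is None:
        card.merchant = merchant_id          # first use binds the number
    elif merchant_id != card.merchant:
        return False, "merchant mismatch"    # a leaked number is useless elsewhere
    if card.spent_cents + amount_cents > card.limit_cents:
        return False, "over limit"           # applies to recurring charges too
    card.spent_cents += amount_cents
    card.history.append((today, merchant_id, amount_cents))
    return True, "approved"


def demo() -> Tuple[List[str], VirtualCard]:
    """Walk a constructed card through the cases from the comment above."""
    card = VirtualCard(number="VCN-0001", expires=date(2014, 3, 1),
                       limit_cents=10_000)            # $100 limit, ~3 months
    reasons = []
    steps = [
        ("shop-a", 4_500, date(2013, 12, 20)),  # first charge binds to shop-a
        ("shop-a", 4_500, date(2014, 1, 20)),   # recurring charge, same merchant
        ("shop-b", 100, date(2014, 1, 21)),     # number "leaked", tried elsewhere
        ("shop-a", 2_000, date(2014, 2, 1)),    # would exceed the $100 limit
    ]
    for merchant, amount, day in steps:
        reasons.append(authorize(card, merchant, amount, day)[1])
    card.locked = True                          # holder locks it in the app
    reasons.append(authorize(card, "shop-a", 500, date(2014, 2, 2))[1])
    card.locked = False
    reasons.append(authorize(card, "shop-a", 500, date(2014, 3, 2))[1])  # past expiry
    return reasons, card


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The merchant binding is the check that matters for a breach like Target's: the stolen number carries the merchant's identity with it, so a card-shop buyer cannot spend it at a drug store. Chargeback rights are unaffected because the virtual number still maps to the real account at the issuer.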
------
seiji
Recent stolen credit card number story:

Last week I got an email saying I made a $1,000 payment on my credit card.
Except, I didn't. It wasn't bill pay time of the month. I brushed it off as a
well formatted spam.

An hour later, it still bothered me. I logged in to check. Yup, there was a
$1,000 payment recorded as of 4am my local time the same day. WTF? Oh, look,
there's also fraudulent charges showing up now. How odd.

It turns out: my card didn't have enough free credit on the line for the
losers to buy their xbox, so they _called in_ and requested a $1,000 payment
from my bank account on file. The credit card company happily issued it, my
credit limit increased by $1,000, then the guy went out and bought his xbox.

While I was on the phone explaining this to the credit card company, three
more fraudulent charges showed up in pre-auth.

Incompetents all around (except for whoever stole my credit card number).

The whole "stolen credit card number" thing doesn't hurt very much (since all
bad charges are covered), but what _really_ is annoying is someone getting
away with purchasing things fraudulently.

~~~
kordless
Then pile on the fact that I've tried to use my AX legitimately to buy
hardware over the last month and was denied 2 separate times because it
'seemed suspicious'. Really makes you wish for a more secure payment system
which can be used for such transactions.

~~~
Jtsummers
I'm curious, my purchase history with my CC was generally local stores,
groceries, gas, restaurants. Large purchases were rare, and then I finally
bought some computer hardware (~1k purchase for the whole kit, all at once).
BoA called me and confirmed it wasn't fraudulent, things went on. Then I moved
and hadn't spent much in the new area (I use cash most of the time), when I
finally decided to upgrade from my 13" CRT. Go into Best Buy, pay with the CC,
again BoA called me and once the call was through the transaction cleared and
I had my new TV.

Does your CC company not call to confirm things? Were the purchases clearly
out of line with your previous purchase history (by location, type or amount)?

------
callmeed
Personal anecdote and tips:

I had my debit card skimmed at a local gas station in October. Within a couple
hours, it was being used at stores in Los Angeles. I live a 3+ hour drive from
LA so there's no way the skimmer/data was physically taken down there–the data
had to have been transferred (cell?) to someone down there pretty quickly.

My card was used at a restaurant and a few different stores, but several times
per store. Total amount charged was about $2K. All purchases were < $100 and
most purchases were for very even amounts at drug stores. Based on research,
this is because buying gift cards is a favorite use of stolen cards. Gift
cards can be turned into cash online for about 75-85 cents on the dollar.

Chase was very good about freezing the card and crediting back all the
fraudulent charges.

TIPS:

- Use cash or a gas card for gas OR at the very least, use a pump close to
the cashier

- Debit cards have a reputation for having less protection than credit cards.
At least at Chase, this is no longer true. Chase has zero-liability for
unauthorized debit card purchases [1]

- Check your online banking often

- Don't rely on your bank's automated fraud detection. Most alerts I've
received from Chase have been false positives (legitimate purchases while
traveling).

[1] [https://www.chase.com/checking/debit-cards](https://www.chase.com/checking/debit-cards)

~~~
MartinCron
I've also had plenty of false positives, but my bank (Bank Of America) has
caught multiple actual fraudulent charges. It's easy to hate on big banks and
big data and the loss of privacy, but it's pretty cool when your bank calls
you up and says "We don't think that was you buying skateboards and polo
shirts in Eastern Europe."

~~~
ubernostrum
I live in a sort of love/hate relationship with BoA's fraud-detection system.

On the one hand, I had a number genuinely stolen a while back in the PSN hack,
and a case where someone tried to use my debit card in a hotel in Tennessee.
In both cases, I got a phone call almost immediately, was out zero dollars and
had a new debit card number within 24 hours.

On the other hand, I travel a lot. Emphasis on _a lot_. And I have begun
simply planning trips around the expectation that at least one of my BoA cards
will be frozen every time I do so, because their systems don't seem to
actually work off usage patterns. Instead, use of the card beyond a certain
mileage radius from home address triggers a fraud alert. So even though quite
a bit of my travel is to a small number of cities, I still have to deal with
occasional random fraud alerts freezing my cards (example: I've been to
Washington, DC around six times in the past year. Despite that -- and despite
making the booking in advance, including the card number -- I still had one of
my cards frozen when trying to check into a hotel there a while back).

Their customer service people have confirmed that it's just mileage radius,
and anecdotally it seems that the radius is around 600 miles (I am based near
Kansas City, and can safely use BoA cards in Denver and Chicago, but had a
problem once in Austin, IIRC). Which probably makes sense for most people, but
I am more than 600 miles from home at least a couple times every month. And
there seems to be nothing for it aside from calling their fraud-prevention
department every time I'm about to go somewhere, which is equally impractical.

~~~
MartinCron
For what it's worth, I found out that you can inform BofA about your travel
plans via online banking. A lot faster than calling the fraud prevention line.
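The two detection policies contrasted in this sub-thread, side by side: a pure distance-from-home rule versus one that also consults the card's own travel history. This is an added example, not Bank of America's system; the 600-mile radius comes from ubernostrum's anecdote, and the cities, coordinates, visit counts and the "three prior visits" threshold are constructed assumptions. It shows why the radius rule keeps freezing a frequent flyer in a city they have used the card in six times, while a history-aware rule only flags the genuinely new destination.

```python
"""Radius-only vs history-aware travel fraud rules (added example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Tx:
    city: str
    lat: float
    lon: float


def haversine_miles(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def radius_rule(tx: Tx, home: Tuple[float, float], radius: float = 600.0) -> bool:
    """Flag if the transaction is farther than `radius` miles from home."""
    return haversine_miles(home, (tx.lat, tx.lon)) > radius


def history_rule(tx: Tx, home: Tuple[float, float], history: List[Tx],
                 radius: float = 600.0, min_visits: int = 3) -> bool:
    """Flag only distant transactions in a city the card has rarely been used in."""
    if not radius_rule(tx, home, radius):
        return False
    prior_visits = sum(1 for h in history if h.city == tx.city)
    return prior_visits < min_visits


def evaluate(home: Tuple[float, float], history: List[Tx],
             new_txs: List[Tx]) -> Dict[str, Tuple[bool, bool]]:
    """Map city -> (radius_rule flagged, history_rule flagged) for each new tx."""
    return {tx.city: (radius_rule(tx, home), history_rule(tx, home, history))
            for tx in new_txs}


# Constructed data: home near Kansas City, approximate city-centre coordinates.
HOME = (39.10, -94.58)
DENVER = Tx("Denver", 39.74, -104.99)
CHICAGO = Tx("Chicago", 41.88, -87.63)
AUSTIN = Tx("Austin", 30.27, -97.74)
DC = Tx("Washington DC", 38.91, -77.04)

# Six prior DC trips in the past year, as in the anecdote above.
PAST_YEAR = [DC] * 6 + [DENVER, CHICAGO]


def demo() -> Dict[str, Tuple[bool, bool]]:
    return evaluate(HOME, PAST_YEAR, [DENVER, CHICAGO, AUSTIN, DC])


if __name__ == "__main__":
    for city, (by_radius, by_history) in demo().items():
        print(f"{city:14s} radius-rule={by_radius!s:5s} history-rule={by_history}")
```

The history rule is deliberately narrow: it does not lower the bar for a city the card has never seen, so a first-time charge in Austin is still flagged by both rules. A real system would add merchant-category and velocity features, but even this one-line lookup removes the repeat false positives the comment complains about, and a travel notice entered through online banking is just another way of seeding that history.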

------
munger
I bought something from Target in this window with a credit card (Wells
Fargo).

I called them up to proactively report it stolen - the problem is they will
immediately deactivate your current card and it takes 7-10 business days for
the new one to show up. It is not possible to get a 2nd card number without
deactivating the first (to avoid a no-card for 2 weeks situation). Or you can
have them overnight it to you for $16.

Kind of annoying to pay $16 for a merchant error, or to not have your primary
card for 2 weeks during the holiday season (and also the card you use to pay
all service bills like cable tv, internet, city/trash/water etc).

Ultimately I decided to do nothing and just keep a close eye on account
activity until January when it is less inconvenient to wait for the new one.

~~~
clauretano
Very inconvenient. I wish more banks had the feature of Simple[1][2] where
from the mobile app, you can lock and unlock your card at will. They emailed
customers proactively regarding the Target breach and suggested that if you
are really worried, you can leave your card in a locked state and then unlock
it only when you need to swipe it.

Since they by default send a push notification on every transaction, it'd be
overkill as long as you respond quickly in the event of an unauthorized one.

[1] [http://www.simple.com](http://www.simple.com)

[2] Simple is fantastic for a whole host of reasons. Check them out. I'm not
affiliated in any way, but have been using them as my primary bank since early
on in their beta.

------
robomartin
My wife shopped at Target twice, both times outside of the period given for
the breach. I think we are still going to get the cards replaced just to err
on the side of prudence.

I find myself wondering how this might affect Target. I almost never shop
there myself. My wife, on the other hand, might have shopped there once a
month or once every couple of months. Yesterday she told me she is not going
back. Ever. There have to be other people in the same boat.

It'll be interesting if they ever release information on how exactly the
breach was orchestrated. My biggest question is about all of that data moving
about Target's distributed system without any encryption whatsoever. At least
that's what it sounds like. The data capture had to be done at some central
point in their infrastructure in order to affect some 1,800 stores.

Again, all of that data from 1,800 stores got to a central repository of some
sort completely unprotected? Why isn't that information stored and limited to
within the walls of each store? It'd sure limit the exposure, well, by a
factor of 2,000. Anything leaving the walls of a store needs to be encrypted.

Perhaps someone with more experience in brick-and-mortar payment
infrastructures of this kind can comment on this?

~~~
toast0
My guess is that they run all the stores through a centralized payment system.
Encrypted in transit or not, the payment system needs the details in plain
text to send to the payment processor. At or near the payment processing is
where the information was likely copied.

The information can't only stay within the store, because purchases from one
Target may be returned at any Target, and they may look up receipts by credit
card used. At Target's scale, it makes more sense to do a centralized lookup
(or local + centralized), rather than a query to every store.

------
joshmlewis
I had an interesting thing happen a few months ago. I kept having my credit
card used for fraudulent charges, but they weren't buying TVs or electronics,
just small purchases at Dollar General and gas stations in Texas. I was really
confused. So I had the card cancelled and another issued, and there again it
was being used in another state. This happened three times within a couple
months. I have no idea how or why as I'm very careful purchasing things online
and in person. I finally changed my PIN and it stopped. I don't know why or
how they were using my card with my pin, but either by coincidence or luck
that fixed it.

------
guan
From the screenshot in that article, it looks like Target stored not just the
credit card number, but also expiration date and full magnetic track
information, including CVV1.

Why in the world would they do that? I would lose a lot of sleep over if I had
to store just name and card number, but at least I could see some use for
that. For example, you could look up a customer’s past purchases for returns
or warranty claims.

Why did Target want to store the expiration date, so the card could be used on
online stores that don’t check CVV2, and the magnetic track info with CVV1 so
the cards can be cloned?

~~~
elwell
You don't need the CVV unless you're in the UK (or somewhere that requires
it). I've made plenty of online cc forms for US based companies that did not
include it (that doesn't sound very good now that I write it out).

~~~
guan
CVV1 is the code that is embedded in the magnetic track and allows you to
swipe the card. CVV2 is printed on the back and used in many, but as you
correctly point out not all, online stores.

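What "full magnetic track information, including CVV1" means in bytes, and what a retailer could have kept instead for the receipt lookups toast0 describes. This is an added example, not Target's or any processor's code. The track 2 layout (ISO/IEC 7813: start sentinel, PAN, separator, YYMM expiry, three-digit service code, discretionary data, end sentinel) is standard; the sample track uses the well-known Visa test PAN 4111111111111111 with a made-up expiry, service code and discretionary field, and the HMAC key is a constructed placeholder. The `find_track_data` scanner is the kind of check a responder would run over dumps, logs and databases to see whether full track data ever landed at rest.

```python
"""Track 2 parsing, PCI-style retention record, and a scanner for stored
track data (added example)."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# ;PAN=YY MM SSS discretionary?   A trailing LRC byte after '?' is ignored.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters random digit runs when scanning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> Optional[Dict[str, str]]:
    """Split a track 2 string into its fields; None if it is not track 2."""
    m = TRACK2_RE.match(track)
    if not m:
        return None
    pan, yy, mm, service, disc = m.groups()
    # Discretionary data is where PVKI/PVV and CVV1 live; with it a card can
    # be cloned onto a blank magstripe, which is why it must never be stored.
    return {"pan": pan, "expiry": f"20{yy}-{mm}", "service_code": service,
            "discretionary": disc}


def mask_pan(pan: str) -> str:
    """First six / last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retention_record(track: str, lookup_key: bytes) -> Dict[str, str]:
    """What a store may keep after authorization for 'find my receipt by card'.

    Keeps a truncated PAN for display and a keyed token for lookups. Expiry is
    permitted to store under PCI DSS but not needed here, so it is dropped too;
    service code and discretionary data (CVV1) are discarded. The caller must
    not persist `track` itself.
    """
    t = parse_track2(track)
    if t is None or not luhn_ok(t["pan"]):
        raise ValueError("not a valid track 2 record")
    token = hmac.new(lookup_key, t["pan"].encode(), hashlib.sha256).hexdigest()
    return {"pan_masked": mask_pan(t["pan"]), "lookup_token": token}


def find_track_data(blob: str) -> List[str]:
    """Scan stored text for full track 2 records; returns masked PANs found."""
    return [mask_pan(m.group(1)) for m in TRACK2_RE.finditer(blob)
            if luhn_ok(m.group(1))]


# Constructed sample data.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"   # test PAN, fake tail
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_LOG = ("pos07 swipe ok " + SAMPLE_TRACK2 + " tx=42\n"
              "pos07 swipe ok ;1234567890123456=2512101000000000? tx=43\n"
              "pos08 no card present tx=44\n")


if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2))
    print(retention_record(SAMPLE_TRACK2, SAMPLE_KEY))
    print("track data at rest:", find_track_data(SAMPLE_LOG))
```

The token is an HMAC rather than a bare SHA-256 because a PAN has very little entropy once the six-digit BIN is known: roughly a billion Luhn-valid candidates, which an attacker who obtains a plain hash table can enumerate in minutes. With the key held by the central returns service, the store-level data is useless on its own, which is the kind of compartmentalisation robomartin asks about above. The second line of the constructed log has a syntactically valid but Luhn-invalid PAN and is correctly skipped by the scanner.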
------
thechut
I got a notification from simple last night that said they would be sending me
a new card because I shopped at Target, but that my old one would still work
until the new one was activated.

Great service and I didn't even have to do anything.

Cheers simple!

------
CoachRufus87
So is it worth replacing my debit card and updating numerous automated
payments that bill it, or just closely monitor my banking activity (like I
already do)?

~~~
ansible
I just checked my CC account, and found a transaction at Target in that time
period. I checked my other transactions, and everything was OK. However, I
decided to cancel the card anyway and get it re-issued, just to be safe.

I have other cards I can use, so it is not an inconvenience. I feel I dodged
some trouble.

------
nnnnni
So... What's the best way to find out if your card was caught up in the
breach?

~~~
takeda64
Here:
[http://paulsparrows.files.wordpress.com/2011/06/ismycreditca...](http://paulsparrows.files.wordpress.com/2011/06/ismycreditcardstolen4.png)

Your question reminded me of this and I see someone already responded. In any
case you should get a new card if there was a chance you were affected.

------
PhantomGremlin
_Credit and debit card accounts stolen in a recent data breach at retail giant
Target have been flooding underground black markets in recent weeks, selling
in batches of one million cards and going for anywhere from $20 to more than
$100 per card, KrebsOnSecurity has learned._

No fucking way (pardon my French)!

I haven't seen anyone comment on this yet, but doesn't this seem _incredible_?
I.e. I don't believe it.

Am I to accept that transfers of $20,000,000 to $100,000,000 ($20 to $100
times a batch of 1 million) are occurring in payment for these cards.

Bullshit. I just don't believe it. This theft is now widely known. So no way
that someone is going to plunk down $100,000,000 just to get a small portion
of this info.

Again, bullshit. IMO. It just doesn't make sense.

~~~
unreal37
I think what they mean is that you can buy 100 stolen cards for $2000. And
they guarantee that those 100 are still good numbers because they check them
right after selling them.

No one is buying them in the millions. But plenty would buy 10, 20, 50 good
stolen card numbers.

------
quaffapint
Ironically we only used Target's Red debit card. Can only be used at target and
has a pin. Of all our cards that was the 'best' one we could have used in this
case. We just changed the pin, even though no pins were taken.

~~~
webXL
We use that exclusively there, too. 5% off is a no brainer for how much we
shop there.

------
tokenadult
As I mentioned in a pair of comments in an earlier thread,[1][2] I live so
close to the local Super Target (walking distance), that we end up shopping
there even though we like other stores better. But from now on, we will pay
only in cash, and if that limits our purchases at Target, well that's too bad
for Target.

[1]
[https://news.ycombinator.com/item?id=6934787](https://news.ycombinator.com/item?id=6934787)

[2]
[https://news.ycombinator.com/item?id=6936175](https://news.ycombinator.com/item?id=6936175)

