
Who's Selling Credit Cards From Target - dkasper
http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/
======
bri3d
This is a good illustration of how hard it can be to stay anonymous online.

With that being said, I don't see how Krebs reaches the conclusion that this
guy "probably" knows who stole the Target cards or how they were stolen. They
were just posted on his crappy carding forum.

It seems a bit disingenuous to me to plaster this person's dox under this
headline; yes, he seems pretty scummy and runs several criminal enterprises
but there's no actual evidence in the article linking him to the Target fraud
beyond someone else using his forum to hawk their stolen goods.

~~~
d23
Krebs doxxes people frequently and it seriously undermines any moral argument
he may have, since a good deal of his time has been spent complaining about
people doxxing him. There's a fine line between exposing crime and opening
someone up to vigilante justice. Send the information to the police, but the
public has no need for it.

~~~
uchi
Who has Krebs doxxed before exactly? This is the first time I'm hearing about
this.

------
belluchan
I was in line and made a short conversation (short so as to not hold up the
line) with the cashier at Target. The elderly lady behind me was pretty
worried about the credit card theft, and the cashier knew about it too. It's
cool at least that news about this stuff is reaching more people.

In my opinion just get a new card, don't wait for suspicious activity. Check
it to see if it was already used. Also, given that the 3 letter pins from the
back are not included, I'm not sure if it's going to be very easy to
make use of this card data. Having said that, still get a new card if you used it
at Target recently.

~~~
liuhenry
By 3 letter pin, do you mean the CVC code?

Many merchants require the CVC code to protect themselves against
fraud/chargebacks and because they can get lower processing fees, but strictly
speaking, it's not necessary to make a transaction (IIRC, the only thing you
need is the card number and expiration date).

Notably, Amazon does this for their 1-click checkout. Saving CVC codes is
against PCI compliance, so in order to provide that low-friction experience,
they simply post the saved card information without it.

~~~
larrys
"the only thing you need is the card number and expiration date"

If the dollar amount charged is low enough you don't even need the expiration
date. You just use the current month.

We've frequently had to charge expired customer credit cards (expired by
years in many cases) and as long as the dollar amount is low enough (off the
top +- $40 [1]) and the card number hasn't been changed the charge will go
through. Very convenient instead of having to contact the customer to get a
new credit card expiration date. Also helps because that way you don't give
the customer a chance to rethink what they are paying for and whether they
need it or not.

[1] May be higher but I'm not certain if it's $60 or $100 so I will go with an
amount that I know works.

~~~
jusben1369
Who are you using as a payment processor? Are you sure they're not running the
Account updater service against your cards on file and automatically updating
expired ones for you?

~~~
larrys
I'm sure. And it's paypal. No cards are on file. These are literally credit
cards that are stored in file folders (quite an air gap, huh?) and they are
typed in MANUALLY in the paypal interface. Nothing is stored with the
processor for repeat transactions. This has been going on since the mid 90's
and while using other processors as well as even (in another business) at a
credit card processing machine where the cards were keyed into that. CVV is
not relevant either.

~~~
jusben1369
Got it. Thanks for the clarification.

------
tzs
Several years ago I received an email offering to sell me 100k stolen credit
cards, and it included a sample of 12k cards. They had card number, issuing
bank, customer name, expiration date, customer address, and I think phone
number. I don't remember if they had the CSC or not.

Some of these were from banks that would let you try to login given a card
number and password, and told you on failure if you got the card number wrong
or the password wrong, so I was able to do a check using that on some of the
cards and found they were legit card numbers for accounts at those banks.

This was on a Friday late afternoon Pacific time.

I called the FBI to see if they were interested. They were not, and suggested
that the Secret Service might be more appropriate. The Secret Service was also
not interested. I then tried the credit card associations, and most of them
told me that this would be an issue for their security department and
suggested that I call back Monday morning as the security department had gone
home for the weekend. One did give me the email I could forward the mail to.

I had thought someone would be interested in this, at least enough to want to
look at the card numbers I had to determine if they came from a known breach
or were from something new.

~~~
MichaelGG
Is this due to the CC processors' fraud detection? They just figure it's the
cost of business and most of the time, the merchant ends up footing the bill,
right?

Is it possible the CC companies are worried that if the government steps in,
it reduces their role in anti-fraud and helps their competitors?

------
ghoul2
A lot of value of stolen credit cards comes from the reluctance of businesses
and law enforcement to go after the users of such stolen cards, as the
transactions are "small" - sub-1000$.

Last year, I had four fraudulent transactions appear on my card. I am a very
cautious user - Linux on the desktop, separate user and browser profile for
e-shopping etc. This was the first time it happened in over 15 years of
extensive online card-use.

Two of the transactions were with Netflix to register new streaming accounts.
I called up Netflix, and within a couple minutes had a block placed on my card
and both the accounts deleted with refunds to my card.

The other two transactions were on frys.com. One was for a laptop and the
other, much higher value, for a smartphone. Shockingly enough, while one
transaction got security flagged and did not go thru, the laptop one cleared
and the laptop had been shipped out before I contacted frys. Frys rep told me
on the phone that the information submitted was very clearly and obviously
phony - the email address was a string of random letters @gmail.com, name etc
everything was fake. Even with the credit card info, the only piece of correct
info was the credit card number. No CVV was submitted, no correct billing
address, not even the name on the card was correct. Heck, as my credit card is
NOT US based, even the country of the card was not correct. Yet Frys shipped
it.

I tried to get more information about the fraud but frys refused: they told me
point blank, that they will not give me information, they will not initiate a
police case, and they will not refund my money even though they were clearly
at fault for having the transaction to go thru.

I, not being based in the US, had few options. I filed an online police report
with San Jose police, where Frys is based. I also filed an online report with
the FBI online fraud division. Both of them assumed I was filing these reports
for insurance/reporting purposes, but told me outright that no investigation
would take place.

Later, when my bank provided me with more info about the fraud I found out
that frys actually challenged my chargeback and provided the transactions
details to my bank. As expected they had no case, but I found out from the
details that the laptop had been shipped to an address in Abilene, TX. I
immediately registered an online report with the Abilene PD as well.

None of the authorities were interested in following up. Considering how
trivial it would have been to at least check up on the address, this seems like
a bad lapse.

I believe it creates a moral hazard: In the end, frys was the one that was out
a few hundred dollars, and they refuse to prosecute. Police does not act on my
complaint. Once it becomes known that a company has such lax policies, it's
open season.

~~~
dba7dba
>> I filed an online police report with San Jose police, where Frys is based.

You can forget about police doing anything to catch the criminals. The only
good you get out of contacting police of such ID theft cases is that you can
use the resulting paperwork to file claim with credit card company. Forget
about police doing anything to actually go out to look for the criminals.

IMO, US police departments are firmly stuck in the mode of 'only-criminal-we-
go-after-is-someone-with-a-gun-or-drug'.

It's been a while so the sequence of events is a bit fuzzy but basically I was
a victim of ID theft a few years ago. A few checking/credit accounts opened
using my name. 2 iPhones purchased using my name (not approved by me of
course) at an official phone company store (meaning they were captured on
security camera in the store). On Credit Report I pulled immediately after I
learned what was happening, I saw my actual addresses and the criminals'
addresses on the report. Interestingly the criminals were living in a 'dump' 1
year earlier but had since moved into a rental in a brand new condo complex. I
mean a brand new, nice condo complex, also in San Jose area. I found out
through Google Street View.

Now I had leads on their addresses and VIDEO FOOTAGE (in possession of the
phone store in San Jose) of them existed. I was excited as I was headed to
police station to file report. Well, what a disappointment. It seemed no one
seemed interested in seeing the video footage. They just took my report (took
me about 1+ hours in there). I got a generic confirmation letter from my
police dept weeks later. I heard nothing from the police in San Jose. Weeks
(or months later ?) I got a call from a US Postal Inspection Service
investigator. He gave me names of 2 suspects and asked again if I knew them. I
did not and am pretty sure they were the criminals. Thus the crime was being
investigated by US Postal Inspection Service. So a potentially slam dunk case
was being pushed around between 2 local police departments and a Federal
agency. And the result was I was actually interviewed on the phone
weeks/months after the crimes had occurred.

These pulps committed a crime that potentially cost someone else a few
thousand bucks (cost of phone and fee and late fee), not to mention hours I
had to spend to clean up the mess. But because the victim and criminals are in
separate/distant jurisdictions, the police essentially did not do much on
their own. They simply pushed the case off to a federal agency.

Had someone in my police department called San Jose police department to go
look at a video footage at a phone store and visit a local address up there,
they could've caught the guys in a matter of hours or days.

Interestingly, months later I got a letter from landlord of the condo rental
the criminals had rented. The landlord was demanding unpaid rent. The pulps
had rented the complex using my name and when the fraudulent accounts were cut
off and their money dried up, they fled without paying rent. The landlord's
collector of course searched for my name and found the real 'me'.

The US police seems helpless with these crimes that cross multiple
jurisdictions.

~~~
saryant
Anecdotal counterpoint: when a waiter started skimming cards in a town I used
to live in, the county sheriff actually did track them down and arrest them.
Charges were filed but I don't remember what happened after that.

Of course, they also tracked down someone who stole a pair of sunglasses out
of my car so my experience is likely atypical.

------
ck2
How on earth are the sellers "cashing out" and how are they taking payments?

Why can't the money be followed?

If the NSA is such a powerhouse with billions of dollars of assets to track
every electronic communication, why aren't they focusing their entire
resources on people like the sellers?

Or is it like the TSA where they just hassle the completely innocent people at
the airport for show while the real criminals take other paths.

~~~
dasil003
> _If the NSA is such a powerhouse with billions of dollars of assets to track
> every electronic communication, why aren't they focusing their entire
> resources on people like the sellers?_

Because they didn't invest that kind of money to find the logs in a haystack
that are eastern bloc cyber criminals. They are looking for a _needle_ in a
haystack dammit. A needle. (and possibly if some of their wives are cheating
on them).

~~~
Datsundere
"Is your wife cheating on you? Well you have the opportunity to figure out by
joining the NSA today!"

------
ginko
Is it just me or is anyone else surprised that the first screenshot contains a
(working) .su URL?

.su was the TLD of the Soviet Union.

~~~
alcari
Russia still controls the .su tld and allows registering new domains under it.

------
falcolas
So, granted the perpetrator can easily be considered to be a scumbag, but is
doxxing him really the best way to address this situation? What if this guy
ends up lynched by a vindictive mob? What if this information is wrong?

~~~
pyre
If he gets lynched, then it becomes news, and generates more pageviews. It's
good for business. /s

------
x0054
This is a fascinating bit of research. Has anyone posted yet information on
how the actual card info was stolen? I read somewhere that the point of sale
units were infected, but with no evidence to back that claim up.

~~~
wallflower
Not the details of how it was done - but Bob Cringely has an interesting bit
of conjecture on how the attack might have been introduced. It is a bit
controversial because it hypothesizes that it was a lack of proper change
control processes and possible outsourcing.

[http://www.cringely.com/2013/12/20/thoughts-grinch-stole-tar...](http://www.cringely.com/2013/12/20/thoughts-grinch-stole-targets-christmas/)

~~~
MichaelGG
That article is pretty worthless. First, he says "clearly the terminals had
access to the Internet", and that if they used a private network, it'd not
have been a problem. That's just wrong. Let's assume the POS terminals
connected via IPSec over a frame relay linkup to several datacenters. A
compromise in the processing center could cause an issue. Or, you could attack
the POSes and have them record data to some internal site which you can access
from another point in the intranet.

Second, his only actual argument is: "Someone probably made an out of process
change to Target’s POS system and nobody noticed."

Sure, maybe. Or maybe someone subverted some other security system first. Who
knows. Useless conjecture is just that.

Then he goes on about how the NSA should be fixing these issues. Okie dokie.

This is the same guy that doesn't understand how search engines work, and
asked Eric Schmidt to manually fix his sister's website ranking in Google. I
wouldn't take him as a useful source.

------
andy10
Unfortunately, I was one of the shoppers at Target. It's fascinating how
different issuers are dealing with the problem. It seems that many are waiting
to reissue the cards, so the consumer can continue to shop during the busy
time.

------
lstamour
Of course all this hinges on the admission that he was Hel in the first place
.... which seems plausible to the amateur but requires more evidence for
courts, I suspect. Though the name-clash of that service and the bribery is
intriguing.

As to Target, there had to be a group. Somebody funding, someone inside, and
then you've distribution networks for what effectively ends up as money
laundering. At least that's the way I imagine it :)

------
yeukhon
I am fascinated how the black market operates. With law enforcement probing
every corner, going undercover, I can't imagine myself getting involved in a
black market at all. Well, I guess there is always the risk which says high
risk yields high return.

~~~
dobbsbob
Russia and CIS countries don't care about US fraud so won't allow citizens to
be extradited. FBI/Secret Service prob know who they are and will just wait
until they go on vacation somewhere and kidnap them like they usually do.

~~~
bananacurve
>kidnap them like they usually do

Although that would be impressive, I'm sure you know you are full of shit, but
other people don't.

~~~
dobbsbob
Derp dey derp [http://rt.com/news/extradite-russian-national-panin-901/](http://rt.com/news/extradite-russian-national-panin-901/)

Also Maksim Yastremsky (sp?) who the SS had Turkey work over for his FDE key
because when they broke into his hotel room in Dubai couldn't extract info.
That was from the 2007 big TJmax carding heist.

~~~
AnotherDesigner
I'm confused, are you implying it's not okay for these criminals to be brought
to justice, in accordance with various international laws, when their parent
state acts belligerent and refuses to cooperate? These people hurt others for
a living. They deserve punishment.

~~~
dobbsbob
So does the Pentagon but you never see them punished for blowing up a wedding.
US does not act within international law; if they did, CIS/Russia wouldn't be
complaining about these kidnappings.

------
seivan
I tend to create temporary e-cards for online purchases outside of
subscriptions...

