The nightmare before Christmas continues for Target and its customers.
Stolen Target customer information from a security breach involving its in-store point-of-sale systems has already begun flooding the black market, according to numerous people in the fraud industry tracking the situation.
On Dec. 11, one week after hackers breached Target’s systems, EasySolutions, a company that tracks fraud, noticed a ten- to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every U.S. bank and credit union.
The black market for credit card and debit card numbers is highly sophisticated, with numerous card-selling sites that are indistinguishable from a modern-day e-commerce site. Many sell cards in bulk to account for the possibility of cancellations. Some go for as little as a quarter. Corporate cards can sell for as much as $45.
But the security blogger Brian Krebs, who first broke news of the Target security breach on his website, said some Target customers’ high-value cards were selling for as much as $100 on exclusive black market sites.
Security experts say the higher the limit on the card, the more valuable they are to criminals, who can use them to make purchases, burn information onto counterfeit cards or buy gift cards that can be exchanged for cash.
In many cases, the credit card numbers flow through the same distribution channels as narcotics, said Paul Kocher, the president of Cryptography Research, a security-focused division of Rambus, a Silicon Valley technology company.
“When you try to deal with this problem from a street policing perspective, it’s often the drug dealers, not the guys making the actual money, who get caught,” Kocher said.
Target released a new statement Friday saying that, to date, it was aware of only a few incidents of actual fraud, and reassuring customers that they would not be held financially accountable for fraudulent purchases.
The retailer also clarified that no personal identification numbers, or PINs, had been compromised. That was a major concern among customers, who feared that with the PIN, criminals could use a counterfeit card to withdraw money from an ATM.
The company also said that any Card Verification Value data (the security number on the back of a card) that was breached was data from the magnetic strip, not the three- or four-digit code visible on cards that are used to make secure purchases online. Target also said it had no indication that customers’ dates of birth or Social Security numbers had been compromised.
Target said that it would use email to alert affected customers, those who had shopped in its retail stores between Nov. 27 and Dec. 15, and that it expected to notify all 40 million customers by the end of the weekend.
Target said that its loyalty card holders, known as REDcard holders, were protected by fraud monitoring systems and had additional security and fraud monitoring for their cards. But customers complained that it was virtually impossible to monitor their accounts for fraudulent activity.
John Kenyan, a Target REDcard holder, said in an email that when he had tried to check his account for fraudulent activity, the account listed only the total purchase amount, the date and the store, without listing the individual items purchased.
“This makes it almost impossible to check for fraud,” Kenyan said.
Target spokeswoman Molly Snyder said Target has provided exposed card numbers to Visa, MasterCard, Discover and American Express. Those companies are in turn providing the information to the financial institutions that issue them.
Investigators believe that overseas hackers were responsible for the cyber attack on Target and customers’ accounts, a person familiar with the matter told Reuters on Friday.
The person, who was not authorized to talk publicly about the matter, said that government investigators do not believe that the hackers had inside help.
The source declined to say how the hackers got in or where investigators believe they are based.
TRYING TO SALVAGE SALES
Target’s CEO Gregg Steinhafel apologized through a statement issued on Friday. The retailer also said it’s working hard to resolve the problem and is adding more workers to field calls and help solve website issues. And the discounter began offering 10 percent off for customers who shop in its stores on Saturday and Sunday and free credit-monitoring services to those who’ve been affected by the issue.
Mark Hosenball and Dhanya Skariachan of Reuters contributed to this report.