The nightmare before Christmas continues for Target.
Stolen Target customer information from a security breach involving its in-store point-of-sale systems has already begun flooding the black market, according to numerous people in the fraud industry tracking the situation.
On Dec. 11, one week after hackers breached Target’s systems, EasySolutions, a company that tracks fraud, noticed a ten- to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.
The black market for credit card and debit card numbers is highly sophisticated, with numerous card-selling sites that are indistinguishable from a modern-day e-commerce site. Many sell cards in bulk to account for the possibility of cancellations. Some go for as little as a quarter. Corporate cards can sell for as much as $45.
But the security blogger Brian Krebs, who first broke news of the Target security breach on his website, said some Target customers’ high-value cards were selling for as much as $100 on exclusive black market sites.
Security experts say the higher the limit on the card, the more valuable they are to criminals, who can use them to make purchases, burn information onto counterfeit cards or buy gift cards that can be exchanged for cash.
In many cases, the credit card numbers flow through the same distribution channels as narcotics, said Paul Kocher, the president of Cryptography Research, a security-focused division of Rambus, a Silicon Valley technology company.
“When you try to deal with this problem from a street policing perspective, it’s often the drug dealers, not the guys making the actual money, who get caught,” Kocher said.
Target released a new statement Friday saying that, to date, it was aware of only a few incidents of actual fraud, and reassuring customers that they would not be held financially accountable for fraudulent purchases.
The retailer also clarified that no personal identification numbers, or PINs, had been compromised. That was a major concern among customers, who feared that with the PIN, criminals could use a counterfeit card to withdraw money from an ATM.
The company also said that any Card Verification Value data (the security number on the back of a card) that was breached was data from the magnetic strip, not the three- or four-digit code visible on cards that are used to make secure purchases online. Target also said it had no indication that customers’ dates of birth or Social Security numbers had been compromised.
Target said that it would use email to alert affected customers, those who had shopped in its retail stores between Nov. 27 and Dec. 15, and that it expected to notify all 40 million customers by the end of the weekend.
Target said that its loyalty card holders, known as REDcard holders, were protected by fraud monitoring systems and had additional security and fraud monitoring for their cards. But customers complained that it was virtually impossible to monitor their accounts for fraudulent activity.
John Kenyan, a Target REDcard holder, said in an email that when he had tried to check his account for fraudulent activity, the account listed only the total purchase amount, the date and the store, without listing the individual items purchased.
“This makes it almost impossible to check for fraud,” Kenyan said.