Slashdot Mirror
Target Hackers Have More Data Than They Can Sell
itwbennett writes "The hackers who stole millions of credit card numbers from Target customers are probably 'laying low knowing that everyone is looking for them,' says Alex Holden, who runs cybercrime consultancy Hold Security. But it's also likely that they can't sell them: 'You can imagine that having a lot of stolen credit cards will not net the hackers, say $35 per card for all 40 million,' said Holden. 'Even if the hackers are willing to sell cards for $1 a card, no one will buy the stolen goods in these amounts.'"
The TargetCardCoin
You can always reduce things. They can sell a smaller subsets.
Maybe they did it for the lulz.
- In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
next to everybody's card has been stolen, is it time for everybody to get a new card? It'll make the stolen database worthless, as well as all other databases of stolen credit cards...
My bank (Chase) has sent out new cards to anyone that had a transaction at Target during the time period they indicated of the breach, and many other banks/financial institutions have done likewise. The value of the purloined data is heading towards nil quickly.
And now you understand the dilemma of De Beers and OPEC, which have more diamonds and oil than they know what to do with and trickle them to the market to keep the price up.
So they dump a small portion of them for free all over the place. If some who use it get busted it's a smoke screen but they can claim they're freedom fighting Robyn Hoods or something. My bank can only dock me $50 except that I have a plan that is free which means I don't get docked squat the bank eats it.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
They should help the less fortunate. Like me.....
I would take a few cards for free.
Security through Ubiquity!
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
The data was stolen by the company that prints the replacement cards.
Help stamp out iliturcy.
It's 110 million. Yes about 1/3 of the U.S. population has used a credit card at Target. I pray they don't hit Wal Mart.
ugh! lying low not laying low.
Supposedly one bank had already figured out the Target hack happened before Target announced it by buying back some of their own card data and checking the common point of purchase:
http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
To borrow from the Graduate, plastic has no future - is it really necessary to possess physical plastic cards and scan them? Not at all, the future is biometric/electronic/e-wallets and in at least one large retailer's case, regular customers will be able to walk out of the door without ever approaching a cash register.
I find this difficult to believe; for one the data can simply be sold off in smaller chunks, and secondly because there exist fences for this type of product that would be willing to purchase the data at a low-ball price and sit on it until the right buyer is found.
How long did it take Target to realize this and then how long did it take them to come forth?
All of my cards have been replaced (i didn't request either) due to the breach. It seems banks are getting more cautious and replacing cards after big breaches like this. I'd imagine in a month or two 90% of the stolen card numbers will be worthless.
Since it sounds like we are near the point where everybody's credit card will need replacing anywayâ¦. how about this?
Under the current credit card system, when I want to purchase something from Target (or from anybody else), I send them my name, credit card number, billing address, and security code. Anyone who has this information is able to bill any number of charges to my account, in any amount, for as long as they want to (or until I catch on and cancel the card).
That seems like a bit too much power. What I'd like instead is the ability to send information that the holder of that information can only use once, to initiate a single transaction, for a specified amount, and (ideally) only to a specified destination account. That way if (okay, when) some miscreant gets ahold of the data I sent, the damage they can do is limited to the amount specified in that one transaction -- I won't have to replace my credit card, and I won't have to fight the credit company to get thousands of dollars in charges reversed.
Given that it's 2014 already (the future!), surely a system like this (or better) is possible? Build it around BitCoin if you have to, they seem to manage it just fine.
I don't care if it's 90,000 hectares. That lake was not my doing.
Not a bad problem to have from a hacker's point of view. As Mae West said, "Too much of a good thing can be wonderful."
This is stupid. Starting with the title:
"Target Hackers Have More Data Than They Can Sell" - so what? And based on what? Any guarantees?
"But it's also likely that they can't sell them" - but that leaves the possibility that they can, right?
"no one will buy the stolen goods in these amount" - why not? And why would they need to sell ALL to the same buyer? Couldn't they sell them in batches?
.
Implying they haven't been selling them in smaller batches.
I mean, if you are in business of stealing something to sell, you can never have "too much". You just have to sell in packets or whatever is the usual instead of advertizing "hey! Anybody wanna buy 110 million CCs wink, wink, nudge, nudge!". /. ;) The summary was too much already!
But most importantly, they had been stealing at least since November. And CCs are a "commodity" with an expiration date. You think if they wanted to sell them they have sat on them for all these months (when there was supposedly no "problem" finding buyers), waiting for something?
Low article even for
Not that I read it of course
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Bull. They will be selling these numbers for months. Many of the people who were impacted by this will never follow up by changing credit cards and pins. A large percentage of these numbers will remain valid until used.
What we are going to see is more large scale attacks because these gray and black hat hackers have access to vast resources. Stolen credit cards are a favorite for buying cloud hosting.
I think that the current US magnetic strip EMV credit card days are numbered.
Some form of two factor authentication should follow, which limits the vulnerability of the card information. Most european EMV credit cards use a Chip and PIN method of authentication, but the expense of these cards have been a deal breaker so far.
The heist is so big, I sometimes wonder, if it was done to destabilize the current US credit card system.
It's the banks that issuing the cards that are profiting from the hack.
Shoppers (more than 40 millions of them) who used their credit cards in Target are all running scared, and many will go to their banks to exchange their existing credit cards for a new one.
And the banks gonna change those poor credit cards owner a "service charge".
Even if the "service charge" is only $50 per card, for 40 million cards we are looking at a $2 billion dollar extra revenue for the banks !
Muchas Gracias, Señor Edward Snowden !
What kind of awful bank / credit card company do you have that charges you a replacement fee? I literally replaced my debit card and credit card without any fee, and my debit card was even replaced with a temporary one free of charge.
Furthermore, most of them would likely prefer to send out a card rather than have to deal with claims of account fraud, which costs them money to investigate as well as to eventually replace.
I'm no fan of the banks, but this is ridiculous.
Let's face it - credit cards are insecure. They always have been, and they still are. I have long operated under the assumption that all of my cards are compromised, but that someone hasn't gotten around to making use of them yet. Even 20+ years ago when I was trading cards using stolen voicemail boxes, we had more cards than we knew what to do with. Sure, there are organized gangs now using smurfs to work the cards, but they're still few in number. When you have say, 1/2 of all credit cards at your disposal, it's going to take you quite a while to go through them all, gang or no gang.
Until the economics change, the financial companies have no incentive to change things. Adding another step to a credit card transaction which reduces convenience, leading to even a infinitesimal amount of spending reduction, could easily cost more than all of the fraud combined.
http://www.masturbateforpeace.com/
Theoretically, yes. Practically, it doesn't happen.
You sell something. 40 days later, the customer calls their bank. The bank mails a form, which the customer receives 10 days later. They fill it in and mail it back. 14 days later, the bank deducts the amount from the merchant's receipts. Ten days after that, the merchant receives a letter saying they've been charged back for a transaction that occurred over two months ago. They money has already been taken from them, subtracted from recent sales.
IF the merchant digs up a signed receipt, they can start the process to dispute the chargeback. 90 days later they'll just get another letter saying the customer now says the product wasn't as advertised.
What HAS worked for me, in a small business, is to call the customer and start some friendly small talk. "Hi George, it's Ray from bettercgi.com. How was your vacation? ...". After establishing that human contact so the customer sees me as an actual person, I mention the chargeback. "I wanted to see if there was a misunderstanding because the bank sent me a letter saying you filed a fraud report against me...". When they are reminded of what the charge is for, I used to ask them to call the bank and cancel the chargeback. That involves the bank mailing another form for them to fill out, so that never ended up working. Now, I just get them to repay the amount. I end up eating the chargeback fee of about $39, plus the double processing fees. I then CALL them 20 days later and REMIND them what the charge is for because people who forget and charge back once tend to forget and charge back again.
As a consumer, please keep in mind your credit card provides strong protection from FRAUD. When you call the bank and charge back, you are accusing someone of fraud.
When you buy some cards on that website, are you supposed to already have a fraudulent credit card?
It just doesn't seem smart to use your real credit card to purchase stolen credit card numbers.
At least they didn't shoot someone then leave the goods laying there on the floor like idiots. Good for them, and go to jail. There are laws against that kind of griefing in this MMO.
Buy your next Linux PC at eightvirtues.com
Now you too can own stolen credit card to buy all your online pr0n! All for the limited cost of $1. Nothing could be easier! Simply pay by Credit Card! No hassle!
So the crooks might've slurped in more data than they can handle (where have we heard that one before?) and so these "analysts" do a bit of back-of-the-envelope calculating and find cause to write a bit of a piece full of sensationalist terms like the now entirely meaningless "hacker" (which colour hat, eh? did you check?) and gratuitous repeating the same over and over again again to try and cover up that they really have not more than a sentence or two of speculation to share.
Thank you so much for wasting my time like this.
Cause my credit card was stolen in the hack and charged $1000; so basically, they're wrong. Unless they pulled my card randomly out of a hat and I'm the most unlucky person on this earth they are and have been selling them.
I know your a troll but I'll bite anyways...You know its not just the card number that was stolen, but the other information that makes a number matching Luhn's Algorithm valuable. You know information like the card holders name, card expiration date, the CVV, perhaps even the PIN.
But of course, you were just being obtuse.
Does anyone have that website handy where you can enter your card number to see if it was stolen? That could be pretty helpful for people to figure out their risk level here...
Target has been the target of a hack attack.
As a consumer, please keep in mind your credit card provides strong protection from FRAUD. When you call the bank and charge back, you are accusing someone of fraud.
Or (unrealted to the Target hacks) of having an unreasonable returns policy that is not consistent with what the sales guy promised. So yes, I suppose that is fraud, though incompetence is a more likely explanation.
It is a miracle that curiosity survives formal education. - Einstein
Silly thing about the metric system is that we did make that concerted effort, but it was wiped out by the rise of Reagan conservatism and subsequent retrenchment of American exceptionalism.
Does the stolen-card pusher take plastic?
1. Buy 1 stolen card for $35
2. Buy x stolen cards using a previously acquired stolen card
3. Wash/Rinse/Repeat
4. ???
5. Profit
...when everything is a crime, everyone is a criminal.
This is a little off topic, but here it goes:
Most of my purchases are via the web. I used Discover's secure online account numbers for my web purchases. The SOANs can be used only at one merchant, but allows for multiple uses so that it can be used to set up monthly bill payment at the merchant. I was breathing a little easier, but now Discover is cancelling the program from next month. Tragic that the company is now going backward in light of this breach.I have written a letter to them. I encourage any other SOAN user to write them as well