Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target Hackers Have More Data Than They Can Sell

Posted by Soulskill on from the embarrassment-of-riches dept.

itwbennett writes "The hackers who stole millions of credit card numbers from Target customers are probably 'laying low knowing that everyone is looking for them,' says Alex Holden, who runs cybercrime consultancy Hold Security. But it's also likely that they can't sell them: 'You can imagine that having a lot of stolen credit cards will not net the hackers, say $35 per card for all 40 million,' said Holden. 'Even if the hackers are willing to sell cards for $1 a card, no one will buy the stolen goods in these amounts.'"

28 of 118 comments (clear)

  1. Proposal for new *coin by relisher · · Score: 2, Funny

    The TargetCardCoin

  2. Stupid People by Anonymous Coward · · Score: 4, Insightful

    You can always reduce things. They can sell a smaller subsets.

    1. Re:Stupid People by PPH · · Score: 3, Insightful

      But the buyers know (roughly) how many cards are available. The media has seen to that. So they know its a buyers' market.

      --
      Have gnu, will travel.
    2. Re:Stupid People by jeffmeden · · Score: 4, Informative

      You can always reduce things. They can sell a smaller subsets.

      This. Thefuck is this article? The guy who broke the breach also pointed out where the cards were getting sold at too. This article is a muse on a blog by a supposed "pundit" (pundit, n.: one whose insistence of credibility is the only thing greater than their ignorance).

    3. Re: Stupid People by Redmancometh · · Score: 3, Interesting

      I'm surprised I haven't seen anyone mention this, but I think they single-handedly killed the market. Think about it...no one knows all of the CC numbers yet. Not only should no one buy off of those guys, but no one knows who those guys are. So if say 80% of the cards are cancelled there are now 32 million legitimate useless credit card numbers out there.

      No one is going to trust anyone. I have a feeling this is going to do the blackhat community quite a blow.

    4. Re: Stupid People by BosstonesOwn · · Score: 3, Interesting

      As some one who deals with security on a daily basis, I have seen tools to prevent this.

      What happens is someone advertises say 10 K cards for sale. They actually package 15 K cards in the pack, when the user gets the pack they have a robot ap that goes and makes purchases from shops that are on the internet and are known to be able to easycard fraud friendly. The robots order something quickly like a $20 cable or piece of merchandise. If its declined the card is dropped from the database.

      Once all the cards are checked if the buy has close to 10 K they don't care. If less then say 8 K they get another chunk of 4 K to go at again. Until they get close to the 10 K they were promised. This is how the good groups do it. The ones who don't care just sell in chunks of 5 K to 10 K with no guarantees.

      Now they also can use another system for cards to do quick transactions checks just like paypal would do to check if the card is valid. Small bump purchase then issue a refund if they want to hide from the owner of the card.

      I have to monitor these "groups" as I need to make sure that none of my servers are being used in their scams. A good security guy keeps his eye on everything ! And yes we monitor IRC and other methods of chatter to see if any of our servers have been compromised.

      --
      This package Does Not Contain a Winner
  3. Seeing that by Kardos · · Score: 4, Insightful

    next to everybody's card has been stolen, is it time for everybody to get a new card? It'll make the stolen database worthless, as well as all other databases of stolen credit cards...

    1. Re:Seeing that by An+dochasac · · Score: 2

      This is similar to what Northern Irish banks did after the Northern bank robbery got away with 26 million pounds sterling a few years ago. They recalled all of the northern Irish cash. Rumor is that a member of the political wing of the old IRA was spotted burning cash in his back garden. This becomes much easier with credit cards and digital currency but isn't too difficult in a small country where banks are able to issue individually identifiable notes (much as the US once did.)

  4. Probably not worth a dollar... by jddeluxe · · Score: 4, Interesting

    My bank (Chase) has sent out new cards to anyone that had a transaction at Target during the time period they indicated of the breach, and many other banks/financial institutions have done likewise. The value of the purloined data is heading towards nil quickly.

    1. Re:Probably not worth a dollar... by Anonymous Coward · · Score: 3, Insightful

      Ah but those are debit cards not credit cards. If stuff happens with your wife's debit cards it's her money that's gone and she has to try to get it back from the bank/merchant.

      Whereas if they were credit cards, if stuff happens it's the bank/merchant's money that's gone and they'd have to try to get the money from her or their insurer or eat the loss.

      See the difference in urgency? ;)

    2. Re:Probably not worth a dollar... by jddeluxe · · Score: 2

      Mine was a Chase debit card, everyone else I know that is with Chase got an unsolicited new card if they shopped at Target during the breach period. If you fall into the same category and haven't received one I'd recommend contacting them.

  5. De Beers and OPEC by tepples · · Score: 3, Insightful

    And now you understand the dilemma of De Beers and OPEC, which have more diamonds and oil than they know what to do with and trickle them to the market to keep the price up.

  6. It has arrived! by Ol+Olsoc · · Score: 5, Funny

    Security through Ubiquity!

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:It has arrived! by ebno-10db · · Score: 3, Informative

      That's the latter day corollary to hiding something in plain sight.

  7. Spoiler alert by symbolset · · Score: 4, Funny

    The data was stolen by the company that prints the replacement cards.

    --
    Help stamp out iliturcy.
  8. Uh, it's not 40 million... by Patent+Lover · · Score: 3, Interesting

    It's 110 million. Yes about 1/3 of the U.S. population has used a credit card at Target. I pray they don't hit Wal Mart.

    1. Re:Uh, it's not 40 million... by DigiShaman · · Score: 4, Interesting

      Well given how successful this was on a Windows based POS system, just imagine all the restaurants, and bars that might be compromised too. I'm in agreement with what others have said; we need to go to the Chip-and-PIN system. If we are going to be replacing CC for potentially hundreds of millions of people, now is the time to make the switch. If the bank wants to charge me a few extra bucks for a fancy new card, do it. I'd rather have the peace of mind after this fiasco.

      --
      Life is not for the lazy.
    2. Re:Uh, it's not 40 million... by baker_tony · · Score: 4, Interesting

      Wait, American's aren't using chip and pin yet?

    3. Re:Uh, it's not 40 million... by cusco · · Score: 5, Insightful

      Our banks are run by people who play "executive musical chairs". If something will save the bank a million dollars over the next ten years, but nothing for the first three years, it won't get implemented because the executives will have rotated out to another company by the time the savings could affect their quarterly bonuses. Chip and pin would cost the banks money to implement, so it won't happen until you get a set of executives who can see further than the next board meeting.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  9. lying low by contrapunctus · · Score: 2

    ugh! lying low not laying low.

  10. Re:What me worry? by TheloniousToady · · Score: 5, Informative

    Actually, the merchant eats it - at least that's been my experience as a merchant. The ingestion process is called a chargeback. It's one reason why credit card issuers are so glad to make refunds to consumers. Merchants live in fear of chargebacks because not only do they lose the revenue, they also have to pay a penalty.

    As a merchant, you quickly figure out that it's best to accommodate any request for a refund, even if you think you're being treated unfairly. For example, I recently had a customer in another country who asked me to pay his local taxes on the sale I had just made to him. So I gave him a refund for the amount of the tax. Easy decision.

    (I shouldn't be telling you folks this, it's supposed to be a dirty little secret. Don't tell anybody else.)

  11. Paranoid much? by Anonymous Coward · · Score: 2, Insightful

    What kind of awful bank / credit card company do you have that charges you a replacement fee? I literally replaced my debit card and credit card without any fee, and my debit card was even replaced with a temporary one free of charge.

    Furthermore, most of them would likely prefer to send out a card rather than have to deal with claims of account fraud, which costs them money to investigate as well as to eventually replace.

    I'm no fan of the banks, but this is ridiculous.

    1. Re:Paranoid much? by ubergeek2009 · · Score: 2

      My bank sent me a replacement debit card in the mail without charge and without even asking. I just got a letter apologizing saying that my card may have been compromised, so they sent me a replacement the same way they would have if my card had expired, so no charge and a new card with a new number.

  12. Re:What me worry? by Solandri · · Score: 2

    The onus is upon the merchant to prove the charge was legit. For an in-store transaction, this usually means a copy of the signature on the credit card receipt. You send that to the credit card clearinghouse, they compare it to the signature the credit card company provides, and decide if the cardholder really made the purchase or not.

    For online transactions, you're pretty much SOL. The credit card companies provide tools to let you try to confirm the cardholder is legit before completing the transaction. e.g. Compare billing address and phone number to that provided by the purchaser (this is why gas station pumps require you to type in a zip code - they're not trying to collect marketing data, it's cross-checking what you type with the zip code on file for the card). The better cards also keep a list of authorized shipping addresses on file, and the merchant can decline the sale if the shipping address for the order doesn't match that on file. But if the customer makes a chargeback, all you can do is show the clearinghouse that you used the tools they provided and hope they decline the chargeback. Usually the customer wins no questions asked, and the merchant just eats the loss as a cost of doing business (like shoplifting).

    The banks and credit card companies have done a pretty good job making sure they don't pay anything for fraud (except the customer support rep's wages), all while charging exorbitant interest and fees purportedly to combat fraud. (In their defense, the interest and fees do pay for a different type of fraud - non-payment from customers, though I still think it's excessive.)

  13. only in theory. call the customer by raymorris · · Score: 2

    Theoretically, yes. Practically, it doesn't happen.
    You sell something. 40 days later, the customer calls their bank. The bank mails a form, which the customer receives 10 days later. They fill it in and mail it back. 14 days later, the bank deducts the amount from the merchant's receipts. Ten days after that, the merchant receives a letter saying they've been charged back for a transaction that occurred over two months ago. They money has already been taken from them, subtracted from recent sales.

    IF the merchant digs up a signed receipt, they can start the process to dispute the chargeback. 90 days later they'll just get another letter saying the customer now says the product wasn't as advertised.

    What HAS worked for me, in a small business, is to call the customer and start some friendly small talk. "Hi George, it's Ray from bettercgi.com. How was your vacation? ...". After establishing that human contact so the customer sees me as an actual person, I mention the chargeback. "I wanted to see if there was a misunderstanding because the bank sent me a letter saying you filed a fraud report against me...". When they are reminded of what the charge is for, I used to ask them to call the bank and cancel the chargeback. That involves the bank mailing another form for them to fill out, so that never ended up working. Now, I just get them to repay the amount. I end up eating the chargeback fee of about $39, plus the double processing fees. I then CALL them 20 days later and REMIND them what the charge is for because people who forget and charge back once tend to forget and charge back again.

    As a consumer, please keep in mind your credit card provides strong protection from FRAUD. When you call the bank and charge back, you are accusing someone of fraud.

  14. Re:What me worry? by TheloniousToady · · Score: 2

    The onus is upon the merchant to prove the charge was legit. For an in-store transaction, this usually means a copy of the signature on the credit card receipt. You send that to the credit card clearinghouse, they compare it to the signature the credit card company provides, and decide if the cardholder really made the purchase or not.

    In light of that, it fascinates me that those electronic signature gizmos at stores work so badly. Half the time, I can't even recognize my own signature because half of it's missing. I guess signature comparisons to dispute chargebacks must not happen very often - I assume that merchants just roll over and die most of the time. The fact that we're all faithfully made to sign on those things probably is just psychology to make us feel like we can't commit friendly fraud by disputing our own purchases.

  15. Re:What me worry? by black6host · · Score: 3, Interesting

    As for parent, I recall my boss telling me something about retail: It would be better to pay roughly 20% of the people who buy from you to walk away rather than deal with them, because the problems they'll have will ultimately cost you more.

    Somehow, as a favor to someone, I ended up managing the operations of a service based company for a short period of time. We would have customers that constantly were saying: "Do you know who I am?" Usually the past, past, past president of some condo association. Or customers who thought we'd starve without their business and make all kinds of unreasonable demands that would result in a loss to us. We'd let that happen maybe two or three times and when it became apparent that the customer's behavior was chronic I would simply tell them that our goal was to satisfy our customers in every way and obviously we were unable to meet their needs. We valued their satisfaction and felt they would be better served by another company. I'd then suggest a competitor for them to call. The reactions were priceless! They couldn't believe they were being "fired". It helped us two ways. First, it freed up our resources to service the customers who appreciated being treated fairly (and we really were service oriented, money back guarantee on everything.) Second, by the time our competitor figured out what kind of customer they just took on they had suffered the loss.

    This was a service industry where there was more work to do than we had people to do it so there really was no loss to us in culling the bad ones. Offtopic I know but maybe someone will benefit from our experience.

  16. Get the whole bundle for $35? by dunnomattic · · Score: 2

    Does the stolen-card pusher take plastic?

    1. Buy 1 stolen card for $35
    2. Buy x stolen cards using a previously acquired stolen card
    3. Wash/Rinse/Repeat
    4. ???
    5. Profit

    --
    ...when everything is a crime, everyone is a criminal.