Forgot your password?
typodupeerror
Security

Target Hackers Have More Data Than They Can Sell 118

Posted by Soulskill
from the embarrassment-of-riches dept.
itwbennett writes "The hackers who stole millions of credit card numbers from Target customers are probably 'laying low knowing that everyone is looking for them,' says Alex Holden, who runs cybercrime consultancy Hold Security. But it's also likely that they can't sell them: 'You can imagine that having a lot of stolen credit cards will not net the hackers, say $35 per card for all 40 million,' said Holden. 'Even if the hackers are willing to sell cards for $1 a card, no one will buy the stolen goods in these amounts.'"
This discussion has been archived. No new comments can be posted.

Target Hackers Have More Data Than They Can Sell

Comments Filter:
  • The TargetCardCoin
    • Don't they already offer The Red Coin?

  • Stupid People (Score:4, Insightful)

    by Anonymous Coward on Tuesday January 14, 2014 @10:04PM (#45960627)

    You can always reduce things. They can sell a smaller subsets.

    • Re:Stupid People (Score:4, Insightful)

      by PPH (736903) on Tuesday January 14, 2014 @10:43PM (#45960885)

      But the buyers know (roughly) how many cards are available. The media has seen to that. So they know its a buyers' market.

    • by Anonymous Coward

      This is so fucking obvious that it is really really sad somebody had to point it out.

      • by Anonymous Coward

        It's also fucking obvious that the second set they sell will be worth about 10 cents since everyone will have canceled their cards by then.

    • Re:Stupid People (Score:5, Informative)

      by jeffmeden (135043) on Tuesday January 14, 2014 @11:14PM (#45961105) Homepage Journal

      You can always reduce things. They can sell a smaller subsets.

      This. Thefuck is this article? The guy who broke the breach [krebsonsecurity.com] also pointed out where the cards were getting sold at [krebsonsecurity.com] too. This article is a muse on a blog by a supposed "pundit" (pundit, n.: one whose insistence of credibility is the only thing greater than their ignorance).

      • by Fnord666 (889225)
        What do you expect from a guy who says the following:

        Cybercriminals often advertise the kind of data they've captured from the card's magnetic stripe, which has three so-called "tracks," each containing data.

        News flash. They are called tracks because they are tracks on a magnetic recording tape. Nothing "so called" about it.

        • News flash. They are called tracks because they are tracks on a so called "magnetic recording tape". Nothing "so called" about

          FTFY

  • Maybe they did it for the lulz.
  • Seeing that (Score:5, Insightful)

    by Kardos (1348077) on Tuesday January 14, 2014 @10:14PM (#45960693)

    next to everybody's card has been stolen, is it time for everybody to get a new card? It'll make the stolen database worthless, as well as all other databases of stolen credit cards...

    • by symbolset (646467) * on Tuesday January 14, 2014 @10:48PM (#45960921) Journal
      The data was stolen by the company that prints the replacement cards.
    • This is similar to what Northern Irish banks did after the Northern bank robbery got away with 26 million pounds sterling a few years ago. They recalled all of the northern Irish cash. Rumor is that a member of the political wing of the old IRA was spotted burning cash in his back garden. This becomes much easier with credit cards and digital currency but isn't too difficult in a small country where banks are able to issue individually identifiable notes (much as the US once did.)
  • by jddeluxe (965655) on Tuesday January 14, 2014 @10:17PM (#45960721)
    My bank (Chase) has sent out new cards to anyone that had a transaction at Target during the time period they indicated of the breach, and many other banks/financial institutions have done likewise. The value of the purloined data is heading towards nil quickly.
    • by Anonymous Coward

      This is not true. Chase has not sent everyone a card. My wife had two transactions at target on two different debit cards and has not received a new card from either bank.

      • Re: (Score:3, Insightful)

        by Anonymous Coward
        Ah but those are debit cards not credit cards. If stuff happens with your wife's debit cards it's her money that's gone and she has to try to get it back from the bank/merchant.

        Whereas if they were credit cards, if stuff happens it's the bank/merchant's money that's gone and they'd have to try to get the money from her or their insurer or eat the loss.

        See the difference in urgency? ;)
        • by grim4593 (947789)
          I have a debit card from TCF bank and they sent out notices that their VISA debit cards were covered by the same VISA zero-liability-policy as their credit cards. Regardless, I didn't purchase anything at Target.
    • by jddeluxe (965655)
      Mine was a Chase debit card, everyone else I know that is with Chase got an unsolicited new card if they shopped at Target during the breach period. If you fall into the same category and haven't received one I'd recommend contacting them.
    • by TubeSteak (669689)

      The value of the purloined data is heading towards nil quickly.

      I just got a robo call today that I'll be getting a new credit card (number) soon.
      My current number will still be good till the end of the month.

      So at least for my issuer, that's how long the criminals have to commit some fraud.

    • by bobjr94 (1120555)
      Thats what I was thinking. Many people I know had received new cards and the old ones deactivated. I guess even if 20% of these old cards are still valid, thats still a huge number. Some banks like Chase even have setup phones lines just to deal with target related calls. Myself, my card number was stolen from Harbor Freight Tools in October in a nation wide security breach.
  • De Beers and OPEC (Score:3, Insightful)

    by tepples (727027) <[moc.liamg] [ta] [selppet]> on Tuesday January 14, 2014 @10:18PM (#45960723) Homepage Journal
    And now you understand the dilemma of De Beers and OPEC, which have more diamonds and oil than they know what to do with and trickle them to the market to keep the price up.
  • So they dump a small portion of them for free all over the place. If some who use it get busted it's a smoke screen but they can claim they're freedom fighting Robyn Hoods or something. My bank can only dock me $50 except that I have a plan that is free which means I don't get docked squat the bank eats it.

    • by Anonymous Coward

      So they dump a small portion of them for free all over the place. If some who use it get busted it's a smoke screen but they can claim they're freedom fighting Robyn Hoods or something.

      You took that right out of the Ed Snowden game plan, didn't you? ;)

    • Re:What me worry? (Score:5, Informative)

      by TheloniousToady (3343045) on Tuesday January 14, 2014 @10:57PM (#45960973)

      Actually, the merchant eats it - at least that's been my experience as a merchant. The ingestion process is called a chargeback [wikipedia.org]. It's one reason why credit card issuers are so glad to make refunds to consumers. Merchants live in fear of chargebacks because not only do they lose the revenue, they also have to pay a penalty.

      As a merchant, you quickly figure out that it's best to accommodate any request for a refund, even if you think you're being treated unfairly. For example, I recently had a customer in another country who asked me to pay his local taxes on the sale I had just made to him. So I gave him a refund for the amount of the tax. Easy decision.

      (I shouldn't be telling you folks this, it's supposed to be a dirty little secret. Don't tell anybody else.)

      • by Anonymous Coward

        Chargebacks are definitely annoying for physical merchants, but are even worse if you're selling stuff online or have a presence in more than one state. I did some work for a company that sells specialized sports equipment and has stores in four or five states, as well as selling things at various events. The problem was that due to the way their payment system worked, they had to present their physical location - their main store in my state - on every transaction. So many people who bought things on the r

        • Re:What me worry? (Score:4, Interesting)

          by black6host (469985) on Wednesday January 15, 2014 @10:14AM (#45964543)

          As for parent, I recall my boss telling me something about retail: It would be better to pay roughly 20% of the people who buy from you to walk away rather than deal with them, because the problems they'll have will ultimately cost you more.

          Somehow, as a favor to someone, I ended up managing the operations of a service based company for a short period of time. We would have customers that constantly were saying: "Do you know who I am?" Usually the past, past, past president of some condo association. Or customers who thought we'd starve without their business and make all kinds of unreasonable demands that would result in a loss to us. We'd let that happen maybe two or three times and when it became apparent that the customer's behavior was chronic I would simply tell them that our goal was to satisfy our customers in every way and obviously we were unable to meet their needs. We valued their satisfaction and felt they would be better served by another company. I'd then suggest a competitor for them to call. The reactions were priceless! They couldn't believe they were being "fired". It helped us two ways. First, it freed up our resources to service the customers who appreciated being treated fairly (and we really were service oriented, money back guarantee on everything.) Second, by the time our competitor figured out what kind of customer they just took on they had suffered the loss.

          This was a service industry where there was more work to do than we had people to do it so there really was no loss to us in culling the bad ones. Offtopic I know but maybe someone will benefit from our experience.

      • by Anonymous Coward
        BITCOINS for the WIN! :P
        • From a merchant's point of view, a system like Bitcoin that puts the merchants back in control of refunds sure sounds appealing. However, I believe most customers appreciate the security of having a third party like a credit-card issuer to go to when there is a dispute. In starker terms, customers enjoy the power they currently hold. So, if the use of Bitcoin eliminates fraudulent chargebacks but reduces overall sales, it still may not be in the merchant's best interest.

          Also, from the merchant's point of

  • by Ol Olsoc (1175323) on Tuesday January 14, 2014 @10:38PM (#45960847)
    Security through Ubiquity!
  • by Patent Lover (779809) on Tuesday January 14, 2014 @10:53PM (#45960939)
    It's 110 million. Yes about 1/3 of the U.S. population has used a credit card at Target. I pray they don't hit Wal Mart.
    • by DigiShaman (671371) on Tuesday January 14, 2014 @11:05PM (#45961025) Homepage

      Well given how successful this was on a Windows based POS system, just imagine all the restaurants, and bars that might be compromised too. I'm in agreement with what others have said; we need to go to the Chip-and-PIN system. If we are going to be replacing CC for potentially hundreds of millions of people, now is the time to make the switch. If the bank wants to charge me a few extra bucks for a fancy new card, do it. I'd rather have the peace of mind after this fiasco.

      • by baker_tony (621742) on Tuesday January 14, 2014 @11:32PM (#45961231) Homepage

        Wait, American's aren't using chip and pin yet?

        • by Xeno man (1614779)
          No they are not, that would require change and as we all know, Americans fear change.
          • Fear of change is not applicable in this case. As with converting to the metric system, the holdback from Chip-and-PIN is pure momentum of an established system. That, and the up-front cost to make the change. Everyone I knows agrees that the metric system is better, but we're kinda stuck with it because a concerted effort to change is a vast undertaking. To do so would be the equivalent of an American Moonshot part II. The very idea is epic in its own right.

        • by mewsenews (251487)
          They'll get to it. Right after they switch to metric
        • by cusco (717999) <brian.bixby@gmai l . c om> on Wednesday January 15, 2014 @02:00AM (#45962157)

          Our banks are run by people who play "executive musical chairs". If something will save the bank a million dollars over the next ten years, but nothing for the first three years, it won't get implemented because the executives will have rotated out to another company by the time the savings could affect their quarterly bonuses. Chip and pin would cost the banks money to implement, so it won't happen until you get a set of executives who can see further than the next board meeting.

    • by cdrudge (68377)

      The 110m number is comprised of 40m credit and debit cards as well as personal data of 70m individuals. The latter includes names, addresses, phone, and email records but not credit/debit card.

      The 40m cards is not 40m customers, as customers may have used multiple cards during the breach. The 70m customer with stolen personal data also likely has a huge overlap with the 40m cards.

      I can guarantee that almost all of that personal data is very readily available on public lists already, diminishing the impact

  • by contrapunctus (907549) on Tuesday January 14, 2014 @10:54PM (#45960959)

    ugh! lying low not laying low.

  • by Anonymous Coward

    Supposedly one bank had already figured out the Target hack happened before Target announced it by buying back some of their own card data and checking the common point of purchase:
    http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

  • To borrow from the Graduate, plastic has no future - is it really necessary to possess physical plastic cards and scan them? Not at all, the future is biometric/electronic/e-wallets and in at least one large retailer's case, regular customers will be able to walk out of the door without ever approaching a cash register.
    • by kesuki (321456)

      "in at least one large retailer's case, regular customers will be able to walk out of the door without ever approaching a cash register."

      rfid tags and 'walk through' charging is dubious at best. imagine a small smartphone app that jams the rfid tag signal with its own, at close range quite a bit can be stolen.

  • I find this difficult to believe; for one the data can simply be sold off in smaller chunks, and secondly because there exist fences for this type of product that would be willing to purchase the data at a low-ball price and sit on it until the right buyer is found.
    • by DarkOx (621550)

      Moreover the data has to be sold in chunks anyway. The card info pretty much has to be used in the region in which it was purloined. They don't have the CCV codes, so mostly they will need to make counterfeit cards and use them at physical locations, online will be difficult. There is already evidence the cards are being used in the region they were stolen from, and that makes sense to do otherwise would trip everyone's fraud monitoring.

      So they are not trying to sell the whole grab to anyone to begin wit

  • Since it sounds like we are near the point where everybody's credit card will need replacing anywayâ¦. how about this?

    Under the current credit card system, when I want to purchase something from Target (or from anybody else), I send them my name, credit card number, billing address, and security code. Anyone who has this information is able to bill any number of charges to my account, in any amount, for as long as they want to (or until I catch on and cancel the card).

    That seems like a bit too mu

  • Not a bad problem to have from a hacker's point of view. As Mae West said, "Too much of a good thing can be wonderful."

  • This is stupid. Starting with the title:

    "Target Hackers Have More Data Than They Can Sell" - so what? And based on what? Any guarantees?

    "But it's also likely that they can't sell them" - but that leaves the possibility that they can, right?

    "no one will buy the stolen goods in these amount" - why not? And why would they need to sell ALL to the same buyer? Couldn't they sell them in batches?

    .
    • by azadrozny (576352)

      We need to think of this like spam, where the cost of sending the second and subsequent spam messages is negligible. Even if these guys can't sell 95% of the card numbers they collected, it did not cost them much to collect them. Even to sell 1% of their take at $35 ea. is a lot of money. The volume is key here.

  • Implying they haven't been selling them in smaller batches.

  • I mean, if you are in business of stealing something to sell, you can never have "too much". You just have to sell in packets or whatever is the usual instead of advertizing "hey! Anybody wanna buy 110 million CCs wink, wink, nudge, nudge!".
    But most importantly, they had been stealing at least since November. And CCs are a "commodity" with an expiration date. You think if they wanted to sell them they have sat on them for all these months (when there was supposedly no "problem" finding buyers), waiting for

  • Bull. They will be selling these numbers for months. Many of the people who were impacted by this will never follow up by changing credit cards and pins. A large percentage of these numbers will remain valid until used.

      What we are going to see is more large scale attacks because these gray and black hat hackers have access to vast resources. Stolen credit cards are a favorite for buying cloud hosting.

  • I think that the current US magnetic strip EMV credit card days are numbered.

    Some form of two factor authentication should follow, which limits the vulnerability of the card information. Most european EMV credit cards use a Chip and PIN method of authentication, but the expense of these cards have been a deal breaker so far.

    The heist is so big, I sometimes wonder, if it was done to destabilize the current US credit card system.

    • The Credit "industry" is one of the few big industries the USA still has. Cheap bastards never had a legitimate excuse - they simply do not want to spend the money or be the 1st one and compete with that extra overhead.

      If they really cared about the issue and their losses (which I'm sure they have clever uses for,) they would LOBBY the US Government and regulation mandating chips would have happened already. The losses have to be significant enough.

      Given the CIA was involved a while ago already and it lik

  • Let's face it - credit cards are insecure. They always have been, and they still are. I have long operated under the assumption that all of my cards are compromised, but that someone hasn't gotten around to making use of them yet. Even 20+ years ago when I was trading cards using stolen voicemail boxes, we had more cards than we knew what to do with. Sure, there are organized gangs now using smurfs to work the cards, but they're still few in number. When you have say, 1/2 of all credit cards at your di

  • At least they didn't shoot someone then leave the goods laying there on the floor like idiots. Good for them, and go to jail. There are laws against that kind of griefing in this MMO.
  • Now you too can own stolen credit card to buy all your online pr0n! All for the limited cost of $1. Nothing could be easier! Simply pay by Credit Card! No hassle!

  • Does anyone have that website handy where you can enter your card number to see if it was stolen? That could be pretty helpful for people to figure out their risk level here...
    • by tlhIngan (30335)

      Does anyone have that website handy where you can enter your card number to see if it was stolen? That could be pretty helpful for people to figure out their risk level here...

      Sure, reply to this message and I'll look it up for you.

      Of course, you might want to really consider what you're asking here... if a website claimed to have a list, they could use your lookup to verify your data. If they don't, they could use your lookup to add it to the list.

      If you're not sure, call your bank. They'll issue you a new

  • Does the stolen-card pusher take plastic?

    1. Buy 1 stolen card for $35
    2. Buy x stolen cards using a previously acquired stolen card
    3. Wash/Rinse/Repeat
    4. ???
    5. Profit

Genius is ten percent inspiration and fifty percent capital gains.

Working...