The “Target Breach Flood” Is Already Appearing On The Carder Black Market; Target Reacts

In a deliciously detailed post, security writer Brian Krebs has explained the path taken by credit card numbers stolen in the Target breach on their way to the carder black market. Krebs has far more information in his post, but he’s discovered that some card shops have created Target-only sections for the trove of numbers.

Krebs described visiting a particularly infamous card shop where he and an anonymous bank representative found sets of cards belonging to a “base” called Tortuga. In carder slang, a base is simply a source of cards. And Tortuga cards, according to Krebs, belonged to a set of numbers stolen from Target stores. Amazingly, many of the cards included zip code or state data, which lets a buyer circumvent fraud protections, since many banks automatically treat out-of-state card purchases as suspect.

How quickly did customers react on hearing about the breach? Clearly not fast enough:

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

Should you be worried? If you shopped in a physical Target store and swiped your credit or debit card there between November 27 and December 15, then the answer is “Yes.” However, thieves cannot fully recreate your card and, say, withdraw cash from your account or make an online purchase. Target media representative Molly Snyder wrote:

1. At this time, there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash.
2. We have no indication that the data that was inappropriately accessed included a guest’s date of birth or social security number.
3. The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase.

Target CEO Gregg Steinhafel said that customers can enjoy a brief discount on everything at the store as well as free credit monitoring for a year.

“We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

The small bank that Krebs assisted in exploring the carder site will probably re-issue all 5,300 of its customers’ cards after Christmas. That just leaves thirty-nine million nine hundred ninety-four thousand seven hundred more cards to check for fraud.