40m card numbers stolen from Target

So this is the one that’s going to trigger an overhaul in how we pay for things, right? Instead of bolting on “sms fraud alerts” to an aging and poorly implemented system?

Did I just hear a cricket chirp?

2 Likes

Well you still have passwords to protect your accounts - as long as no one can get hold of or get around the answers to security questions like your mother’s maiden name and color of your first car. No one will ever be able to crack that military grade security.

4 Likes

I don’t know, does anyone else feel like this is fishy? I have a difficult time believing a band of Target thieves went to ALL of the stores throughout the US and planted these magnetic strips. I just wonder whether the breach had more to do with the government harming security through backdoors on internet systems and a criminal hack finding their way in. (Unless this was a massive inside job). And why is the Secret Service investigating this? Since when does the Secret Service involve itself in this type of theft?

1 Like

Well, I can’t get past the security questions on one of my accounts – I tried to be clever in my answers and quickly forgot the “obvious” substitutions that I made.

That’s okay, since you weren’t required to use any special characters, probably any old password hacking program can figure your answers out for you.

Um. Since its founding?

Today the agency’s primary investigative mission is to safeguard the payment and financial systems of the United States. This has been historically accomplished through the enforcement of counterfeiting statutes to preserve the integrity of United States currency, coin and financial obligations.

Source

1 Like

What do passwords and security questions have to do with the fact that all the systems we use to move money between institutions in the US are horribly insecure?

Hell, ACH is based on trust and “well, no one complained, so this transaction must be good.”

The systems are horribly outdated and seem to not be based on any modern concept of banking and security.

1 Like

Umm, who said anything about thieves planting magnetic strips anywhere? This breach occurred over the network. Someone just sat grabbing every bit of data as the stores were transmitting through some central point.

1 Like

Sorry, I stand corrected.

It was in a previous article I read. That was what they were putting out there initially.

Rogue software installed on Target card readers believed used to steal data

This article made it sound as if it was the point of sale, while swiping the magnetic card strip.

1 Like

Thanks, I updated the post. That dateline format is pretty annoying, yep.

Me too! And I even got a special card JUST for buying stuff ONLINE where I only put the exact amount in the account after I bought something. Otherwise the balance is 7 bucks or zero and there is NO overdraft protection (with associated fees). This means that if the number is swiped and they try to use it they can’t.

But this PISSES me off.

BTW I talked to someone who said after these thefts the banks have decided that it is cheaper to replace cards AFTER they have been used in some kind of crime than replace all 40 million cards. They are counting on the fact that their systems for fraud will find the unusual activity first.

2 Likes

Target has a lot of customers who take advantage of the 5% off everything with their RedCard. From a practical perspective, it seems like RedCards would have a much lower value on the underground CC markets, but how much lower? Any idea how a store CC compares to a Visa or MasterCard? There certainly are a lot fewer places to use a compromised store CC.

No worries. Apparently the Secret Service had a previously unfamiliar past!

Actually, RedCard credit cards are Visa credit cards and can be used anywhere that accepts Visa – not just at Target stores. So they’d be worth just as much on the stolen-CC market as any other CC.

And as a general reply to this news: ugh. My husband had all his credit and debit card numbers stolen and cloned last year – all used in local brick and mortar stores on the same day, within a couple hours, enough to completely clean out our checking account and max out our credit limits. It was a giant pain in the butt. Even though we discovered it immediately and weren’t ultimately responsible for any of the fraudulent charges, it was still several days before the charges were actually reversed, which meant the only money we had during that time was what we could pull out of savings (and of course, transferring money from savings to checking takes a few days).

I really don’t want to have to deal with that again. And I’ve definitely been to Target a couple of times within the stated time frame, so they probably did get my card. Ugh.

(We never did figure out how the card numbers were stolen last time. My guess is visually undetectable skimmers at a gas station, left in place long enough for my husband to have used different cards over time, and then harvested all at once.)

Actually, RedCard credit cards are Visa credit cards and can be used anywhere that accepts Visa – not just at Target stores. So they’d be worth just as much on the stolen-CC market as any other CC.

Target no longer offers the Target Visa Card to new applicants. The new RedCards (either credit or debit) work only at Target and have a 10 digit number which doesn’t pass the Visa card checksum - ergo, they are not Visa cards.

Huh. Was not aware of that. Thanks for the correction!

Most likely this theft involved a piece of malware sitting in between the stores’ POS system and the payment processing networks. Large retailers like Target use software to manage the individual terminals - pushing out updates, etc… This software is usually centrally managed from the Home Office. The card data is transmitted from each cash register terminal to a server inside each store and then out to the payments processing networks. Just like a keylogger on a PC, it’s not too difficult to intercept the raw Track 2 data from each card swipe and use it to construct counterfeit cards.

So in essence, it’s really the same thing as getting it right from the point of sale only a lot more efficient than visiting all 1000+ stores.

Hard to imagine this didn’t involve some kind of inside help to pull this off though because these servers are generally not exposed to the Internet.

1 Like

These are called Private Label cards and are processed internally (sometimes referred to as “Closed Loop”). These transactions are never sent externally to Visa/MC/AMEX, etc. (aka “Open Loop”).

The first 6 digits are called the BIN (bank identification number) and Amex cards all start with 3; Visa starts with 4; MC starts with 5; and Discover starts with 6. This is one way to know at a glance who the payment processor is.
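
As an added illustration (not part of any post in this thread), the following Python sketch applies the first-digit rule of thumb and the card checksum mentioned above, and shows why a 10-digit private-label number is not accepted as an open-loop card. The per-network length table, the function names and the sample numbers are assumptions made for this example; the 16- and 15-digit samples are widely published test numbers, and the 10-digit one is made up.

```python
import re

# First-digit rule of thumb quoted in the thread (not a full BIN table).
NETWORK_BY_FIRST_DIGIT = {"3": "Amex", "4": "Visa", "5": "MasterCard", "6": "Discover"}
# Common PAN lengths per network (assumed here for illustration).
COMMON_LENGTHS = {"Amex": {15}, "Visa": {13, 16, 19}, "MasterCard": {16}, "Discover": {16, 19}}


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(number) > 0 and total % 10 == 0


def classify(raw: str) -> dict:
    """Report which open-loop network, if any, a number plausibly belongs to."""
    number = re.sub(r"[ -]", "", raw)
    if not (number.isascii() and number.isdigit()):
        raise ValueError("card number must contain only digits, spaces or dashes")
    candidate = NETWORK_BY_FIRST_DIGIT.get(number[0])
    length_ok = candidate is not None and len(number) in COMMON_LENGTHS[candidate]
    checksum_ok = luhn_valid(number)
    return {
        "network": candidate if length_ok and checksum_ok else None,
        "length_ok": length_ok,
        "checksum_ok": checksum_ok,
    }


def mask(raw: str) -> str:
    """Mask a number for logs: keep the first six and last four digits at most."""
    number = re.sub(r"[ -]", "", raw)
    keep_head = 6 if len(number) >= 13 else 0
    return number[:keep_head] + "*" * (len(number) - keep_head - 4) + number[-4:]


if __name__ == "__main__":
    # Constructed samples: published test numbers plus a made-up 10-digit store-card number.
    for sample in ("4111 1111 1111 1111", "5555555555554444", "378282246310005", "1234567890"):
        print(mask(sample), classify(sample))
```

The checksum only catches typos and malformed numbers; it says nothing about whether an account exists or is in good standing.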
