40m card numbers stolen from Target

Target has a lot of customers who take advantage of the 5% off everything with their RedCard. From a practical perspective, it seems like RedCards would have a much lower value on the underground CC markets, but how much lower? Any idea how a store CC compares to a Visa or MasterCard? There certainly are a lot fewer places to use a compromised store CC.

No worries. Apparently the Secret Service had a previously unfamiliar past!

Actually, RedCard credit cards are Visa credit cards and can be used anywhere that accepts Visa – not just at Target stores. So they’d be worth just as much on the stolen-CC market as any other CC.

And as a general reply to this news: ugh. My husband had all his credit and debit card numbers stolen and cloned last year – all used in local brick and mortar stores on the same day, within a couple hours, enough to completely clean out our checking account and max out our credit limits. It was a giant pain in the butt. Even though we discovered it immediately and weren’t ultimately responsible for any of the fraudulent charges, it was still several days before the charges were actually reversed, which meant the only money we had during that time was what we could pull out of savings (and of course, transferring money from savings to checking takes a few days).

I really don’t want to have to deal with that again. And I’ve definitely been to Target a couple of times within the stated time frame, so they probably did get my card. Ugh.

(We never did figure out how the card numbers were stolen last time. My guess is visually undetectable skimmers at a gas station, left in place long enough for my husband to have used different cards over time, and then harvested all at once.)

Actually, RedCard credit cards are Visa credit cards and can be used anywhere that accepts Visa – not just at Target stores. So they’d be worth just as much on the stolen-CC market as any other CC.

Target no longer offers the Target Visa Card to new applicants. The new RedCards (either credit or debit) work only at Target and have a 10 digit number which doesn’t pass the Visa card checksum - ergo, they are not Visa cards.

Huh. Was not aware of that. Thanks for the correction!

Most likely this theft involved a piece of malware sitting in between the stores’ POS system and the payment processing networks. Large retailers like Target use software to manage the individual terminals - pushing out updates, etc… This software is usually centrally managed from the Home Office. The card data is transmitted from each cash register terminal to a server inside each store and then out to the payments processing networks. Just like a keylogger on a PC, it’s not too difficult to intercept the raw Track 2 data from each card swipe and use it to construct counterfeit cards.

So in essence, it’s really the same thing as getting it right from the point of sale only a lot more efficient than visiting all 1000+ stores.

Hard to imagine this didn’t involve some kind of inside help to pull this off though because these servers are generally not exposed to the Internet.

1 Like

These are called Private Label cards and are processed internally (sometimes referred to as “Closed Loop”). These transactions are never sent externally to Visa/MC/AMEX, etc. (aka “Open Loop”).

The first 6 digits are called the BIN (bank identification number) and Amex cards all start with 3; Visa starts with 4; MC starts with 5; and Discover start with 6. This is one way to know at a glance who the payment processor is.

This topic was automatically closed after 4 days. New replies are no longer allowed.