Cards Stolen in Target Breach Flood Underground Markets

I was just thinking whether I had ever bought anything at Target, and then remembered, yes, but that&#x27;s 7 years ago, and I&#x27;ve gotten new credit cards since. But then I wondered which other online services I had used with my credit card, and it occurred to me how awesome it would be if I had one-time throw-away credit cards, that I could use for only one purchase at one retailer and then throw it away. Now, I know that gift cards work this way, and could theoretically be used in such a way, but they&#x27;re usually locked to a specific retailer or one can&#x27;t use them for online purchasing.<p>Then I realised that, really with all the flack it is getting, Bitcoin is such a solution. Once the conversion from $ to BTC is done, there&#x27;s no way to get your credit card data or anything. You&#x27;re practically immune against any data theft at the place where you&#x27;re purchasing. Now, of course the problem only shifted as you have to guard your private keys now, but that&#x27;s more or less a question of tooling and usability of proper BTC clients (which hopefully come up in the future). I&#x27;d rather have the valuable information stored in an open source application used by millions with strong code review, than in a closed source web app where an intern wrote the code in php and forgot the salt or stored everything plaintext.<p>This alone sounds to me like a pretty strong incentive.

Recent stolen credit card number story:<p>Last week I got an email saying I made a $1,000 payment on my credit card. Except, I didn&#x27;t. It wasn&#x27;t bill pay time of the month. I brushed it off as a well formatted spam.<p>An hour later, it still bothered me. I logged in to check. Yup, there was a $1,000 payment recorded as of 4am my local time the same day. WTF? Oh, look, there&#x27;s also fraudulent charges showing up now. How odd.<p>It turns out: my card didn&#x27;t have enough free on the credit line for the losers to buy their xbox, so they <i>called in</i> and requested a $1,000 payment from my bank account on file. The credit card company happily issued it, my credit limit increased by $1,000, then the guy went out and bought his xbox.<p>While I was on the phone explaining this to the credit card company, three more fraudulent charges showed up in pre-auth.<p>Incompetents all around (except for whoever stole my credit card number).<p>The whole &quot;stolen credit card number&quot; doesn&#x27;t hurt very much (since all bad charges are covered), but what <i>really</i> is annoying is someone getting away with purchasing things fraudulently.

Personal anecdote and tips:<p>I had my debit card skimmed at a local gas station in October. Within a couple hours, it was being used at stores in Los Angeles. I live a 3+ hour drive from LA so there&#x27;s no way the skimmer&#x2F;data was physically taken down there–the data had to have been transferred (cell?) to someone down there pretty quickly.<p>My card was used at a restaurant and a few different stores, but several times per store. Total amount charged was about $2K. All purchases were &lt; $100 and most purchases were for very even amounts at drug stores. Based on research, this is because buying gift cards is a favorite use of stolen cards. Gift cards can be turned into cash online for about 75-85 cents on the dollar.<p>Chase was very good about freezing the card and crediting back all the fraudulent charges.<p>TIPS:<p>- Use cash or a gas card for gas OR at the very least, use a pump close to the cashier<p>- Debit cards have a reputation for having less protection than credit cards. At least at Chase, this is no longer true. Chase has zero-liability for unauthorized debit card purchases [1]<p>- Check your online banking often<p>- Don&#x27;t rely on your bank&#x27;s automated fraud detection. Most alerts I&#x27;ve received from Chase have been false positives (legitimate purchases while traveling).<p>[1] <a href="https://www.chase.com/checking/debit-cards" rel="nofollow">https:&#x2F;&#x2F;www.chase.com&#x2F;checking&#x2F;debit-cards</a>

I bought something from Target in this window with a credit card (Wells Fargo).<p>I called them up to proactively report it stolen - the problem is they will immediately deactivate your current card and it takes 7-10 business days for the new one to show up. It is not possible to get a 2nd card number without deactivating the first (to avoid a no-card for 2 weeks situation). Or you can have them overnight it to you for $16.<p>Kind of annoying to pay $16 for a merchant error, or to not have your primary card for 2 weeks during the holiday season (and also the card you use to pay all service bills like cable tv, internet, city&#x2F;trash&#x2F;water etc).<p>Ultimately I decided to do nothing and just keep a close eye on account activity until January when it is less inconvenient to wait for the new one.

My wife shopped at Target twice, both times outside of the period given for the breach. I think we are still going to get the cards replaced just to err on the side of prudence.<p>I find myself wondering how this might affect Target. I almost never shop there myself. My wife, on the other hand, might have shopped there once a month or once every couple of months. Yesterday she told me she is not going back. Ever. There have to be other people on the same boat.<p>It&#x27;ll be interesting if they ever release information on how exactly the breach was orchestrated. My biggest question is about all of that data moving about Target&#x27;s distributed system without any encryption whatsoever. At least that&#x27;s what it sounds like. The data capture had to be done at some central point in their infrastructure in order to affect some 1,800 stores.<p>Again, all of that data from 1,800 stores got to a central repository of some sort completely unprotected? Why isn&#x27;t that information stored and limited to the within the walls of each store? It&#x27;d sure limit the exposure, well, a factor of 2,000. Anything leaving the walls of a store needs to be encrypted.<p>Perhaps someone with more experience in brick-and-mortar payment infrastructures of this kind can comment on this?

I had an interesting thing happen a few months ago. I kept having my credit card used for fraudulent charges, but they weren&#x27;t buying TVs or electronics, just small purchases at Dollar General and gas stations in Texas. I was really confused. So I had the card cancelled and another issued, and there again it was being used in another state. This happened three times within a couple months. I have no idea how or why as I&#x27;m very careful purchasing things online and in person. I finally changed my PIN and it stopped. I don&#x27;t know why or how they were using my card with my pin, but either by coincidence or luck that fixed it.

From the screenshot in that article, it looks like Target stored not just the credit card number, but also expiration date and full magnetic track information, including CVV1.<p>Why in the world would they do that? I would lose a lot of sleep over if I had to store just name and card number, but at least I could see some use for that. For example, you could look up a customer’s past purchases for returns or warranty claims.<p>Why did Target want to store the expiration date, so the card could be used on online stores that don’t check CVV2, and the magnetic track info with CVV1 so the cards can be cloned?

I got a notification from simple last night that said they would be sending me a new card because I shopped at Target, but that my old would still work until the new one was activated.<p>Great service and I didn&#x27;t even have to do anything.<p>Cheers simple!

So is it worth replacing my debit card and updating numerous automated payments that bill it, or just closely monitor my banking activity (like I already do)?

So... What&#x27;s the best way to find out if your card was caught up in the breach?

<i>Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.</i><p>No fucking way (pardon my French)!<p>I haven&#x27;t seen anyone comment on this yet, but doesn&#x27;t this seem <i>incredible</i>? I.e. I don&#x27;t believe it.<p>Am I to accept that transfers of $20,000,000 to $100,000,000 ($20 to $100 times a batch of 1 million) are occuring in payment for these cards.<p>Bullshit. I just don&#x27;t believe it. This theft is now widely known. So no way that someone is going to plunk down $100,000,000 just to get a small portion of this info.<p>Again, bullshit. IMO. It just doesn&#x27;t make sense.

Ironically we only used Targets Red debit card. Can only be used at target and has a pin. Of all our cards that was the &#x27;best&#x27; one we could have used in this case. We just changed the pin, even though no pins were taken.

As I mentioned in a pair of comments in an earlier thread,[1][2] I live so close to the local Super Target (walking distance), that we end up shopping there even though we like other stores better. But from now on, we will pay only in cash, and if that limits our purchases at Target, well that&#x27;s too bad for Target.<p>[1] <a href="https://news.ycombinator.com/item?id=6934787" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=6934787</a><p>[2] <a href="https://news.ycombinator.com/item?id=6936175" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=6936175</a>