Credit Cards Compromised

After poking about on the subject, a few things that could make this problem even worse.
We tend to think of our credit cards or debit cards as having a limit... ie. the credit card company would question sudden activity and stop the charges, or that the debit card risk would, at worst, be limited to the amount in your account. This may not be the case. The biggest fear would be having your identity stolen. More later...

While the details are not yet out, it seems apparent that the stolen information did not come from "skimmers", which would take a long time, and be limited to the information in the machine at the time... Suspicion is that the hacking went into a central system, and that the general area of the hacking was somewhere in Vietnam. This is an even worse problem, because of jurisdictional limits for investigation.

One guess as to the potential comes from this scenario. Hackers take the 40+million records, which includes name, account number and security code, and possibly address information (not sure about that)... and then package these records in groups of 1,000, selling them off to mafia type cyber pirates for $1 per account.

The simplest form of piracy would be to create and encode blank cards to be used by the perp, or to buy online.

Now... to the part about identity theft.
By itself, the credit or debit card is not a passport to sudden wealth, but going a bit further... Using the card as a starting point to steal your identity..
all of the information that could make HIM = YOU. Allowing them to... for instance:
Obtain a drivers license in another state, open up a bank account, obtain a voting card, get a (copy) birth certificate... and in effect, be YOU. Possibly the very worst part... it may not happen today or tomorrow, but 6 months, a year or more from now.

Stealing the identity is not as hard as it seems, but can take some effort and some time. You are probably familiar with the "White Pages"... a simple start. This can give your address, people who are associated with you, like kids or relatives, your telephone number, and the names and addresses of your neighbors.
Google maps and Bird's eye view shows your house. Your Facebook page may show an infinite amount of personal information (whatever you share).
Genealogical sites can show up relatives, like your mother's maiden name... or the town in which your father was born... (test questions used to block your banking or personal info accounts).
...and for about $50, a complete background check.
With the explosion of social media, there are many many more possibilities, such as where you work, from LinkedIn.
...then, the easiest source... your name, your user name(s) into Google search... which, in our case, leads back to all the personal stuff we put here on ER.
If this sounds unreal, consider the monetary rewards that could be possible from spending a few hours or days in drilling for this information.

After an identity is stolen, fixing is a nightmare, as taking out loans, cleaning out bank accounts, buying cars can all happen in a matter of days or weeks, before the theft is discovered.

Definitely a scare story... and so far, this kind of mass theft has not occurred.
Likely this will be just a wake up call, for everyone... I watched an interview with a cyber security "expert" who said that no matter how sophisticated the "secure" system, the cyber criminal will always be a step ahead.

I don't know that you and I can do very much about this, other than being aware that all of our personal identification information is not in one place... as in a wallet, with drivers license, credit cards, social security cards, medical information and other identity items... Not just the wallet, but anywhere the information may be available and subject to loss or theft... The tablet, phone, laptop or even in the glove compartment of the car.

As I look around me, I see that I'm vulnerable, but also resigned to the possibilities. Other than some small, obvious changes, won't let the worry take over my life... Am too old for this shtuff...

And so ends a short foray into "what if"... Time for my ham and eggs breakfast. :dance:
 
Just to clarify this great discussion. The following from Target's press notice https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

"We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV."

"If you used a non-Target credit or debit card at Target between Nov. 27 and Dec. 15 and have questions or concerns about activity on your card, please contact the issuing bank by calling the number on the back of your card."

Rita
 
There is one other difference between the consumer liability of a fraudulent charge on a credit card vs a debit card. On the credit card one registers a dispute and is then under no obligation to pay while the dispute is investigated and resolved. A debit, on the other hand, is money already withdrawn from one's account. The financial institution has an obligation to temporarily return the funds pending investigation, but a week without the funds is easy to imagine, and could be much more if the bank feels the withdrawals were in some way authorized. http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards

That's exactly why we don't have a debit card and refused it when the bank wanted to make the ATM card a combination ATM/debit card. They seemed surprised that anyone was aware of the distinctions between a cc and debit card other than the immediate withdrawal of funds for debit cards.
 
@imoldernu re: identity theft. Us old folks don't generally need to be able to open new lines of credit. DW and I froze our credit nearly a decade ago and have only once needed to temporarily unfreeze it to clear something. All existing lines of credit (e.g. cards and replacement cards) continue unaffected. An identity thief with sufficient data might be able to get a birth certificate and other documents that don't involve approving a new credit line but they couldn't get a loan, new cards, etc in your name. It is a bit of work but seemed worth it to me.
 
I am wondering how they did this. Apparently, it was swiped cards that had their information stolen. I can't imagine modifying the equipment and hundreds, maybe thousands of registers, doing it all over the country, and nobody noticing anything. Most likely they intercepted the information as it traveled from the register to whatever computers process the transaction for Target. Does anybody have any insight how this might have been done?

This has to be at least the third time in two years that financial type data of mine has been compromised by the corporations I trust with it. It makes me wonder.
 
If you stand back and look at the entire process, there are a number of attack vectors. If programmers can get into industrial controllers and wreck a centrifuge...
 
I had to call Amex and cancel DW's card (and get a new one) last night after seeing a fraud charge pop up. She had used her card at Target just after Thanksgiving.

I have set up my card accounts to send me an email when a charge is made, so that helped get notification right away. We have no liability, but it is still a pain to deal with.
 
I was going to go to Target on 12/13 to do some Christmas shopping, but decided to postpone the trip until 12/16, due to laziness/general procrastination. I used my debit card there on 12/16.

Apparently the problems with compromised card data occurred through 12/15.

For once in my life, my laziness paid off big time.

I feel for all the folks who are having to deal with the fallout from the breach. Even if there is no evidence of fraud in your accounts, just having to worry about it and monitor it diligently is a PITA, especially at this time of year.

Edited to add: Even though they say the cutoff was 12/15, I am still checking my account a couple of times a day. Can't believe everything you read.
Edited (again) to fix the dates (thanks Audrey!)
 
The first report I saw indicated PIN numbers were included in the breach. Recent reports say not so, only card info (number, expiration, security). Changing a PIN is a PITA.

I'd believe USAA over all the others.
Easy to do at an ATM machine? I changed my ATM card PIN easily a couple of months ago.
 
"We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV."

I noticed that as well and am confused. (a common occurrence) I thought the CVV number printed on the back of the card was not on the magnetic strip info and was only used for on-line transactions to prove you physically had the card in your presence. Merchants are required by law to not store the CVV number.
 
I noticed that as well and am confused. (a common occurrence) I thought the CVV number printed on the back of the card was not on the magnetic strip info and was only used for on-line transactions to prove you physically had the card in your presence. Merchants are required by law to not store the CVV number.
Didn't know that. I am occasionally asked for it at point of sale.

If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.

And why on earth would debit card PINs be stored?!?
 
Credit card data (and transaction data) goes through a number of systems during and after a transaction. The media reports mentioned POS systems, but that does not necessarily mean POS systems local to all 1700+ stores; it could be some place where the data gets concentrated (like a central server). The merchant stores this data for a number of reasons, like resolving disputes (with 1700+ stores do you think Target ever has to resolve a dispute?), processing exchanges and returns, redundancy (equipment does fail, and the more of it you have, the more likely a failure), and analysis (spending data is analyzed just about every way one can think of), etc.

Just because the data is in a computer system and you can't "see" it, that does not mean that people cannot access that data.

Some people think their card is safe if no other person ever handles it. In reality, the exposure starts when the card is swiped, regardless of who does the swiping.

The media reports also use the word "hacked" which would mean an unauthorized outsider, but some also mentioned "trusted insider". We may never know because full details of these things are rarely made public.

But it probably wasn't a guy wearing dark sunglasses with a stolen Big Chief tablet and No. 2 lead pencil lurking in the checkout area. ;)
 
What month/year are you in?

HA! Mea culpa. I have been on vacation for the last 8 days, and apparently my mental faculties have gone AWOL. Not the first time.

I am on vacation for a total of three weeks (sort of "practicing" for retirement). If this is any indication of what I can expect, it does not bode well for my mental faculties in actual retirement. :(

Maybe my slip can be explained by the fact that this morning I entered several appointments in my January calendar? That's my story and I'm sticking to it. :)
 
We shopped at Target during the period in question, so we are following the situation. From what I've read:

It didn't happen at the registers, a breach on this scale had to be hackers/organized crime and/or insiders infiltrating Target's system. Still under investigation.

They got all the information on the cards' magnetic strips, including full names, card numbers, expiration dates, even security codes.

However, the magnetic strip on the back of your card doesn't have your Social Security number or your address or your phone number. Information thieves would need to actually open accounts in your name and impersonate you, so experts say the risk of total identity theft is fairly slim.

There are no guarantees to prevent identity theft, but there are lots of actions you can take to reduce your odds, most common sense. And I'd bet many/most here already take lots of precautions. The "I don't know that you and I can do very much about this" comment above is misleading.

40 Precautions for Preventing Identity Theft

Let me google that for you

Debit cards carry higher exposure than credit cards.
 
I don't normally participate in Black Friday shopping, and did not do so this year either. However, I admit that Target had some very tempting sales prices. If I *had* participated in the Black Friday madness, probably it would have been at Target.

What a mess this must be for those affected!
 
Don't blame Target. I haven't been to Target in months, but last week I Discovered $9K of fraudulent charges on my Discover Card. I suspect a local restaurant, but I have no evidence to back that up yet. Discover says that I'm not responsible for the fraudulent charges. Discover closed that account and sent me a new card the next day. They said that because of the amount ($9K) they will probably want a police report. They will let me know. The fraudulent charges were made to online retailers all over the USA.

I manually enter all my transactions into Quicken every evening. Then, I download online every evening. If any downloaded transaction doesn't match my manually entered transactions, I immediately investigate. That's how I Discovered the fraudulent charges.

Interestingly, the perpetrator had changed my account mailing address and contact phone number. The fraudulent mailing address and phone number were legitimate USA numbers. So, if Discover had called about the unusual charges, they would have been talking to the perpetrator. The Discover representative had to check my records before the fraudulent changes to establish my identity. The fraudulent charges and the changes to my account were all made the same day online. My account spending limit had not been reached.
 
If this didn't occur at point of sale, but rather downstream from it, then why is sensitive info like CVC and PIN being passed downstream? Can't the POS terminal verify the transaction and not save those numbers? Poor security design. I guess they don't expect hackers?
 
Didn't know that. I am occasionally asked for it at point of sale.

If they are NOT supposed to store the CVV number by law, then these guys really need to straighten up! It would make it harder if the thieves didn't get their hands on the CVV.

If the code is a CSC code printed flat (not embossed) on the back of the card then that code is not embedded in the magnetic strip. Not sure what the CVV codes in the article above that was stolen was referring to.

The second type of CSC is a three- or four-digit value printed on the front of the card or on the signature strip on the back. It is not encoded on the magnetic stripe but is printed flat, not embossed like the card number.

  • American Express cards have a four-digit code printed on the front side of the card above the number.

  • MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip.[3] This has been done to prevent overwriting of the numbers by signing the card.
As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed.[4] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
Card security code - Wikipedia, the free encyclopedia
 
Maybe this Target incident will provide the impetus to move to smart cards in the US.
 
From the Consumerist blog

The card numbers are being sold in batches of one million each, and commanding prices of $20 to $100 per card (so, $20 million to $100 million per batch).




More information from the guy who broke the story is here:
Cards Stolen in Target Breach Flood Underground Markets — Krebs on Security

his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.



Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card.
 
Those that DID get hit with unauthorized charges (from Target or TJ Maxx or any of the other places that have insufficient technology protections) get hit with the inconvenience of straightening-out those transactions. But EVERYBODY with any kind of plastic gets hit with the cost of these breaches. Usually, the money from those unauthorized transactions is gone-gone, and that makes for higher fees to retailers. And of course they need to pass-on those costs to consumers. We all pay when a retailer can't secure their data.

Why-o-why doesn't the US adopt chip and pin?
 
The debit card PIN should be encrypted at the card reader and sent as a "block" to the issuing bank. Target's readers obviously didn't do this. As Alan noted, they probably kept the CVV digits too (and unencrypted?!?).

PCI compliance score = F
 
I wonder if Square (I have used) and/or eWallet (not used yet, but looking forward to it if secure) are any more secure?
 